diff --git a/machines/AMD-Workstation/default.nix b/machines/AMD-Workstation/default.nix
index 96b1f0a..2f32c21 100644
--- a/machines/AMD-Workstation/default.nix
+++ b/machines/AMD-Workstation/default.nix
@@ -51,10 +51,16 @@
   # Mount
   # TODO: fix sops
   sops.secrets.files-veracrypt.sopsFile = inputs.self.secretsDir + /amd-workstation/misc.yaml;
-  environment.etc.crypttab = {
-    text = ''
-      files-veracrypt /dev/disk/by-partuuid/15fa11a1-a6d8-4962-9c03-74b209d7c46a /var/secrets/files-veracrypt tcrypt-veracrypt
-    '';
+  services.cryptmount.files-veracrypt = {
+    what = "/dev/disk/by-partuuid/15fa11a1-a6d8-4962-9c03-74b209d7c46a";
+    where = "/media/files";
+    fsType = "ntfs";
+    cryptType = "tcrypt";
+    passwordFile = config.sops.secrets.files-veracrypt.path;
+    mountOptions = [
+      "uid=${toString config.users.users.${config.mainuser}.uid}"
+      "gid=${toString config.users.groups.users.gid}"
+    ];
   };
   fileSystems = {
     "/media/win-sys" = {
@@ -66,15 +72,6 @@
         "gid=${toString config.users.groups.users.gid}"
       ];
     };
-    "/media/files" = {
-      fsType = "ntfs";
-      device = "/dev/mapper/files-veracrypt";
-      options = [
-        "nofail"
-        "uid=${toString config.users.users.${config.mainuser}.uid}"
-        "gid=${toString config.users.groups.users.gid}"
-      ];
-    };
   };
 
   powerManagement.cpuFreqGovernor = "schedutil";
diff --git a/modules/crypt-mount.nix b/modules/crypt-mount.nix
new file mode 100644
index 0000000..2f6f45b
--- /dev/null
+++ b/modules/crypt-mount.nix
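Review bot: The `fileSystems."/media/files"` entry this block replaces (removed in the second hunk) carried `nofail` and gave systemd a real mount unit for the path; the new `services.cryptmount.files-veracrypt` attribute only yields a oneshot service, so as far as I can see nothing can order on the mount itself any more, and a missing or failed disk now shows up as a failed `cryptmount-files-veracrypt` unit rather than a skipped mount. If that trade-off is intended, a comment on the new block would save the next reader from hunting for the mount unit, e.g. `# /media/files is mounted by the cryptmount-files-veracrypt oneshot (modules/crypt-mount.nix), not by fileSystems; units that need it must order after that service.`. The enclosing attribute set starts before and ends after this hunk.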
@@ -0,0 +1,81 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib;
+{
+  options.services.cryptmount = mkOption {
+    type = types.attrsOf (
+      types.submodule (
+        { name, ... }:
+        {
+          options = {
+            cryptname = mkOption {
+              type = types.str;
+              default = name;
+            };
+            passwordFile = mkOption { type = types.str; };
+            what = mkOption { type = types.str; };
+            where = mkOption { type = types.str; };
+            fsType = mkOption {
+              type = with types; nullOr str;
+              default = null;
+            };
+            cryptType = mkOption {
+              type = types.enum [
+                "luks"
+                "luks1"
+                "luks2"
+                "plain"
+                "loopaes"
+                "tcrypt"
+                "bitlk"
+              ];
+              default = "luks";
+            };
+            mountOptions = mkOption {
+              type = with types; listOf str;
+              default = [ ];
+            };
+          };
+        }
+      )
+    );
+    default = { };
+  };
+  config = mkIf (config.services.cryptmount != { }) {
+    systemd.services =
+      mapAttrs'
+        (
+          name: cfg:
+          nameValuePair "cryptmount-${name}" ({
+            wantedBy = [ "multi-user.target" ];
+            path = [ pkgs.cryptsetup ];
+            serviceConfig =
+              let
+                mount-type = if (cfg.fsType != null) then "-t ${cfg.fsType}" else "";
+                opts =
+                  if (cfg.mountOptions != [ ]) then "-o ${strings.concatStringsSep "," cfg.mountOptions}" else "";
+              in
+              {
+                Type = "oneshot";
+                TimeoutStartSec = "infinity";
+                RemainAfterExit = true;
+                ExecStart = pkgs.writeShellScript "storage-decrypt-${name}" ''
+                  set -euo pipefail
+                  mkdir -p ${cfg.where}
+                  cat ${cfg.passwordFile} | cryptsetup open ${cfg.what} ${cfg.cryptname} - --type ${cfg.cryptType}
+                  /run/wrappers/bin/mount ${mount-type} ${opts} /dev/mapper/${cfg.cryptname} ${cfg.where}
+                '';
+                ExecStop = pkgs.writeShellScript "storage-decrypt-stop-${name}" ''
+                  /run/wrappers/bin/umount -R ${cfg.where}
+                  cryptsetup close ${cfg.cryptname}
+                '';
+              };
+          })
+        )
+        config.services.cryptmount;
+  };
+}
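Review bot: `cfg.where`, `cfg.what`, `cfg.passwordFile`, `cfg.cryptname` and the assembled `${opts}` are spliced into the ExecStart/ExecStop scripts unquoted, so any of these `types.str` values containing whitespace or shell metacharacters is split or reinterpreted by bash; wrapping each in `lib.escapeShellArg` and building the mount argument list with `escapeShellArgs` fixes that and also removes the empty-string special cases for `mount-type` and `opts`. The bare `-` after the mapping name in the `cryptsetup open` line looks meant as the stdin key marker, but I am not certain cryptsetup accepts it as a positional argument, and since the passphrase already arrives on stdin through the pipe it may be unnecessary — worth checking on the target. None of the submodule options carry a `description`, so a one-liner per option would help, e.g. for `passwordFile`: `description = "Path to a root-readable file whose contents are piped to cryptsetup as the passphrase.";`. The module is added but not imported anywhere in this diff, which I assume happens elsewhere.
```nix
serviceConfig =
  let
    mountArgs =
      optionals (cfg.fsType != null) [ "-t" cfg.fsType ]
      ++ optionals (cfg.mountOptions != [ ]) [ "-o" (concatStringsSep "," cfg.mountOptions) ]
      ++ [ "/dev/mapper/${cfg.cryptname}" cfg.where ];
  in
  {
    # … unchanged: Type, TimeoutStartSec, RemainAfterExit …
    ExecStart = pkgs.writeShellScript "storage-decrypt-${name}" ''
      set -euo pipefail
      mkdir -p ${escapeShellArg cfg.where}
      cat ${escapeShellArg cfg.passwordFile} | cryptsetup open ${escapeShellArg cfg.what} ${escapeShellArg cfg.cryptname} - --type ${cfg.cryptType}
      /run/wrappers/bin/mount ${escapeShellArgs mountArgs}
    '';
    ExecStop = pkgs.writeShellScript "storage-decrypt-stop-${name}" ''
      /run/wrappers/bin/umount -R ${escapeShellArg cfg.where}
      cryptsetup close ${escapeShellArg cfg.cryptname}
    '';
  };
```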