mount encrypted partition with sops key

add zsh-z
use dns-01 challenge
2024-02-09 21:22:02 +03:00 · 2024-02-09 21:21:36 +03:00 · 2024-02-09 21:21:20 +03:00
6 changed files with 116 additions and 69 deletions
--- a/machines/AMD-Workstation/default.nix
+++ b/machines/AMD-Workstation/default.nix
@ -51,10 +51,16 @@
  # Mount
  # TODO: fix sops
  sops.secrets.files-veracrypt.sopsFile = inputs.self.secretsDir + /amd-workstation/misc.yaml;
-  environment.etc.crypttab = {
-    text = ''
-      files-veracrypt /dev/disk/by-partuuid/15fa11a1-a6d8-4962-9c03-74b209d7c46a /var/secrets/files-veracrypt tcrypt-veracrypt
-    '';
+  services.cryptmount.files-veracrypt = {
+    what = "/dev/disk/by-partuuid/15fa11a1-a6d8-4962-9c03-74b209d7c46a";
+    where = "/media/files";
+    fsType = "ntfs";
+    cryptType = "tcrypt";
+    passwordFile = config.sops.secrets.files-veracrypt.path;
+    mountOptions = [
+      "uid=${toString config.users.users.${config.mainuser}.uid}"
+      "gid=${toString config.users.groups.users.gid}"
+    ];
  };
  fileSystems = {
    "/media/win-sys" = {
@ -66,15 +72,6 @@
        "gid=${toString config.users.groups.users.gid}"
      ];
    };
-    "/media/files" = {
-      fsType = "ntfs";
-      device = "/dev/mapper/files-veracrypt";
-      options = [
-        "nofail"
-        "uid=${toString config.users.users.${config.mainuser}.uid}"
-        "gid=${toString config.users.groups.users.gid}"
-      ];
-    };
  };

  powerManagement.cpuFreqGovernor = "schedutil";
--- a/modules/crypt-mount.nix
+++ b/modules/crypt-mount.nix
@ -0,0 +1,81 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib;
+{
+  options.services.cryptmount = mkOption {
+    type = types.attrsOf (
+      types.submodule (
+        { name, ... }:
+        {
+          options = {
+            cryptname = mkOption {
+              type = types.str;
+              default = name;
+            };
+            passwordFile = mkOption { type = types.str; };
+            what = mkOption { type = types.str; };
+            where = mkOption { type = types.str; };
+            fsType = mkOption {
+              type = with types; nullOr str;
+              default = null;
+            };
+            cryptType = mkOption {
+              type = types.enum [
+                "luks"
+                "luks1"
+                "luks2"
+                "plain"
+                "loopaes"
+                "tcrypt"
+                "bitlk"
+              ];
+              default = "luks";
+            };
+            mountOptions = mkOption {
+              type = with types; listOf str;
+              default = [ ];
+            };
+          };
+        }
+      )
+    );
+    default = { };
+  };
+  config = mkIf (config.services.cryptmount != { }) {
+    systemd.services =
+      mapAttrs'
+        (
+          name: cfg:
+          nameValuePair "cryptmount-${name}" ({
+            wantedBy = [ "multi-user.target" ];
+            path = [ pkgs.cryptsetup ];
+            serviceConfig =
+              let
+                mount-type = if (cfg.fsType != null) then "-t ${cfg.fsType}" else "";
+                opts =
+                  if (cfg.mountOptions != [ ]) then "-o ${strings.concatStringsSep "," cfg.mountOptions}" else "";
+              in
+              {
+                Type = "oneshot";
+                TimeoutStartSec = "infinity";
+                RemainAfterExit = true;
+                ExecStart = pkgs.writeShellScript "storage-decrypt-${name}" ''
+                  set -euo pipefail
+                  mkdir -p ${cfg.where}
+                  cat ${cfg.passwordFile} | cryptsetup open ${cfg.what} ${cfg.cryptname} - --type ${cfg.cryptType}
+                  /run/wrappers/bin/mount ${mount-type} ${opts} /dev/mapper/${cfg.cryptname} ${cfg.where}
+                '';
+                ExecStop = pkgs.writeShellScript "storage-decrypt-stop-${name}" ''
+                  /run/wrappers/bin/umount -R ${cfg.where}
+                  cryptsetup close ${cfg.cryptname}
+                '';
+              };
+          })
+        )
+        config.services.cryptmount;
+  };
+}
--- a/profiles/servers/acme.nix
+++ b/profiles/servers/acme.nix
@ -1,13 +1,22 @@
-{ ... }: {
+{ config, inputs, ... }: {
+  sops.secrets.cf-dns-api = {
+    sopsFile = inputs.self.secretsDir + /misc.yaml;
+    owner = "acme";
+  };
  security.acme = {
    acceptTerms = true;
    # defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory"; # staging
    defaults.server = "https://acme-v02.api.letsencrypt.org/directory"; # production
    defaults.email = "admin@ataraxiadev.com";
    defaults.renewInterval = "weekly";
+    certs = {
+      "ataraxiadev.com" = {
+        extraDomainNames = [ "*.ataraxiadev.com" ];
+        dnsResolver = "1.1.1.1:53";
+        dnsProvider = "cloudflare";
+        credentialFiles."CF_DNS_API_TOKEN_FILE" = config.sops.secrets.cf-dns-api.path;
+      };
+    };
  };
-
-  persist.state.directories = [
-    "/var/lib/acme"
-  ];
+  persist.state.directories = [ "/var/lib/acme" ];
 }
--- a/profiles/servers/nginx.nix
+++ b/profiles/servers/nginx.nix
@ -55,55 +55,6 @@ let
    };
  };
 in {
-  security.acme.certs = {
-    "ataraxiadev.com" = {
-      webroot = "/var/lib/acme/acme-challenge";
-      extraDomainNames = [
-        "api.ataraxiadev.com"
-        "auth.ataraxiadev.com"
-        # "bathist.ataraxiadev.com"
-        # "browser.ataraxiadev.com"
-        "cache.ataraxiadev.com"
-        "cal.ataraxiadev.com"
-        # "cocalc.ataraxiadev.com"
-        "code.ataraxiadev.com"
-        "docs.ataraxiadev.com"
-        # "fb.ataraxiadev.com"
-        "file.ataraxiadev.com"
-        # "fsync.ataraxiadev.com"
-        "home.ataraxiadev.com"
-        "jackett.ataraxiadev.com"
-        "jellyfin.ataraxiadev.com"
-        "joplin.ataraxiadev.com"
-        "kavita.ataraxiadev.com"
-        "ldap.ataraxiadev.com"
-        "lib.ataraxiadev.com"
-        "lidarr.ataraxiadev.com"
-        "medusa.ataraxiadev.com"
-        "office.ataraxiadev.com"
-        "openbooks.ataraxiadev.com"
-        "pdf.ataraxiadev.com"
-        "qbit.ataraxiadev.com"
-        "radarr.ataraxiadev.com"
-        "s3.ataraxiadev.com"
-        "sonarr.ataraxiadev.com"
-        # "startpage.ataraxiadev.com"
-        "tools.ataraxiadev.com"
-        "vault.ataraxiadev.com"
-        "vw.ataraxiadev.com"
-        "wg.ataraxiadev.com"
-        "wiki.ataraxiadev.com"
-        "wopi.ataraxiadev.com"
-        # "webmail.ataraxiadev.com"
-
-        # "matrix.ataraxiadev.com"
-        # "dimension.ataraxiadev.com"
-        # "stats.ataraxiadev.com"
-        # "element.ataraxiadev.com"
-      ];
-    };
-  };
-
  services.nginx = {
    enable = true;
    group = "acme";
--- a/profiles/workspace/zsh/default.nix
+++ b/profiles/workspace/zsh/default.nix
@ -42,6 +42,11 @@
            src = pkgs.zsh-powerlevel10k;
            file = "share/zsh-powerlevel10k/powerlevel10k.zsh-theme";
          }
+          {
+            name = "zsh-z";
+            src = pkgs.zsh-z;
+            file = "share/zsh-z/zsh-z.plugin.zsh";
+          }
        ];

        dotDir = ".config/zsh";
@ -139,6 +144,9 @@
              ${pkgs.gh}/bin/gh api repos/$org/$repo/actions/runs/$run_id --method DELETE >/dev/null &
            done
          }
+          j() {
+            journalctl -o json --output-fields=MESSAGE,PRIORITY,_PID,SYSLOG_IDENTIFIER,_SYSTEMD_UNIT "$@" | lnav
+          }

          XDG_DATA_DIRS=$XDG_DATA_DIRS:$GSETTINGS_SCHEMAS_PATH

--- a/secrets/misc.yaml
+++ b/secrets/misc.yaml
@ -1,6 +1,7 @@
 attic-token: ENC[AES256_GCM,data:mO5g45uO9fMh9EakmjmdClVkhquKurjXmwnc3Qenj0Wq4QCUvQrOUa9xNcOpQPJsnGnVFH9qFF1X26kGqgUtX3vy4pibvgyoEi5EWVMw8d6tZ/OOKqm4UHlnbG1uEHq5VN5o+IRkk5P0pxXSXiWHNh1aUmW2NrQ8+Wcx7izH01rG5rAZ0hrPZAm/a66W882p6fRdGGvVo4KJBUx8T5n4MD8UNPlafGRKPiloZbXbNAb4NFPnvDLvSPn3VNM659AvDkweMUIQuLvsV0dXB2tOc9ZTkoYHqdYqVMDN/vy+sN+QpKJx0vL5x7e4bSbSCQ7ZP1tJHknuod0DKZqMjg==,iv:Fj35Z4G6jscv8hpcASmoTGc6TUWl/wbebMkQeYoEDeQ=,tag:Y0L5NrA0MKFE+/Fa+eL8oA==,type:str]
 headscale-api: ENC[AES256_GCM,data:oTVPF4ZwvXEle6R7WyNFTkOgbEEaCVumC2fXtWwSCOpWezCYPNpN1Jwtu+JHDiSCgn8zKu9H,iv:iSkHmcCLBHzeWc3r2GPEM2y+nxPCSDK2rVdcatkEtao=,tag:XBCLGwwbYR3YpLDR957hqg==,type:str]
 headscale-api-env: ENC[AES256_GCM,data:YdXBG+jYWOMpzMQvga+LOI7C/plmsxhDdhwkCSUzQGkv383KSPFM/KK+tVaEL2/9r4HaO8flnjGKYGPPC9IaPrrJbiNolcjzyBbIYA==,iv:61h8KDlhEUtOCyS+5FKmFdCuXYe3BQ+nNjpPKEgkenw=,tag:V27Dg0jQQSgrLYXORLzxrQ==,type:str]
+cf-dns-api: ENC[AES256_GCM,data:Y1NYeX6YzOyWkXDlqgv1KFV1rjpkEqTQz1MZC4qKI5zJ7SuXNUqc8w==,iv:mbaJHKJxoNGqSe425UyrGMWa/QT1uiapLccIqzTC11M=,tag:CdMFS6NMLKhH/WLmvgNJ7Q==,type:str]
 git-ssh-key: ENC[AES256_GCM,data:TfQzwqjWNSYZ/x2f6nSlhzRJ+LEzsY8pP/je0Y9wW64oVVyYOJnJsFyu/6TruZKWbCpf0kw9aRyali4ztKoGo6/RR7PiH1EvI/+V55+cwAtUBlTUBadrT1Ed1SHj0hKOLmSoo9M7L4TvOMQjqLr69BxkDIX8LBG/Fp1Hk2dpblqCdG3710o+R6wHMLUURPrMCb8ff953FLVOcCSBi2G34BV+rbuPXV2H3aS3kerMY3XXKeII4a7PKwyk1P+v5Fore2sVxQ8tWa+xfuzgC5pugKZrrkX9CldDA0wb3fBufk6YkBNNGG+EqqFq7IBP8jnZxZ8Gr7XLpXNSTwZ8Vkkhw8ebt0+f60uoxgHbor9m6Vi71k8+yy0HsTfbCbDToi25G094qOTHAINv+36X3KLl+Ea19+53BhYor675bziMBUiZ4o4YE2Da8Wu369lrHXTzPNncOCYwVV4UnxCrmeLV1yPJ4w0LFKpAeyo+v5tqZy9L/0xHZHVfUJq7i6jgpjx+ll4ACxV+V8xxFuFZ8pybY9tcH0VSTk/PZjmjbg0U2LlOa8n8KtywXgkWG+HZjQN+LylyBgaVQjOOuCEPG6NVerIE7N41r1GI0kdPlvg6ituA9umAEWFA1vmJ+s6e1WqUt2+webIi24zPrEUbdZGmmkgRLRJ9hXT0WOS35vtHQtZJYdz8fWKkId9jKVNgXNyrTzp5yFY4ySBfHGR0JxCjmAxVpaq7TQUh+c5qpu9+6wsQhi31t11TrJMoZ09DKJEWJ/lAuGsGvyAI6E2qqxK0lRaHIDZWbyCzf51+aOYlNRK5Z4OCeDahx08iFuA3CbZB981D6PQTLZ+40a6Xi2CeLGC3aL6hyBV4t/+btHad6u4SNGFD09AZkSHB9kKiJ8gMJw3iPwdbOnNTi6ExIuEY/Hcafq+8GFc0nT9aeaef3hFrThWhvmoXZMDWllwFRYWrKZL3IhsNTLIdWNWsV+huDiwmPeYMBVX3dX+SxQ31DRjSxr1ybUrb3JgrsrnJ1nDZcJxKHGtqKlv3bsKooZq2Lgoq2o5lvv3xIlfNSt4w+ehIM/9VzcYI48vvWl/tiHXAxzbD9qOFH7Y4agNn7lTtb/9kF70qDFUguUOk/GX+ec65b9SassmTTdQw7wREaTThF+v88HAez30A8ZzWHVKh0pfacnNAZZqdy3EYiUUkxmTQbnS/ASCNruFEyekAF0v5sGTKe7tgXZRoZB0T0Iy9lDT8IkEYOBTPn4qFjUq2v3Sg12zB5qs5ghnvBG9JW4SqXP0yx5s5Nzc4lZvcPsuEPzMA0GQM+iDU6AUw5sjE2PSsaarflLStotayU5fAQBJGOV/Oo1tsZWqhWlbIOXiky1xo3S1XTaV523MvChY0h3TbjVRDcP41BNgVQ7Q2SiF3j5WAxj6ry8vvR2RBcgglQXZMq+RYHZD81vU4JUFtV9QMDhlI3X53jnbOkignGq5gk3Pv1jV9C8SXXGqgtm8cH2LkNG1JRwt+IEGbKcL6XPAs/mUaT4m0bTE3Wl2HeGjEWHklEFaS0Kl5+m+wwTmO/qspJc8ap+ilQ7dFcyGlPFVl8ddyIPnUYSPND7OLd4OvvIA4+Dga9ngVFNKgQb1eho6gtQQRiO6J/y956uks98OmdOwkf/cZq3O/9GHamHoF5N2eN4okrvnsgF5rANN24ufVo7K+vSqVrCYqxCwcZwtrBqit5eKDceyhiM9MVm1iV2JolIiL3c7gHc3KG4l8LuQ2ET3ijI2eulsHbqssloB8wGNG/iihfMRYH9lNSSaRDMG5BBXWAz0hJp08CqqVnuEnlFagOAqHg4VfArkZE+0e34ybjq6gw0X/8L5ULQg1sICsjad/wT8DTLuaNT1/uvBDeG/V+OIycM/HYg8x2eqfBClQ3YMR4OfLzXNcwQAFjFHTLuuiHY8PXWtVDpfRUAA90lr/YfGqa4mHwcvvd3WyyrMoWkNyQ7jhsPtwF0qVQUZUAIsv3NbucRNfocE1CyeeQxyffkN2stMhZLJUJEDrIE4IRQV/qdgtFnaUC5OcCQ/z3P5dIueAKOUCynu7r/jImLaS4Bdeyh2VS5bQjBAVXoN30fk+E6JmRnfnvgN/5xvkK8ycCmt5j40Msbn68hXYLmxJnflpJHLeTwY2rS7JBLRHc1jNmUhi8QIWD9FeUrtWF875/5ZTo48KH1Ny2aQM26GHOhcGlJb2BCvieXsawtIDFtEw6T9q,iv:3Q2gIetHriabpmTvw7D4+TnKWCTQaKYWmLCMuj1RK0g=,tag:S7T/CgPyu9BwVB550BALmQ==,type:str]
 sops:
    kms: []
@ -8,8 +9,8 @@ sops:
    azure_kv: []
    hc_vault: []
    age: []
-    lastmodified: "2024-02-06T19:46:55Z"
-    mac: ENC[AES256_GCM,data:3ym1NPnMnkad+vOIfqX5ibJ2cn79ed8j+jA94yRv3WDugyq7bUvZTNLEHbOijhPQlVMxYxLD5CG8ms8LxoEDhjfYHI4Ahpl+oHlPZ+pTsvoe7vkSoMhk84OiOTs3f2WJfc0xeejuyOa7TYr9ayzxauaDIBYtrMXFcPa99jq/j/0=,iv:92L7ylr+nvN1KraUxsPQGE5IB374TnFKausD/aHaF9I=,tag:ifbqxe60Heq9a6S7R3lg8g==,type:str]
+    lastmodified: "2024-02-09T18:13:35Z"
+    mac: ENC[AES256_GCM,data:NQKG8hz0PWWb0eYC+OTz6pY6bFXhMIxPk8aOh+GX9BsUO4o9gb/ElzuIkVXVhQMETXb85c09JggIbVpx+eagvQt2roVouzDBDWohNwhI++q16I5RwbDrSM+AgiGPzIs6a1fTVQV6wJWIH6tpWw9NpJuSrIXKtdlR8y28KLy4I+M=,iv:izUDLBCSLHo3Qofj4GoUyEwSlDL1gv1O2qjPifIPRXo=,tag:+7k5CmSTtR1Xm61vv5Y5kA==,type:str]
    pgp:
        - created_at: "2024-02-06T20:12:44Z"
          enc: |-
Author	SHA1	Message	Date
Dmitriy Kholkin	48f202132f	mount encrypted partition with sops key	2024-02-09 21:22:02 +03:00
Dmitriy Kholkin	a73ffd1934	add zsh-z	2024-02-09 21:21:36 +03:00
Dmitriy Kholkin	66b156e23b	use dns-01 challenge	2024-02-09 21:21:20 +03:00