diff --git a/devices/nas/default.nix b/devices/nas/default.nix
index 791a5747..56bf9f46 100644
--- a/devices/nas/default.nix
+++ b/devices/nas/default.nix
@@ -24,7 +24,7 @@ inputs:
 };
 };
 };
- decrypt.manual =
+ luks.manual =
 {
 enable = true;
 devices =
diff --git a/devices/pc/default.nix b/devices/pc/default.nix
index 6768ed6e..d84a90bf 100644
--- a/devices/pc/default.nix
+++ b/devices/pc/default.nix
@@ -13,7 +13,7 @@ inputs:
 vfat."/dev/disk/by-uuid/7A60-4232" = "/boot";
 btrfs."/dev/mapper/root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
 };
- decrypt.auto =
+ luks.auto =
 {
 "/dev/disk/by-uuid/4c73288c-bcd8-4a7e-b683-693f9eed2d81" = { mapper = "root1"; ssd = true; };
 "/dev/disk/by-uuid/4be45329-a054-4c20-8965-8c5b7ee6b35d" =
diff --git a/devices/surface/default.nix b/devices/surface/default.nix
index 4817e1c6..534da119 100644
--- a/devices/surface/default.nix
+++ b/devices/surface/default.nix
@@ -14,7 +14,7 @@ inputs:
 vfat."/dev/disk/by-uuid/4596-D670" = "/boot";
 btrfs."/dev/mapper/root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
 };
- decrypt.auto =
+ luks.auto =
 {
 "/dev/disk/by-uuid/eda0042b-ffd5-47d1-b828-4cf99d744c9f" = { mapper = "root1"; ssd = true; };
 "/dev/disk/by-uuid/41d83848-f3dd-4b2f-946f-de1d2ae1cbd4" = { mapper = "swap"; ssd = true; };
diff --git a/devices/vps4/default.nix b/devices/vps4/default.nix
index 18658a25..b528b0ef 100644
--- a/devices/vps4/default.nix
+++ b/devices/vps4/default.nix
@@ -16,7 +16,7 @@ inputs:
 "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
 };
 };
- decrypt.manual =
+ luks.manual =
 {
 enable = true;
 devices."/dev/disk/by-uuid/bf7646f9-496c-484e-ada0-30335da57068" = { mapper = "root"; ssd = true; };
diff --git a/devices/vps6/default.nix b/devices/vps6/default.nix
index 2529d42b..d382494f 100644
--- a/devices/vps6/default.nix
+++ b/devices/vps6/default.nix
@@ -16,7 +16,7 @@ inputs:
 "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
 };
 };
- decrypt.manual =
+ luks.manual =
 {
 enable = true;
 devices."/dev/disk/by-uuid/4f8aca22-9ec6-4fad-b21a-fd9d8d0514e8" = { mapper = "root"; ssd = true; };
diff --git a/devices/vps7/default.nix b/devices/vps7/default.nix
index a3da33e1..1597bf53 100644
--- a/devices/vps7/default.nix
+++ b/devices/vps7/default.nix
@@ -16,7 +16,7 @@ inputs:
 "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
 };
 };
- decrypt.manual =
+ luks.manual =
 {
 enable = true;
 devices."/dev/disk/by-uuid/db48c8de-bcf7-43ae-a977-60c4f390d5c4" = { mapper = "root"; ssd = true; };
diff --git a/modules/system/fileSystems/default.nix b/modules/system/fileSystems/default.nix
index 4622cf0b..fc803dde 100644
--- a/modules/system/fileSystems/default.nix
+++ b/modules/system/fileSystems/default.nix
@@ -1,5 +1,6 @@
 inputs:
 {
+ imports = inputs.localLib.findModules ./.;
 options.nixos.system.fileSystems = let inherit (inputs.lib) mkOption types; in
 {
 mount =
@@ -9,41 +10,6 @@ inputs:
 # device.subvol = mountPoint;
 btrfs = mkOption { type = types.attrsOf (types.attrsOf types.nonEmptyStr); default = {}; };
 };
- decrypt =
- {
- auto = mkOption
- {
- type = types.attrsOf (types.submodule
- {
- options =
- {
- mapper = mkOption { type = types.nonEmptyStr; };
- ssd = mkOption { type = types.bool; default = false; };
- before = mkOption { type = types.nullOr (types.listOf types.nonEmptyStr); default = null; };
- };
- });
- default = {};
- };
- manual =
- {
- enable = mkOption { type = types.bool; default = false; };
- devices = mkOption
- {
- type = types.attrsOf (types.submodule
- {
- options =
- {
- mapper = mkOption { type = types.nonEmptyStr; };
- ssd = mkOption { type = types.bool; default = false; };
- };
- });
- default = {};
- };
- keyFile = mkOption
- { type = types.path; default = ./. + "/${inputs.config.nixos.system.networking.hostname}.key"; };
- delayedMount = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
- };
- };
 # generate using: sudo mdadm --examine --scan
 mdadm = mkOption { type = types.nullOr types.lines; default = null; };
 swap = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
@@ -117,87 +83,6 @@ inputs:
 )
 (attrsToList fileSystems.mount.btrfs)));
 }
- # decrypt.auto
- (
- mkIf (fileSystems.decrypt.auto != null)
- {
- boot.initrd =
- {
- luks.devices = (listToAttrs (map
- (
- device:
- {
- name = device.value.mapper;
- value =
- {
- device = device.name;
- allowDiscards = device.value.ssd;
- bypassWorkqueues = device.value.ssd;
- crypttabExtraOpts = [ "fido2-device=auto" "x-initrd.attach" ];
- };
- }
- )
- (attrsToList fileSystems.decrypt.auto)));
- systemd.services =
- let
- createService = device:
- {
- name = "systemd-cryptsetup@${device.value.mapper}";
- value =
- {
- before = map (device: "systemd-cryptsetup@${device}.service") device.value.before;
- overrideStrategy = "asDropin";
- };
- };
- in
- listToAttrs (map createService
- (builtins.filter (device: device.value.before != null) (attrsToList fileSystems.decrypt.auto)));
- };
- }
- )
- # decrypt.manual
- (
- mkIf (fileSystems.decrypt.manual.enable)
- {
- boot.initrd =
- {
- luks.forceLuksSupportInInitrd = true;
- systemd =
- {
- extraBin =
- {
- cryptsetup = "${inputs.pkgs.cryptsetup.bin}/bin/cryptsetup";
- usbip = "${inputs.config.boot.kernelPackages.usbip}/bin/usbip";
- sed = "${inputs.pkgs.gnused}/bin/sed";
- awk = "${inputs.pkgs.gawk}/bin/awk";
- decrypt = inputs.pkgs.writeShellScript "decrypt"
- ''
- modprobe vhci-hcd
- busid=$(usbip list -r 127.0.0.1 | head -n4 | tail -n1 | awk '{print $1}' | sed 's/://')
- usbip attach -r 127.0.0.1 -b $busid
- ${concatStringsSep "\n" (map
- (device: ''systemd-cryptsetup attach ${device.value.mapper} ${device.name} "" fido2-device=auto''
- + (if device.value.ssd then ",discard" else ""))
- (attrsToList fileSystems.decrypt.manual.devices))}
- '';
- };
- services.wait-manual-decrypt =
- {
- wantedBy = [ "initrd-root-fs.target" ];
- before = [ "roll-rootfs.service" ];
- unitConfig.DefaultDependencies = false;
- serviceConfig.Type = "oneshot";
- script = concatStringsSep "\n" (map
- (device: "while [ ! -e /dev/mapper/${device.value.mapper} ]; do sleep 1; done")
- (attrsToList fileSystems.decrypt.manual.devices));
- };
- };
- };
- fileSystems = listToAttrs (map
- (mount: { name = mount; value.options = [ "x-systemd.device-timeout=48h" ]; })
- fileSystems.decrypt.manual.delayedMount);
- }
- )
 # mdadm
 (
 mkIf (fileSystems.mdadm != null)
diff --git a/modules/system/fileSystems/luks/default.nix b/modules/system/fileSystems/luks/default.nix
new file mode 100644
index 00000000..9e3ce493
--- /dev/null
+++ b/modules/system/fileSystems/luks/default.nix
@@ -0,0 +1,80 @@
+inputs:
+{
+ options.nixos.system.fileSystems.luks = let inherit (inputs.lib) mkOption types; in
+ {
+ auto = mkOption
+ {
+ type = types.attrsOf (types.submodule { options =
+ {
+ mapper = mkOption { type = types.nonEmptyStr; };
+ ssd = mkOption { type = types.bool; default = false; };
+ before = mkOption { type = types.nullOr (types.listOf types.nonEmptyStr); default = null; };
+ };});
+ default = {};
+ };
+ manual =
+ {
+ enable = mkOption { type = types.bool; default = false; };
+ devices = mkOption
+ {
+ type = types.attrsOf (types.submodule { options =
+ {
+ mapper = mkOption { type = types.nonEmptyStr; };
+ ssd = mkOption { type = types.bool; default = false; };
+ };});
+ default = {};
+ };
+ delayedMount = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
+ };
+ };
+ config = let inherit (inputs.config.nixos.system.fileSystem) luks; in inputs.lib.mkMerge
+ [
+ (inputs.lib.mkIf (luks.auto != null) { boot.initrd =
+ {
+ luks.devices = (builtins.listToAttrs (builtins.map
+ (device:
+ {
+ name = device.value.mapper;
+ value =
+ {
+ device = device.name;
+ allowDiscards = device.value.ssd;
+ bypassWorkqueues = device.value.ssd;
+ crypttabExtraOpts = [ "fido2-device=auto" "x-initrd.attach" ];
+ };
+ })
+ (inputs.localLib.attrsToList luks.auto)));
+ systemd.services = builtins.listToAttrs (builtins.map
+ (device:
+ {
+ name = "systemd-cryptsetup@${device.value.mapper}";
+ value =
+ {
+ before = map (device: "systemd-cryptsetup@${device}.service") device.value.before;
+ overrideStrategy = "asDropin";
+ };
+ })
+ (builtins.filter (device: device.value.before != null) (inputs.localLib.attrsToList luks.auto)));
+ };})
+ (inputs.lib.mkIf luks.manual.enable
+ {
+ boot.initrd =
+ {
+ luks.forceLuksSupportInInitrd = true;
+ systemd.services.wait-manual-decrypt =
+ {
+ wantedBy = [ "initrd-root-fs.target" ];
+ before = [ "roll-rootfs.service" ];
+ unitConfig.DefaultDependencies = false;
+ serviceConfig.Type = "oneshot";
+ script = builtins.concatStringsSep "\n" (builtins.map
+ (device: "while [ ! -e /dev/mapper/${device.value.mapper} ]; do sleep 1; done")
+ (inputs.localLib.attrsToList luks.manual.devices));
+ };
+ };
+ fileSystems = builtins.listToAttrs (builtins.map
+ (mount: { name = mount; value.options = [ "x-systemd.device-timeout=48h" ]; })
+ luks.manual.delayedMount);
+ })
+ ];
+}
diff --git a/modules/system/fileSystems/nas.key b/modules/system/fileSystems/luks/nas.key
similarity index 100%
rename from modules/system/fileSystems/nas.key
rename to modules/system/fileSystems/luks/nas.key
diff --git a/modules/system/fileSystems/vps4.key b/modules/system/fileSystems/luks/vps4.key
similarity index 100%
rename from modules/system/fileSystems/vps4.key
rename to modules/system/fileSystems/luks/vps4.key
diff --git a/modules/system/fileSystems/vps6.key b/modules/system/fileSystems/luks/vps6.key
similarity index 100%
rename from modules/system/fileSystems/vps6.key
rename to modules/system/fileSystems/luks/vps6.key
diff --git a/modules/system/fileSystems/vps7.key b/modules/system/fileSystems/luks/vps7.key
similarity index 100%
rename from modules/system/fileSystems/vps7.key
rename to modules/system/fileSystems/luks/vps7.key
diff --git a/modules/user/chn/default.nix b/modules/user/chn/default.nix
index f17fb0ec..dfd10cd1 100644
--- a/modules/user/chn/default.nix
+++ b/modules/user/chn/default.nix
@@ -68,7 +68,8 @@ inputs:
 (builtins.map
 (system: builtins.concatStringsSep "\n" [
 "decrypt-${system.name}() {"
- " key=$(${cat} ${system.value.keyFile} | ${gpg} --decrypt)"
+ " key=$(${cat} ${inputs.topInputs.self}/modules/system/fileSystems/luks/${system.name}.key \\"
+ " | ${gpg} --decrypt)"
 (builtins.concatStringsSep "\n" (builtins.map
 (device: " echo $key | ${ssh} root@initrd.${system.name}.chn.moe cryptsetup luksOpen "
 + (if device.value.ssd then "--allow-discards " else "")
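Review bot: The `config` block of the new luks module inherits `luks` from `inputs.config.nixos.system.fileSystem`, but the options this same file declares live under `options.nixos.system.fileSystems.luks` (plural), so evaluating any host that imports this module should fail with a missing-attribute error and none of the renamed `luks.*` settings in the device files would take effect; the line should read `config = let inherit (inputs.config.nixos.system.fileSystems) luks; in inputs.lib.mkMerge`. Separately, `inputs.lib.mkIf (luks.auto != null)` can never be false because `auto` is an `attrsOf` option with `default = {}`; it is harmless on an empty set, but `luks.auto != {}` states the intent. With the `keyFile` option dropped, the `.key` files moved into this directory are referenced only from the user module, so it is worth confirming that the `inputs.localLib.findModules ./.` added to modules/system/fileSystems/default.nix does not pick them up as modules.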
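Review bot: The new `key=$(${cat} … | ${gpg} --decrypt)` line has no failure check, so if `gpg --decrypt` fails (no agent, wrong key, or the file missing at the new `luks/` path) `$key` is empty and the following `echo $key | ${ssh} … cryptsetup luksOpen` lines still run, sending an empty passphrase to the remote initrd; ending the assignment with `" | ${gpg} --decrypt) || return 1"` stops the function there. The `${cat}` pipe is also redundant since `gpg --decrypt` accepts the file path directly, which would remove one interpolated binary from the generated shell. The generated shell function continues past the end of the hunk.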