modules.system.fileSystems.luks: split

devices/nas/default.nix

@@ -24,7 +24,7 @@ inputs:
               };
             };
           };
-          decrypt.manual =
+          luks.manual =
           {
             enable = true;
             devices =

devices/pc/default.nix

@@ -13,7 +13,7 @@ inputs:
             vfat."/dev/disk/by-uuid/7A60-4232" = "/boot";
             btrfs."/dev/mapper/root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
           };
-          decrypt.auto =
+          luks.auto =
           {
             "/dev/disk/by-uuid/4c73288c-bcd8-4a7e-b683-693f9eed2d81" = { mapper = "root1"; ssd = true; };
             "/dev/disk/by-uuid/4be45329-a054-4c20-8965-8c5b7ee6b35d" =
@@ -41,7 +41,7 @@ inputs:
             # SERIALIZE SGX WAITPKG WIDEKL XSAVE XSAVEOPT
             "alderlake"
           ];
-          remote.master = { enable = true; hosts = [ "xmupc1" "xmupc2" "srv1-node0" "srv1-node1" ]; };
+          remote.master = { enable = true; hosts = [ "xmupc1" "xmupc2" ]; };
           githubToken.enable = true;
         };
         nixpkgs =

devices/surface/default.nix

@@ -14,7 +14,7 @@ inputs:
             vfat."/dev/disk/by-uuid/4596-D670" = "/boot";
             btrfs."/dev/mapper/root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
           };
-          decrypt.auto =
+          luks.auto =
           {
             "/dev/disk/by-uuid/eda0042b-ffd5-47d1-b828-4cf99d744c9f" = { mapper = "root1"; ssd = true; };
             "/dev/disk/by-uuid/41d83848-f3dd-4b2f-946f-de1d2ae1cbd4" = { mapper = "swap"; ssd = true; };

devices/vps4/default.nix

@@ -16,7 +16,7 @@ inputs:
               "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
             };
           };
-          decrypt.manual =
+          luks.manual =
           {
             enable = true;
             devices."/dev/disk/by-uuid/bf7646f9-496c-484e-ada0-30335da57068" = { mapper = "root"; ssd = true; };

devices/vps6/default.nix

@@ -16,7 +16,7 @@ inputs:
               "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
             };
           };
-          decrypt.manual =
+          luks.manual =
           {
             enable = true;
             devices."/dev/disk/by-uuid/4f8aca22-9ec6-4fad-b21a-fd9d8d0514e8" = { mapper = "root"; ssd = true; };

devices/vps7/default.nix

@@ -16,7 +16,7 @@ inputs:
               "/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
             };
           };
-          decrypt.manual =
+          luks.manual =
           {
             enable = true;
             devices."/dev/disk/by-uuid/db48c8de-bcf7-43ae-a977-60c4f390d5c4" = { mapper = "root"; ssd = true; };

modules/system/fileSystems/default.nix

@@ -1,5 +1,6 @@
 inputs:
 {
+  imports = inputs.localLib.findModules ./.;
   options.nixos.system.fileSystems = let inherit (inputs.lib) mkOption types; in
   {
     mount =
@@ -9,41 +10,6 @@ inputs:
       # device.subvol = mountPoint;
       btrfs = mkOption { type = types.attrsOf (types.attrsOf types.nonEmptyStr); default = {}; };
     };
-    decrypt =
-    {
-      auto = mkOption
-      {
-        type = types.attrsOf (types.submodule
-        {
-          options =
-          {
-            mapper = mkOption { type = types.nonEmptyStr; };
-            ssd = mkOption { type = types.bool; default = false; };
-            before = mkOption { type = types.nullOr (types.listOf types.nonEmptyStr); default = null; };
-          };
-        });
-        default = {};
-      };
-      manual =
-      {
-        enable = mkOption { type = types.bool; default = false; };
-        devices = mkOption
-        {
-          type = types.attrsOf (types.submodule
-          {
-            options =
-            {
-              mapper = mkOption { type = types.nonEmptyStr; };
-              ssd = mkOption { type = types.bool; default = false; };
-            };
-          });
-          default = {};
-        };
-        keyFile = mkOption
-          { type = types.path; default = ./. + "/${inputs.config.nixos.system.networking.hostname}.key"; };
-        delayedMount = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
-      };
-    };
     # generate using: sudo mdadm --examine --scan
     mdadm = mkOption { type = types.nullOr types.lines; default = null; };
     swap = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
@@ -117,87 +83,6 @@ inputs:
           )
           (attrsToList fileSystems.mount.btrfs)));
       }
-      # decrypt.auto
-      (
-        mkIf (fileSystems.decrypt.auto != null)
-        {
-          boot.initrd =
-          {
-            luks.devices = (listToAttrs (map
-              (
-                device:
-                {
-                  name = device.value.mapper;
-                  value =
-                  {
-                    device = device.name;
-                    allowDiscards = device.value.ssd;
-                    bypassWorkqueues = device.value.ssd;
-                    crypttabExtraOpts = [ "fido2-device=auto" "x-initrd.attach" ];
-                  };
-                }
-              )
-              (attrsToList fileSystems.decrypt.auto)));
-            systemd.services =
-              let
-                createService = device:
-                {
-                  name = "systemd-cryptsetup@${device.value.mapper}";
-                  value =
-                  {
-                    before = map (device: "systemd-cryptsetup@${device}.service") device.value.before;
-                    overrideStrategy = "asDropin";
-                  };
-                };
-              in
-                listToAttrs (map createService
-                  (builtins.filter (device: device.value.before != null) (attrsToList fileSystems.decrypt.auto)));
-          };
-        }
-      )
-      # decrypt.manual
-      (
-        mkIf (fileSystems.decrypt.manual.enable)
-        {
-          boot.initrd =
-          {
-            luks.forceLuksSupportInInitrd = true;
-            systemd =
-            {
-              extraBin =
-              {
-                cryptsetup = "${inputs.pkgs.cryptsetup.bin}/bin/cryptsetup";
-                usbip = "${inputs.config.boot.kernelPackages.usbip}/bin/usbip";
-                sed = "${inputs.pkgs.gnused}/bin/sed";
-                awk = "${inputs.pkgs.gawk}/bin/awk";
-                decrypt = inputs.pkgs.writeShellScript "decrypt"
-                ''
-                  modprobe vhci-hcd
-                  busid=$(usbip list -r 127.0.0.1 | head -n4 | tail -n1 | awk '{print $1}' | sed 's/://')
-                  usbip attach -r 127.0.0.1 -b $busid
-                  ${concatStringsSep "\n" (map
-                    (device: ''systemd-cryptsetup attach ${device.value.mapper} ${device.name} "" fido2-device=auto''
-                      + (if device.value.ssd then ",discard" else ""))
-                    (attrsToList fileSystems.decrypt.manual.devices))}
-                '';
-              };
-              services.wait-manual-decrypt =
-              {
-                wantedBy = [ "initrd-root-fs.target" ];
-                before = [ "roll-rootfs.service" ];
-                unitConfig.DefaultDependencies = false;
-                serviceConfig.Type = "oneshot";
-                script = concatStringsSep "\n" (map
-                  (device: "while [ ! -e /dev/mapper/${device.value.mapper} ]; do sleep 1; done")
-                  (attrsToList fileSystems.decrypt.manual.devices));
-              };
-            };
-          };
-          fileSystems = listToAttrs (map
-            (mount: { name = mount; value.options = [ "x-systemd.device-timeout=48h" ]; })
-            fileSystems.decrypt.manual.delayedMount);
-        }
-      )
       # mdadm
       (
         mkIf (fileSystems.mdadm != null)

modules/system/fileSystems/luks/default.nix

@@ -0,0 +1,80 @@
+inputs:
+{
+  options.nixos.system.fileSystems.luks = let inherit (inputs.lib) mkOption types; in
+  {
+    auto = mkOption
+    {
+      type = types.attrsOf (types.submodule { options =
+      {
+        mapper = mkOption { type = types.nonEmptyStr; };
+        ssd = mkOption { type = types.bool; default = false; };
+        before = mkOption { type = types.nullOr (types.listOf types.nonEmptyStr); default = null; };
+      };});
+      default = {};
+    };
+    manual =
+    {
+      enable = mkOption { type = types.bool; default = false; };
+      devices = mkOption
+      {
+        type = types.attrsOf (types.submodule { options =
+        {
+          mapper = mkOption { type = types.nonEmptyStr; };
+          ssd = mkOption { type = types.bool; default = false; };
+        };});
+        default = {};
+      };
+      delayedMount = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
+    };
+  };
+  config = let inherit (inputs.config.nixos.system.fileSystems) luks; in inputs.lib.mkMerge
+  [
+    (inputs.lib.mkIf (luks.auto != null) { boot.initrd =
+    {
+      luks.devices = (builtins.listToAttrs (builtins.map
+        (device:
+        {
+          name = device.value.mapper;
+          value =
+          {
+            device = device.name;
+            allowDiscards = device.value.ssd;
+            bypassWorkqueues = device.value.ssd;
+            crypttabExtraOpts = [ "fido2-device=auto" "x-initrd.attach" ];
+          };
+        })
+        (inputs.localLib.attrsToList luks.auto)));
+      systemd.services = builtins.listToAttrs (builtins.map
+        (device:
+        {
+          name = "systemd-cryptsetup@${device.value.mapper}";
+          value =
+          {
+            before = map (device: "systemd-cryptsetup@${device}.service") device.value.before;
+            overrideStrategy = "asDropin";
+          };
+        })
+        (builtins.filter (device: device.value.before != null) (inputs.localLib.attrsToList luks.auto)));
+    };})
+    (inputs.lib.mkIf luks.manual.enable
+    {
+      boot.initrd =
+      {
+        luks.forceLuksSupportInInitrd = true;
+        systemd.services.wait-manual-decrypt =
+        {
+          wantedBy = [ "initrd-root-fs.target" ];
+          before = [ "roll-rootfs.service" ];
+          unitConfig.DefaultDependencies = false;
+          serviceConfig.Type = "oneshot";
+          script = builtins.concatStringsSep "\n" (builtins.map
+            (device: "while [ ! -e /dev/mapper/${device.value.mapper} ]; do sleep 1; done")
+            (inputs.localLib.attrsToList luks.manual.devices));
+        };
+      };
+      fileSystems = builtins.listToAttrs (builtins.map
+        (mount: { name = mount; value.options = [ "x-systemd.device-timeout=48h" ]; })
+        luks.manual.delayedMount);
+    })
+  ];
+}

modules/user/chn/default.nix

@@ -56,7 +56,7 @@ inputs:
                     (system:
                     {
                       name = system.config.nixos.system.networking.hostname;
-                      value = system.config.nixos.system.fileSystems.decrypt.manual;
+                      value = system.config.nixos.system.fileSystems.luks.manual;
                     })
                     (builtins.attrValues inputs.topInputs.self.nixosConfigurations));
                 cat = "${inputs.pkgs.coreutils}/bin/cat";
@@ -68,7 +68,8 @@ inputs:
                   (builtins.map (system: builtins.concatStringsSep "\n"
                     [
                       "decrypt-${system.name}() {"
-                      "  key=$(${cat} ${system.value.keyFile} | ${gpg} --decrypt)"
+                      "  key=$(${cat} ${inputs.topInputs.self}/modules/system/fileSystems/luks/${system.name}.key \\"
+                      "    | ${gpg} --decrypt)"
                       (builtins.concatStringsSep "\n" (builtins.map
                         (device: "  echo $key | ${ssh} root@initrd.${system.name}.chn.moe cryptsetup luksOpen "
                           + (if device.value.ssd then "--allow-discards " else "")