| author | Natasha Moongrave <natasha@256phi.eu> | 2026-05-11 13:40:19 +0200 |
|---|---|---|
| committer | Natasha Moongrave <natasha@256phi.eu> | 2026-05-11 13:40:19 +0200 |
| commit | daf29614e7418fa1507c7c5d06d0616202cb7056 (patch) | |
| tree | b7a2bbe7583b8cae662d2b1f1a82d7b09f5a7e7d | |
| parent | ffa0c8fca4d01657c6f5d335274259edeb69426a (diff) | |
Fixed the mounting
| -rw-r--r-- | system/encryption.nix | 69 |
1 files changed, 44 insertions, 25 deletions
diff --git a/system/encryption.nix b/system/encryption.nix
index b53efc9..4172542 100644
--- a/system/encryption.nix
+++ b/system/encryption.nix
@@ -1,41 +1,60 @@ {pkgs, ...}: { - environment.etc."crypttab" = { - text = '' - ssh-keys UUID=da31e270-80d4-4a89-9633-87dd4d736ca2 none noauto,x-systemd.device-timeout=0 - ''; - }; + # The encrypted USB is NOT part of boot anymore + # We do NOT use crypttab or systemd-cryptsetup units at all fileSystems."/mnt/ssh-keys" = { device = "/dev/mapper/ssh-keys"; fsType = "ext4"; - options = ["noauto" "nofail" "users" "exec"]; + + # keep it fully manual/on-demand + options = ["noauto" "nofail"]; }; - # define the scripts as system commands environment.systemPackages = with pkgs; [ cryptsetup + + # 🔓 Mount + unlock + load SSH key (writeShellScriptBin "keys-mount" '' - sudo systemctl start systemd-cryptsetup@ssh\\x2dkeys.service - sudo mount /mnt/ssh-keys - # Add all of my ssh-keys on the usb - ssh-add /mnt/ssh-keys/poseidon + set -e + + DEVICE="/dev/disk/by-uuid/da31e270-80d4-4a89-9633-87dd4d736ca2" + NAME="ssh-keys" + MNT="/mnt/ssh-keys" + + echo "🔐 Unlocking encrypted USB..." + sudo cryptsetup open "$DEVICE" "$NAME" + + echo "📂 Mounting..." + sudo mount "/dev/mapper/$NAME" "$MNT" + + echo "🔑 Adding SSH key..." + ssh-add "$MNT/poseidon" + + echo "✅ Done" '') + + # 🔒 Clean unmount + lock (writeShellScriptBin "keys-umount" '' - # Do the same here - ssh-add -d /mnt/ssh-keys/poseidon - sudo umount /mnt/ssh-keys - sudo systemctl stop systemd-cryptsetup@ssh\\x2dkeys.service + set -e + + MNT="/mnt/ssh-keys" + NAME="ssh-keys" + + echo "🔑 Removing SSH key..." + ssh-add -d "$MNT/poseidon" 2>/dev/null || true + + echo "📤 Unmounting..." + sudo umount "$MNT" || true + + echo "🔒 Closing encrypted device..." 
+ sudo cryptsetup close "$NAME" || true + + echo "✅ Done" '') ]; - systemd.services."ssh-keys-permissions" = { - wantedBy = ["multi-user.target"]; - after = ["dev-mapper-ssh\\x2dkeys.device"]; - script = '' - chown -R root:ssh-keys /mnt/ssh-keys - chmod 750 /mnt/ssh-keys - # And here - chmod 640 /mnt/ssh-keys/poseidon - ''; - }; + # Create mountpoint safely (but do NOT enforce permissions on contents) + systemd.tmpfiles.rules = [ + "d /mnt/ssh-keys 0755 root root -" + ]; } |
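Review bot: In the new keys-mount script the line `sudo mount "/dev/mapper/$NAME" "$MNT"` passes both device and mountpoint, so the `noauto`/`nofail` options declared in the fileSystems entry are not consulted and the removable ext4 is mounted with default options, meaning setuid binaries and device nodes present on the stick are honoured; `sudo mount -o nodev,nosuid "/dev/mapper/$NAME" "$MNT"` closes that without changing the workflow. With the ssh-keys-permissions service removed, the mode of `$MNT/poseidon` now comes solely from the USB filesystem, and ssh-add refuses a private key whose file is group- or world-readable, so the comment `# Create mountpoint safely (but do NOT enforce permissions on contents)` should also state that the key file is expected to already be 0600 on the device. Under `set -e`, re-running keys-mount after a partial failure aborts at `sudo cryptsetup open` (mapping already active) before `ssh-add` is reached; a guard such as `[ -e "/dev/mapper/$NAME" ] || sudo cryptsetup open "$DEVICE" "$NAME"` would make the script idempotent like keys-umount already is with its `|| true` chain. Finally, `ssh-add "$MNT/poseidon"` loads the key with no lifetime, so it stays in the agent after keys-umount if `ssh-add -d` fails silently; `ssh-add -t <seconds-placeholder> "$MNT/poseidon"` bounds that exposure.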
