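# NixOS module fragment: an encrypted volume that holds SSH private keys.
# It is unlocked and mounted only on demand (`keys-mount`), its keys are loaded
# into the running ssh-agent, and `keys-umount` reverses all three steps.
{pkgs, ...}: {
  # crypttab entry for the key volume.
  #   none   -> no key file, so the passphrase is asked for at unlock time
  #   noauto -> not unlocked at boot; only when the unit is started explicitly
  environment.etc."crypttab" = {
    text = ''
      ssh-keys UUID=da31e270-80d4-4a89-9633-87dd4d736ca2 none noauto,x-systemd.device-timeout=0
    '';
  };

  fileSystems."/mnt/ssh-keys" = {
    device = "/dev/mapper/ssh-keys";
    fsType = "ext4";
    # "users" lets any local user mount/unmount this entry and implies
    # noexec,nosuid,nodev; the trailing "exec" re-enables execution.
    # NOTE(review): the helper scripts below mount through sudo, so "users" is
    # not needed by them, and a volume that only stores key material normally
    # has no need for "exec" -- confirm both are intentional before keeping them.
    options = ["noauto" "nofail" "users" "exec"];
  };

  # define the scripts as system commands
  environment.systemPackages = with pkgs; [
    cryptsetup

    # Unlock, mount, then load every file on the volume into ssh-agent.
    # `ssh\\x2dkeys` is the systemd-escaped mapping name: backslashes are
    # literal inside a Nix '' string, and the shell collapses `\\` to `\`.
    (writeShellScriptBin "keys-mount" ''
      # Stop at the first failure: without this a failed unlock would still
      # fall through to mount and ssh-add.
      set -e
      sudo systemctl start systemd-cryptsetup@ssh\\x2dkeys.service
      sudo mount /mnt/ssh-keys
      # Keys are added with no lifetime, so they stay in the agent until
      # keys-umount runs (ssh-add -t can bound that if desired).
      ssh-add /mnt/ssh-keys/*
    '')

    # Deliberately has no `set -e`: if removing a key from the agent fails,
    # the volume must still be unmounted and the mapping closed. This also
    # closes a mapping left open by a keys-mount run whose mount step failed.
    (writeShellScriptBin "keys-umount" ''
      ssh-add -d /mnt/ssh-keys/*
      sudo umount /mnt/ssh-keys
      sudo systemctl stop systemd-cryptsetup@ssh\\x2dkeys.service
    '')
  ];

  # Creates the mount point as root:ssh-keys, mode 0770.
  # NOTE(review): the "ssh-keys" group is not declared in this file -- confirm
  # it is defined elsewhere. These permissions apply to the empty mount point
  # only; once mounted, the root directory of the ext4 volume decides access.
  systemd.tmpfiles.rules = [
    "d /mnt/ssh-keys 0770 root ssh-keys -"
  ];
}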