path: root/system/encryption.nix
blob: b53efc930db033b0472af1e4c3d6956cfdd520f9 (plain)
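# NixOS module for a removable LUKS volume that stores SSH private keys.
# It declares the crypttab and fstab entries, installs the keys-mount and
# keys-umount helper commands, and defines a unit that fixes ownership and
# modes on the mounted volume.
{pkgs, ...}: {
  # crypttab entry for the key volume. "none" means no key file is used, and
  # "noauto" keeps the volume locked at boot until its cryptsetup unit is
  # started explicitly (keys-mount does that).
  environment.etc."crypttab" = {
    text = ''
      ssh-keys UUID=da31e270-80d4-4a89-9633-87dd4d736ca2 none noauto,x-systemd.device-timeout=0
    '';
  };

  # Mount point for the unlocked mapper device; never mounted automatically.
  # NOTE(review): per mount(8), "users" lets any user mount and unmount this
  # entry and implies noexec,nosuid,nodev; the later "exec" re-enables
  # execution from the volume. A key store normally holds no executables, and
  # the helpers below already mount through sudo, so consider dropping "exec"
  # and "users" unless something relies on them.
  fileSystems."/mnt/ssh-keys" = {
    device = "/dev/mapper/ssh-keys";
    fsType = "ext4";
    options = ["noauto" "nofail" "users" "exec"];
  };

  # define the scripts as system commands
  environment.systemPackages = with pkgs; [
    cryptsetup
    # keys-mount: unlock the volume, mount it and load the key into ssh-agent.
    # Inside a '' string the backslash is literal, so the script contains "\\"
    # and the shell reduces it to the single backslash of the systemd-escaped
    # unit name (ssh\x2dkeys).
    # NOTE(review): the script has no error handling, so a failed unlock or
    # mount still falls through to ssh-add. ssh-add is also called without a
    # lifetime (-t), so the key stays in the agent until keys-umount runs or
    # the agent exits, including when the stick is pulled without unmounting.
    (writeShellScriptBin "keys-mount" ''
      sudo systemctl start systemd-cryptsetup@ssh\\x2dkeys.service
      sudo mount /mnt/ssh-keys
      # Add all of my ssh-keys on the usb
      ssh-add /mnt/ssh-keys/poseidon
    '')
    # keys-umount: reverse of keys-mount. The key is removed from the agent
    # first, while the file is still readable, then the volume is unmounted
    # and the LUKS mapping is closed.
    (writeShellScriptBin "keys-umount" ''
      # Do the same here
      ssh-add -d /mnt/ssh-keys/poseidon
      sudo umount /mnt/ssh-keys
      sudo systemctl stop systemd-cryptsetup@ssh\\x2dkeys.service
    '')
  ];

  # Restricts the mounted volume to root and the ssh-keys group.
  # NOTE(review): the ssh-keys group is not defined in this file; presumably
  # it is declared elsewhere. Verify that it exists and who is a member.
  systemd.services."ssh-keys-permissions" = {
    wantedBy = ["multi-user.target"];
    # Ordering only: "after" does not pull the device unit in. In a "..."
    # string "\\" is one backslash, giving the escaped name ssh\x2dkeys.
    after = ["dev-mapper-ssh\\x2dkeys.device"];
    # Run only when the volume is really mounted. At boot it is still locked
    # (noauto), so without this condition the script would chown and chmod the
    # bare mount-point directory and then fail on the missing key file.
    # NOTE(review): nothing visible here starts this unit after keys-mount, so
    # with this condition it is skipped at boot and has to be started by hand
    # (or from keys-mount) once the volume is mounted.
    unitConfig.ConditionPathIsMountPoint = "/mnt/ssh-keys";
    script = ''
      chown -R root:ssh-keys /mnt/ssh-keys
      chmod 750 /mnt/ssh-keys
      # And here
      chmod 640 /mnt/ssh-keys/poseidon
    '';
    # NOTE(review): 640 leaves the private key readable by every member of the
    # ssh-keys group. That appears deliberate (root-owned file, group access
    # for the user who runs ssh-add), but confirm the group membership is as
    # narrow as intended.
  };
}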