Ensure mountpoints exist
parent
0a6f6b794d
commit
cbf87fe8cf
@ -4,9 +4,24 @@ with lib;
|
|||||||
let
|
let
|
||||||
hostname = config.instance.hostname;
|
hostname = config.instance.hostname;
|
||||||
host-filesystems = config.fudo.hosts.${hostname}.encrypted-filesystems;
|
host-filesystems = config.fudo.hosts.${hostname}.encrypted-filesystems;
|
||||||
|
|
||||||
|
optionalOrDefault = tst: str: default: if tst then str else default;
|
||||||
|
|
||||||
in {
|
in {
|
||||||
config = {
|
config = {
|
||||||
systemd = {
|
systemd = {
|
||||||
|
|
||||||
|
# Ensure the mountpoints exist
|
||||||
|
tmpfiles = let
|
||||||
|
mountpointToPath = mp: mpOpts:
|
||||||
|
"d '${mp}' - root ${optionalOrDefault mpOpts.group "-"} - -";
|
||||||
|
filesystemsToMountpointLists = mapAttrsToList
|
||||||
|
(fs: fsOpts: fsOpts.mountpoints);
|
||||||
|
mountpointListsToPaths = mapConcat
|
||||||
|
(mps: mapAttrsToList mountpointToPath mps);
|
||||||
|
in mountpointListsToPaths (filesystemsToMountpointLists host-filesystems);
|
||||||
|
|
||||||
|
# Actual mounts of decrypted filesystems
|
||||||
mounts = let
|
mounts = let
|
||||||
filesystems = mapAttrsToList
|
filesystems = mapAttrsToList
|
||||||
(fs: opts: { filesystem = fs; opts = opts; })
|
(fs: opts: { filesystem = fs; opts = opts; })
|
||||||
@ -26,8 +41,9 @@ in {
|
|||||||
})
|
})
|
||||||
fs.opts.mountpoints)
|
fs.opts.mountpoints)
|
||||||
filesystems;
|
filesystems;
|
||||||
in builtins.trace mounts mounts;
|
in mounts;
|
||||||
|
|
||||||
|
# Jobs to decrypt the encrypted devices
|
||||||
services = mapAttrs' (filesystem-name: opts:
|
services = mapAttrs' (filesystem-name: opts:
|
||||||
nameValuePair "${filesystem-name}-decrypt"
|
nameValuePair "${filesystem-name}-decrypt"
|
||||||
{
|
{
|
||||||
@ -35,8 +51,10 @@ in {
|
|||||||
description = "Decrypt the ${filesystem-name} filesystem when the key is available at ${opts.key-path}";
|
description = "Decrypt the ${filesystem-name} filesystem when the key is available at ${opts.key-path}";
|
||||||
path = with pkgs; [ cryptsetup ];
|
path = with pkgs; [ cryptsetup ];
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
|
Type = "oneshot";
|
||||||
|
RemainAfterExit = true;
|
||||||
ExecStart = pkgs.writeShellScript "decrypt-${filesystem-name}.sh" ''
|
ExecStart = pkgs.writeShellScript "decrypt-${filesystem-name}.sh" ''
|
||||||
cryptsetup open --type luks --key-file ${opts.key-path} ${opts.encrypted-device} ${filesystem-name}
|
[ ! -d /dev/mapper/${filesystem-name} ] || cryptsetup open --type luks --key-file ${opts.key-path} ${opts.encrypted-device} ${filesystem-name}
|
||||||
'';
|
'';
|
||||||
ExecStop = pkgs.writeShellScript "close-${filesystem-name}.sh" ''
|
ExecStop = pkgs.writeShellScript "close-${filesystem-name}.sh" ''
|
||||||
cryptsetup close /dev/mapper/${filesystem-name}
|
cryptsetup close /dev/mapper/${filesystem-name}
|
||||||
@ -45,6 +63,7 @@ in {
|
|||||||
})
|
})
|
||||||
host-filesystems;
|
host-filesystems;
|
||||||
|
|
||||||
|
# Watch the path of the key, trigger decrypt when it's available
|
||||||
paths = mapAttrs' (filesystem-name: opts:
|
paths = mapAttrs' (filesystem-name: opts:
|
||||||
nameValuePair "${filesystem-name}-decrypt"
|
nameValuePair "${filesystem-name}-decrypt"
|
||||||
{
|
{
|
||||||
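Review bot: The idempotency guard added to the `ExecStart` script in the third hunk is inverted and, because `/dev/mapper/<name>` is a block device node (or a symlink to one) rather than a directory, `[ ! -d ... ]` is always true, so the `||` short-circuits and `cryptsetup open` never runs; with the new `Type = "oneshot"` and `RemainAfterExit = true` the unit then reports success without having decrypted anything. The check should be on existence, `[ -e /dev/mapper/${filesystem-name} ] || cryptsetup open --type luks --key-file ${opts.key-path} ${opts.encrypted-device} ${filesystem-name}`; the `mapAttrs'` lambda this line belongs to starts in the second hunk and closes in the fourth. Separately, in the first hunk `mountpointToPath` calls the three-argument `optionalOrDefault` with only two arguments and passes `mpOpts.group` as the `tst` boolean, so the interpolation would fail at evaluation time; unless `mpOpts.group` is itself a boolean (its type is not visible here), `${if mpOpts.group != null then mpOpts.group else "-"}` is probably what was meant. Since the file is under `with lib;`, `escapeShellArg` is also available and would keep an `opts.key-path` or `opts.encrypted-device` containing spaces from being word-split in the generated script.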
|
@ -74,23 +74,6 @@ in {
|
|||||||
in concatStringsSep "\n" sorted-unique;
|
in concatStringsSep "\n" sorted-unique;
|
||||||
};
|
};
|
||||||
|
|
||||||
# fudo.hosts.${hostname}.build-pubkeys =
|
|
||||||
# map builtins.readFile
|
|
||||||
# (map (build-key-path: "${build-key-path}/${hostname}.key.pub")
|
|
||||||
# (optional (site.build-key-path != null) site.build-key-path));
|
|
||||||
|
|
||||||
# nix = mkIf
|
|
||||||
# (has-build-servers && has-build-keys && site.enable-distributed-builds) {
|
|
||||||
# buildMachines = mapAttrsToList (hostname: buildOpts: {
|
|
||||||
# hostName = "${hostname}.${domain-name}";
|
|
||||||
# maxJobs = buildOpts.max-jobs;
|
|
||||||
# speedFactor = buildOpts.speed-factor;
|
|
||||||
# supportedFeatures = buildOpts.supported-features;
|
|
||||||
# sshKey = config.fudo.secrets.host-secrets.${hostname}.build-private-key.target-file;
|
|
||||||
# }) site.build-servers;
|
|
||||||
# distributedBuilds = true;
|
|
||||||
# };
|
|
||||||
|
|
||||||
time.timeZone = site.timezone;
|
time.timeZone = site.timezone;
|
||||||
|
|
||||||
krb5.libdefaults.default_realm = domain.gssapi-realm;
|
krb5.libdefaults.default_realm = domain.gssapi-realm;
|
||||||
@ -152,30 +135,5 @@ in {
|
|||||||
};
|
};
|
||||||
|
|
||||||
boot.tmpOnTmpfs = host-cfg.tmp-on-tmpfs;
|
boot.tmpOnTmpfs = host-cfg.tmp-on-tmpfs;
|
||||||
|
|
||||||
# programs.ssh.knownHosts = let
|
|
||||||
# keyed-hosts =
|
|
||||||
# filterAttrs (host: opts: opts.ssh-pubkeys != []) config.fudo.hosts;
|
|
||||||
|
|
||||||
# crossProduct = f: list0: list1:
|
|
||||||
# concatMap (el0: map (el1: f el0 el1) list1) list0;
|
|
||||||
|
|
||||||
# getHostnames = hostOpts:
|
|
||||||
# [ hostOpts.hostname ]
|
|
||||||
# ++ (crossProduct (host: domain: "${host}.${domain}")
|
|
||||||
# ([ hostOpts.hostname ] ++ hostOpts.aliases)
|
|
||||||
# ([ hostOpts.domain ] ++ hostOpts.extra-domains));
|
|
||||||
|
|
||||||
# getHostEntryPairs = host:
|
|
||||||
# map (hostname: nameValuePair hostname { publicKey = host.ssh-pubkey; })
|
|
||||||
# (getHostnames host);
|
|
||||||
|
|
||||||
# hostAttrsToList = hostAttrs:
|
|
||||||
# mapAttrsToList (hostname: opts: { hostname = hostname; } // opts)
|
|
||||||
# hostAttrs;
|
|
||||||
|
|
||||||
# getKnownHosts = hosts:
|
|
||||||
# concatMap getHostEntryPairs (hostAttrsToList hosts);
|
|
||||||
# in listToAttrs (getKnownHosts keyed-hosts);
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||