Ensure mountpoints exist

niten 2021-10-18 07:03:01 -07:00
parent 0a6f6b794d
commit cbf87fe8cf
2 changed files with 21 additions and 44 deletions


@ -4,9 +4,24 @@ with lib;
let
hostname = config.instance.hostname;
host-filesystems = config.fudo.hosts.${hostname}.encrypted-filesystems;
optionalOrDefault = tst: str: default: if tst then str else default;
in {
config = {
systemd = {
# Ensure the mountpoints exist
tmpfiles = let
mountpointToPath = mp: mpOpts:
"d '${mp}' - root ${optionalOrDefault mpOpts.group "-"} - -";
filesystemsToMountpointLists = mapAttrsToList
(fs: fsOpts: fsOpts.mountpoints);
mountpointListsToPaths = mapConcat
(mps: mapAttrsToList mountpointToPath mps);
in mountpointListsToPaths (filesystemsToMountpointLists host-filesystems);
# Actual mounts of decrypted filesystems
mounts = let
filesystems = mapAttrsToList
(fs: opts: { filesystem = fs; opts = opts; })
@ -26,8 +41,9 @@ in {
})
fs.opts.mountpoints)
filesystems;
in builtins.trace mounts mounts;
in mounts;
# Jobs to decrypt the encrypted devices
services = mapAttrs' (filesystem-name: opts:
nameValuePair "${filesystem-name}-decrypt"
{
@ -35,8 +51,10 @@ in {
description = "Decrypt the ${filesystem-name} filesystem when the key is available at ${opts.key-path}";
path = with pkgs; [ cryptsetup ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = pkgs.writeShellScript "decrypt-${filesystem-name}.sh" ''
cryptsetup open --type luks --key-file ${opts.key-path} ${opts.encrypted-device} ${filesystem-name}
[ ! -d /dev/mapper/${filesystem-name} ] || cryptsetup open --type luks --key-file ${opts.key-path} ${opts.encrypted-device} ${filesystem-name}
'';
ExecStop = pkgs.writeShellScript "close-${filesystem-name}.sh" ''
cryptsetup close /dev/mapper/${filesystem-name}
@ -45,6 +63,7 @@ in {
})
host-filesystems;
# Watch the path of the key, trigger decrypt when it's available
paths = mapAttrs' (filesystem-name: opts:
nameValuePair "${filesystem-name}-decrypt"
{
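Review bot: The guard on the new ExecStart line (the `[ ! -d /dev/mapper/… ] || cryptsetup open …` form, assuming the plain `cryptsetup open` line above it is the removed original) never runs the decrypt: `/dev/mapper/<name>` is a block-device node, not a directory, so `[ ! -d … ]` is always true and the `||` short-circuits whether or not the volume is already open, and even for a directory the polarity is inverted (it would call `open` only when the mapping already exists). Use an existence test with the intended sense, `[ -e /dev/mapper/${filesystem-name} ] || cryptsetup open --type luks --key-file ${opts.key-path} ${opts.encrypted-device} ${filesystem-name}`, or more robustly `cryptsetup status ${filesystem-name} >/dev/null 2>&1 || cryptsetup open …`, so a restart of the oneshot is idempotent while the first activation still decrypts. In the tmpfiles block, `optionalOrDefault mpOpts.group "-"` passes two arguments to a three-argument function and interpolates the resulting partial application, which Nix rejects at evaluation ("cannot coerce a function to a string"); the intent looks like `${optionalOrDefault (mpOpts.group != null) mpOpts.group "-"}`, with the exact test depending on how the `group` option is declared outside this hunk. I also cannot find `mapConcat` in nixpkgs `lib` — `concatMap` is the usual name — so that line is worth confirming before the module is evaluated. The `services` and `paths` attribute sets continue past the end of this section.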


@ -74,23 +74,6 @@ in {
in concatStringsSep "\n" sorted-unique;
};
# fudo.hosts.${hostname}.build-pubkeys =
# map builtins.readFile
# (map (build-key-path: "${build-key-path}/${hostname}.key.pub")
# (optional (site.build-key-path != null) site.build-key-path));
# nix = mkIf
# (has-build-servers && has-build-keys && site.enable-distributed-builds) {
# buildMachines = mapAttrsToList (hostname: buildOpts: {
# hostName = "${hostname}.${domain-name}";
# maxJobs = buildOpts.max-jobs;
# speedFactor = buildOpts.speed-factor;
# supportedFeatures = buildOpts.supported-features;
# sshKey = config.fudo.secrets.host-secrets.${hostname}.build-private-key.target-file;
# }) site.build-servers;
# distributedBuilds = true;
# };
time.timeZone = site.timezone;
krb5.libdefaults.default_realm = domain.gssapi-realm;
@ -152,30 +135,5 @@ in {
};
boot.tmpOnTmpfs = host-cfg.tmp-on-tmpfs;
# programs.ssh.knownHosts = let
# keyed-hosts =
# filterAttrs (host: opts: opts.ssh-pubkeys != []) config.fudo.hosts;
# crossProduct = f: list0: list1:
# concatMap (el0: map (el1: f el0 el1) list1) list0;
# getHostnames = hostOpts:
# [ hostOpts.hostname ]
# ++ (crossProduct (host: domain: "${host}.${domain}")
# ([ hostOpts.hostname ] ++ hostOpts.aliases)
# ([ hostOpts.domain ] ++ hostOpts.extra-domains));
# getHostEntryPairs = host:
# map (hostname: nameValuePair hostname { publicKey = host.ssh-pubkey; })
# (getHostnames host);
# hostAttrsToList = hostAttrs:
# mapAttrsToList (hostname: opts: { hostname = hostname; } // opts)
# hostAttrs;
# getKnownHosts = hosts:
# concatMap getHostEntryPairs (hostAttrsToList hosts);
# in listToAttrs (getKnownHosts keyed-hosts);
};
}