From 8fd724874fa9a60fcdade9b92836c7c2c3b41b3f Mon Sep 17 00:00:00 2001 From: Matei Adriel Date: Wed, 17 Jan 2024 11:16:36 +0100 Subject: [PATCH] Use systemd mounts instead of handwritten script --- hosts/nixos/lapetus/filesystems/zfs.nix | 108 +++++++----------------- 1 file changed, 31 insertions(+), 77 deletions(-) diff --git a/hosts/nixos/lapetus/filesystems/zfs.nix b/hosts/nixos/lapetus/filesystems/zfs.nix index 1c39ca9..1e07ee7 100644 --- a/hosts/nixos/lapetus/filesystems/zfs.nix +++ b/hosts/nixos/lapetus/filesystems/zfs.nix @@ -1,87 +1,41 @@ -{ config, pkgs, ... }: { +{ config, pkgs, ... }: +let secretMountpoint = "/hermes"; +in +{ # Configure ZFS boot.supportedFilesystems = [ "zfs" ]; boot.zfs.extraPools = [ "zroot" ]; boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; boot.kernelParams = [ "nohibernate" ]; - boot.initrd.systemd.services = - let secretMountpoint = "/hermes"; - in - { - # {{{ Mount usb - mountSecrets = { - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - }; - unitConfig.DefaultDependencies = "no"; - wantedBy = [ "zfs-import.target" ]; - before = [ "zfs-import.target" ]; - script = '' - MOUNTPOINT="${secretMountpoint}" - USB="/dev/sdb" + # {{{ Mount usb for zfs secrets + boot.initrd.systemd.systemd.mounts.hermes = { + where = "/hermes"; + what = "/dev/sdb"; + type = "exfat"; - echo "Waiting for $USB" - for I in {1..20}; do - if [ -e "$USB" ]; then break; fi - echo -n . - sleep 1 - done + # The usb contains sensitive data that should only be readable to root + mountConfig.DirectoryMode = "0750"; - echo "Found $USB" - sleep 1 + wantedBy = [ "zfs-import.target" ]; + before = [ "zfs-import.target" ]; + }; + # }}} - if [ -e "$USB" ]; then - echo "Mounting $USB" - mkdir -p $MOUNTPOINT - mount -o ro "$USB" $MOUNTPOINT - if [ $? -eq 0 ]; then - exit 0 - else - echo "Error mounting $USB" >&2 - fi - else - echo "Cannot find $USB" >&2 - fi - ''; - }; - # }}} - # {{{ Unmount usb - unmountSecrets = { - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - }; - unitConfig.DefaultDependencies = "no"; - wantedBy = [ "initrd.target" ]; - after = [ "zfs-mount.service" ]; - script = '' - MOUNTPOINT="${secretMountpoint}" - if [ -e "$MOUNTPOINT" ]; then - echo "Clearing $MOUNTPOINT" - umount $MOUNTPOINT - rmdir $MOUNTPOINT - echo "Unmounted $MOUNTPOINT" - else - echo "Nothing to unmount" - fi - ''; - }; - # }}} - # # {{{ Rollback - # rollback = { - # path = [ pkgs.zfs ]; - # serviceConfig = { - # Type = "oneshot"; - # RemainAfterExit = true; - # }; - # unitConfig.DefaultDependencies = "no"; - # wantedBy = [ "initrd.target" ]; - # after = [ "zfs-import.target" ]; - # before = [ "sysroot.mount" ]; - # script = "zfs rollback -r zroot@blank"; - # }; - # # }}} - }; + boot.initrd.systemd.services = { + # # {{{ Rollback + # rollback = { + # path = [ pkgs.zfs ]; + # serviceConfig = { + # Type = "oneshot"; + # RemainAfterExit = true; + # }; + # unitConfig.DefaultDependencies = "no"; + # wantedBy = [ "initrd.target" ]; + # after = [ "zfs-import.target" ]; + # before = [ "sysroot.mount" ]; + # script = "zfs rollback -r zroot@blank"; + # }; + # # }}} + }; }