Use systemd mounts instead of handwritten script

2024-01-17 11:16:36 +01:00 · 2024-01-17 11:16:36 +01:00 · 8fd724874f
parent 014673205c
commit 8fd724874f
1 changed files with 31 additions and 77 deletions
--- a/hosts/nixos/lapetus/filesystems/zfs.nix
+++ b/hosts/nixos/lapetus/filesystems/zfs.nix
@ -1,87 +1,41 @@
-{ config, pkgs, ... }: {
+{ config, pkgs, ... }:
 let secretMountpoint = "/hermes";
 in
 {
  # Configure ZFS
  boot.supportedFilesystems = [ "zfs" ];
  boot.zfs.extraPools = [ "zroot" ];
  boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
  boot.kernelParams = [ "nohibernate" ];
-  boot.initrd.systemd.services =
+  # {{{ Mount usb for zfs secrets
-    let secretMountpoint = "/hermes";
+  boot.initrd.systemd.systemd.mounts.hermes = {
-    in
+    where = "/hermes";
-    {
+    what = "/dev/sdb";
-      # {{{ Mount usb 
+    type = "exfat";
      mountSecrets = {
        serviceConfig = {
          Type = "oneshot";
          RemainAfterExit = true;
        };
        unitConfig.DefaultDependencies = "no";
        wantedBy = [ "zfs-import.target" ];
        before = [ "zfs-import.target" ];
        script = ''
          MOUNTPOINT="${secretMountpoint}"
          USB="/dev/sdb"
-          echo "Waiting for $USB"
+    # The usb contains sensitive data that should only be readable to root
-          for I in {1..20}; do
+    mountConfig.DirectoryMode = "0750";
              if [ -e "$USB" ]; then break; fi
              echo -n .
              sleep 1
          done
-          echo "Found $USB"
+    wantedBy = [ "zfs-import.target" ];
-          sleep 1
+    before = [ "zfs-import.target" ];
  };
  # }}}
-          if [ -e "$USB" ]; then
+  boot.initrd.systemd.services = {
-              echo "Mounting $USB"
+    # # {{{ Rollback 
-              mkdir -p $MOUNTPOINT
+    # rollback = {
-              mount -o ro "$USB" $MOUNTPOINT
+    #   path = [ pkgs.zfs ];
-              if [ $? -eq 0 ]; then
+    #   serviceConfig = {
-                  exit 0
+    #     Type = "oneshot";
-              else
+    #     RemainAfterExit = true;
-                  echo "Error mounting $USB" >&2
+    #   };
-              fi
+    #   unitConfig.DefaultDependencies = "no";
-          else
+    #   wantedBy = [ "initrd.target" ];
-              echo "Cannot find $USB" >&2
+    #   after = [ "zfs-import.target" ];
-          fi
+    #   before = [ "sysroot.mount" ];
-        '';
+    #   script = "zfs rollback -r zroot@blank";
-      };
+    # };
-      # }}}
+    # # }}}
-      # {{{ Unmount usb 
+  };
      unmountSecrets = {
        serviceConfig = {
          Type = "oneshot";
          RemainAfterExit = true;
        };
        unitConfig.DefaultDependencies = "no";
        wantedBy = [ "initrd.target" ];
        after = [ "zfs-mount.service" ];
        script = ''
          MOUNTPOINT="${secretMountpoint}"
          if [ -e "$MOUNTPOINT" ]; then
              echo "Clearing $MOUNTPOINT"
              umount $MOUNTPOINT
              rmdir $MOUNTPOINT
              echo "Unmounted $MOUNTPOINT"
          else
              echo "Nothing to unmount"
          fi
        '';
      };
      # }}}
      # # {{{ Rollback 
      # rollback = {
      #   path = [ pkgs.zfs ];
      #   serviceConfig = {
      #     Type = "oneshot";
      #     RemainAfterExit = true;
      #   };
      #   unitConfig.DefaultDependencies = "no";
      #   wantedBy = [ "initrd.target" ];
      #   after = [ "zfs-import.target" ];
      #   before = [ "sysroot.mount" ];
      #   script = "zfs rollback -r zroot@blank";
      # };
      # # }}}
    };
 }