server-config/usb-secrets.nix


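{
  config,
  lib,
  pkgs,
  ...
}:
let
  # Single place for the paths and the volume label the unit depends on.
  # They were previously repeated as literals throughout the script.
  keyName = "usb-secrets-key";
  secretsDir = "/run/secrets";
  keyPath = "${secretsDir}/${keyName}";
  mountPoint = "/mnt/usb";
  usbLabel = "SECRETS";
  usbDevice = "/dev/disk/by-label/${usbLabel}";
in
{
  # Extract USB secrets key in main system before agenix.
  #
  # The unit is pulled into sysinit.target with DefaultDependencies=false so
  # it runs early, after local-fs.target and before agenix.service, which
  # reads the age identity from ${keyPath} (see age.identityPaths below).
  systemd.services.usb-secrets = {
    description = "Extract USB secrets key";
    wantedBy = [ "sysinit.target" ];
    before = [ "agenix.service" ];
    wants = [ "local-fs.target" ];
    after = [ "local-fs.target" ];
    unitConfig.DefaultDependencies = false;
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
    };
    script = ''
      # Create the staging directory with an explicit 0700 mode rather than
      # relying on umask: this unit can run before systemd-tmpfiles-setup has
      # applied the tmpfiles rule declared below.
      install -d -m 700 ${secretsDir}
      mkdir -p ${mountPoint}

      # Idempotent: a key left by an earlier run is reused as-is.
      if [ -f ${keyPath} ]; then
        echo "USB secrets key already loaded"
        exit 0
      fi

      # Give udev up to 30 seconds to create the by-label symlink.
      for _ in $(seq 1 30); do
        [ -e ${usbDevice} ] && break
        sleep 1
      done
      if [ ! -e ${usbDevice} ]; then
        echo "USB not found: ${usbDevice} did not appear"
        exit 1
      fi

      # The medium is selected by its label alone, so mount it read-only and
      # with nosuid,nodev,noexec: nothing on it is trusted beyond the single
      # file copied out below. mount's stderr is no longer discarded so a
      # failure reason reaches the journal.
      if ! mount -o ro,nosuid,nodev,noexec ${usbDevice} ${mountPoint}; then
        echo "USB not found"
        exit 1
      fi
      # Unmount on every exit path, including a failing install (the script
      # runs with set -e).
      trap 'umount ${mountPoint}' EXIT

      if [ ! -f ${mountPoint}/${keyName} ]; then
        echo "Key file not found"
        exit 1
      fi
      # Root-owned 0600 copy on the tmpfs under /run; the USB is never written.
      install -m 600 ${mountPoint}/${keyName} ${keyPath}
      echo "USB secrets key loaded"
    '';
  };

  # agenix decrypts its secrets with the identity staged by the unit above.
  age.identityPaths = [ keyPath ];

  # Keeps the staging directory root-only even if it was created some other
  # way; the service also sets this mode itself because of ordering.
  systemd.tmpfiles.rules = [
    "d ${secretsDir} 0700 root root -"
  ];
}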