From 50dee3ac9feb715d69554eb76b493e1246c0c61e Mon Sep 17 00:00:00 2001
From: Nathan Reiner
Date: Tue, 17 Sep 2024 20:05:34 +0200
Subject: add usbauth module
---
modules/usbauth/default.nix | 36 ++++++++++++++++++++++++++++++++++++
1 file changed, 36 insertions(+)
create mode 100644 modules/usbauth/default.nix
(limited to 'modules/usbauth/default.nix')
diff --git a/modules/usbauth/default.nix b/modules/usbauth/default.nix
new file mode 100644
index 0000000..aca217e
--- /dev/null
+++ b/modules/usbauth/default.nix
@@ -0,0 +1,36 @@
+{
+ config,
+ lib,
+ modulesPath,
+ pkgs,
+ ...
+}:
+{
+
+ imports = [ (modulesPath + "/profiles/all-hardware.nix") ];
+
+ options.usbauth = lib.mkOption {
+ description = "USB Auth";
+ type = lib.types.submodule {
+ options = lib.mkOption {
+ device = lib.types.str;
+ keyname = lib.types.str;
+ uuid = lib.types.str;
+ };
+ };
+ };
+
+ config = {
+ boot.initrd.postDeviceCommands = pkgs.lib.mkBefore ''
+ mkdir -m 0755 -p /key
+ lsblk -o NAME,UUID
+ while ! findfs UUID=${config.usbauth.uuid} 2> /dev/null; do sleep 0.1; done
+ cryptsetup open $(findfs UUID=${config.usbauth.uuid}) _key
+ mount -o ro "/dev/mapper/_key" /key
+ '';
+
+ boot.initrd.luks.devices."${config.usbauth.device
+ }".keyFile = "/key/.keys/${config.usbauth.keyname}";
+ boot.initrd.luks.devices."${config.usbauth.device}".preLVM = false;
+ };
+}
--
cgit v1.2.3-70-g09d2
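Review bot: Nothing in this file unmounts `/key` or closes the `_key` mapping after the target LUKS device has been opened with the key file, so the decrypted key volume stays mapped for the rest of the boot and probably into the running system. A `postOpenCommands` entry on the same device that unmounts and closes it would limit how long the key material is reachable. The `options.usbauth` declaration also looks wrong: `device`, `keyname` and `uuid` are passed as arguments to `lib.mkOption` rather than each being declared with its own `mkOption`, which I would expect to fail at evaluation. The `while ! findfs …` loop has no timeout, so a missing key device blocks boot indefinitely with no passphrase fallback; if that is intended, a comment saying so would help. The fence below shows the option declarations and the cleanup step.

```nix
  # … unchanged: function header and imports …
  options.usbauth = {
    device = lib.mkOption {
      type = lib.types.str;
      description = "Name of the LUKS device that is unlocked with the key file.";
    };
    keyname = lib.mkOption {
      type = lib.types.str;
      description = "File name of the key below /key/.keys on the key volume.";
    };
    uuid = lib.mkOption {
      type = lib.types.str;
      description = "UUID of the encrypted volume that holds the key file.";
    };
  };

  config = {
    # … unchanged: postDeviceCommands, keyFile, preLVM …

    # Drop access to the key volume as soon as the target device is open.
    boot.initrd.luks.devices."${config.usbauth.device}".postOpenCommands = ''
      umount /key
      cryptsetup close _key
    '';
  };
```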