From 2088ad70728a60c3309942c3855585e1cb0e5d71 Mon Sep 17 00:00:00 2001
From: nathan mccarty
Date: Mon, 4 Jul 2022 17:41:18 -0400
Subject: [PATCH] Allow mounting a BitLocker encrypted partition
Add the windows module
---
 home-manager/programs/emacs.nix | 6 +++++-
 machines/levitation/configuration.nix | 30 +++++++++++++++++++-------
 modules/default.nix | 22 +++++++++++++++++++
 modules/services/borg.nix | 1 +
 modules/windows.nix | 31 +++++++++++++++++++++++++++
 scripts/windows/mount.sh | 29 +++++++++++++++++++++++++
 scripts/windows/unmount.sh | 24 +++++++++++++++++++++
 secrets/levitation/windows.yaml | 30 ++++++++++++++++++++++++++
 8 files changed, 164 insertions(+), 9 deletions(-)
 create mode 100644 modules/windows.nix
 create mode 100755 scripts/windows/mount.sh
 create mode 100755 scripts/windows/unmount.sh
 create mode 100644 secrets/levitation/windows.yaml
diff --git a/home-manager/programs/emacs.nix b/home-manager/programs/emacs.nix
index 2ce90ca..71aaed3 100644
--- a/home-manager/programs/emacs.nix
+++ b/home-manager/programs/emacs.nix
@@ -39,7 +39,11 @@
 services.emacs = {
 enable = config.nathan.programs.emacs.service;
 client.enable = true;
- defaultEditor = true;
+ };
+ # Set editor
+ home.sessionVariables = {
+ EDITOR = "emacsclient";
+ VISUAL = "emacsclient";
 };
 };
 }
diff --git a/machines/levitation/configuration.nix b/machines/levitation/configuration.nix
index 0a8a4aa..90ae49f 100644
--- a/machines/levitation/configuration.nix
+++ b/machines/levitation/configuration.nix
@@ -1,14 +1,20 @@
 { config, lib, pkgs, ... }: {
- # sops for borg
- sops.secrets."borg-ssh-key" = {
- sopsFile = ../../secrets/levitation/borg.yaml;
- format = "yaml";
- };
- sops.secrets."borg-password" = {
- sopsFile = ../../secrets/levitation/borg.yaml;
- format = "yaml";
+ # Sops setup for this machine
+ sops.secrets = {
+ "borg-ssh-key" = {
+ sopsFile = ../../secrets/levitation/borg.yaml;
+ format = "yaml";
+ };
+ "borg-password" = {
+ sopsFile = ../../secrets/levitation/borg.yaml;
+ format = "yaml";
+ };
+ "windows-bitlocker-key" = {
+ sopsFile = ../../secrets/levitation/windows.yaml;
+ format = "yaml";
+ };
 };
 # Setup system configuration
 nathan = {
@@ -32,6 +38,14 @@
 setupGrub = true;
 nix.autoUpdate = false;
 harden = false;
+ windows = {
+ enable = true;
+ mount = {
+ device = "/dev/nvme0n1p3";
+ mountPoint = "/mnt/windows";
+ keyFile = config.sops.secrets."windows-bitlocker-key".path;
+ };
+ };
 };
 };
 # Configure networking
diff --git a/modules/default.nix b/modules/default.nix
index fba83b3..1758e39 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -10,6 +10,7 @@ in
 ./swaywm.nix
 ./hardware.nix
 ./virtualization.nix
+ ./windows.nix
 ./programs/games.nix
 ./programs/gpg.nix
 ./programs/utils.nix
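Review bot: `device = "/dev/nvme0n1p3";` in the new `windows.mount` block is a kernel-enumerated name that can change after a storage change or a different probe order, and because `mount.sh` derives its `/var/dislocker/<name>` state directory from that name, a renumbering could both hand dislocker a different partition and move the state directory. A stable identifier such as `device = "/dev/disk/by-partuuid/<PARTUUID>";` (placeholder) avoids that. The `keyFile` value is the runtime path sops-nix writes the decrypted secret to, which keeps the recovery key out of the Nix store; a comment on that line, e.g. `# runtime path of the decrypted secret, never a store path`, would help the next reader keep it that way. The first hunk only regroups the existing borg secrets and needs no change.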
@@ -147,6 +148,27 @@ in
 lxc = mkDefaultOption "lxc" config.nathan.config.isDesktop;
 nixos = mkDefaultOption "nixos containers" config.nathan.config.isDesktop;
 };
+ # Support for interacting with a dual booted windows system
+ windows = {
+ enable = mkEnableOption "Windows Integration";
+ mount = {
+ enable = mkDefaultOption "Mount a bitlockered windows partition" config.nathan.config.windows.enable;
+ device = mkOption {
+ description = "Device to mount";
+ example = "/dev/sda2";
+ type = types.str;
+ };
+ mountPoint = mkOption {
+ description = "Location to mount the device to";
+ example = "/dev/sda2";
+ type = types.str;
+ };
+ keyFile = mkOption {
+ description = "File containing the recovery key for the partition";
+ type = types.str;
+ };
+ };
+ };
 };
 };
 };
diff --git a/modules/services/borg.nix b/modules/services/borg.nix
index 34df290..06ccf29 100644
--- a/modules/services/borg.nix
+++ b/modules/services/borg.nix
@@ -22,6 +22,7 @@ with lib; {
 "/home/${config.nathan.config.user}/.local/share/Steam"
 "/home/${config.nathan.config.user}/*/Cache"
 "/home/*/Downloads"
+ "/var/dislocker"
 ];
 repo = "${config.nathan.services.borg.location}/${config.networking.hostName}";
 encryption = {
diff --git a/modules/windows.nix b/modules/windows.nix
new file mode 100644
index 0000000..734fd45
--- /dev/null
+++ b/modules/windows.nix
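Review bot: The `mountPoint` option's `example = "/dev/sda2";` is copied from `device` and shows a block device where a directory is expected; it should read `example = "/mnt/windows";`. `keyFile` is declared as `types.str` rather than `types.path`, which is the right choice because a `types.path` literal would be copied into the world-readable Nix store, but nothing says so; a comment such as `# str, not path: a path literal would land the recovery key in /nix/store` would stop a later cleanup from "fixing" it. The description could also state that the file is read by the mount service at start-up, so a runtime path (for example one produced by sops-nix) is what is expected. The enclosing option set starts before and continues after the hunk.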
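Review bot: Excluding `/var/dislocker` keeps the dislocker-file virtual image out of the backup, but the NTFS mount itself (`mount.mountPoint`, `/mnt/windows` on levitation) is not excluded here; if this job backs up `/` without borg's `--one-file-system`, the Windows volume would be swept into the repository on every run while it is mounted. Adding the configured mount point to this exclude list, or confirming the job's paths cannot reach it, would close that gap. The exclude list and the job definition start before the hunk.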
@@ -0,0 +1,31 @@
+{ config, lib, pkgs, ... }:
+
+with lib;{
+ config = mkIf config.nathan.config.windows.enable {
+ # Enable ntfs support
+ boot.supportedFilesystems = [ "ntfs" ];
+ # Install dislocker for mounting bitlocker encrypted partitions
+ environment.systemPackages = with pkgs; [
+ dislocker
+ ];
+
+ systemd.services.mount-windows =
+ let
+ mount = config.nathan.config.windows.mount;
+ in
+ mkIf mount.enable {
+ description = "Mount ${mount.device} to ${mount.mountPoint}";
+ wantedBy = [ "multi-user.target" ];
+ path = with pkgs; [
+ bash
+ dislocker
+ ];
+ serviceConfig = {
+ Type = "forking";
+ ExecStart =
+ "${../scripts/windows/mount.sh} ${mount.device} ${mount.mountPoint} ${mount.keyFile}";
+ ExecStop = "${../scripts/windows/unmount.sh} ${mount.device} ${mount.mountPoint}";
+ };
+ };
+ };
+}
diff --git a/scripts/windows/mount.sh b/scripts/windows/mount.sh
new file mode 100755
index 0000000..6f233eb
--- /dev/null
+++ b/scripts/windows/mount.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+### Mounts the given, bitlocker encrypted, ntfs partition
+###
+### Arguments:
+### 1. The device to mount
+### 2. The path to mount at
+### 3. The path to the recovery code file
+
+###
+## Setup
+###
+# Turn on the guard rails
+set -eou pipefail
+# Parse out the name of the device
+DEVICE_NAME=$(basename $1)
+# Make sure our /var directory exists
+mkdir -p /var/dislocker/$DEVICE_NAME
+# Make sure that the mountpoint exists
+mkdir -p $2
+
+###
+## Mount dislocker
+###
+dislocker-fuse -V $1 -p"$(cat $3)" -- /var/dislocker/$DEVICE_NAME
+
+###
+## Mount the underlying ntfs partition
+###
+/run/wrappers/bin/mount -t ntfs-3g -o loop /var/dislocker/$DEVICE_NAME/dislocker-file $2
diff --git a/scripts/windows/unmount.sh b/scripts/windows/unmount.sh
new file mode 100755
index 0000000..4792c8e
--- /dev/null
+++ b/scripts/windows/unmount.sh
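Review bot: `mount-windows` is wanted by `multi-user.target` but declares no `after`/`requires` on the block device it mounts, so on a slowly probed disk the unit can start before `mount.device` exists, `dislocker-fuse` fails, and nothing retries it. Tying the unit to the device, e.g. `requires = [ "${utils.escapeSystemdPath mount.device}.device" ];` with the same list for `after` (and `utils` added to the module arguments), makes systemd wait for the device first. `Type = "forking"` appears to rely on `dislocker-fuse` daemonising itself after the mount succeeds; a one-line comment on that line, `# dislocker-fuse backgrounds itself once the volume is unlocked`, would keep someone from switching it to `simple`.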
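Review bot: `dislocker-fuse -V $1 -p"$(cat $3)"` puts the BitLocker recovery key into the daemon's argument vector, where `/proc/<pid>/cmdline` exposes it to every local user for as long as the volume stays mounted, which undoes the protection the root-only sops secret file gives it. Whether `dislocker-fuse` can take the password from stdin (it prompts when `-p` is given without a value) should be checked; if it cannot, mounting `/proc` with `hidepid=2` at least hides the argument from unprivileged users. Separately, a failing `cat` inside the argument is not caught by `set -e`, so a missing key file turns into an interactive prompt that hangs the service; reading it first with `KEY=$(cat "$3")` and passing `-p"$KEY"` makes that failure abort the script, and the remaining `$1`/`$2` uses should be quoted as well.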
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+### Unmounts the given, bitlocker encrypted, ntfs partition
+###
+### Arguments:
+### 1. The device to mount
+### 2. The path to mount at
+
+###
+## Setup
+###
+# Turn on the guard rails
+set -xeou pipefail
+# Parse out the name of the device
+DEVICE_NAME=$(basename $1)
+
+###
+## Unmount the NTFS Partiion
+###
+umount $2
+
+###
+## Unmount the dislocker-file
+###
+/run/wrappers/bin/umount /var/dislocker/$DEVICE_NAME/
diff --git a/secrets/levitation/windows.yaml b/secrets/levitation/windows.yaml
new file mode 100644
index 0000000..aecb4fc
--- /dev/null
+++ b/secrets/levitation/windows.yaml
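Review bot: `set -xeou pipefail` turns on `-x` tracing, unlike `mount.sh`'s `set -eou pipefail`, so every command is echoed to the journal; it reads as a leftover debug flag and should be `set -eou pipefail`. The first unmount is a bare `umount $2` while the second uses `/run/wrappers/bin/umount`; the unit's `path` lists only bash and dislocker, so unless util-linux is on the service PATH the bare call may not resolve, and both should use the same fully qualified binary with `"$1"`/`"$2"` quoted. The header still says "The device to mount" and "The path to mount at", copied from mount.sh; "The device to unmount" and "The path it is mounted at" would match what the script does.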
@@ -0,0 +1,30 @@ +windows-bitlocker-key: ENC[AES256_GCM,data:44FRgH2jVyou2+MGBb35cS+GTRyx4AYPvLtLo5tvf5T6LcboPRparVMVk4JhnNwy4arEEUuh1A==,iv:QEVUz4nyiFL0UgQ+pEeng/CNhSSmZxpWJ7y9PO8wNKU=,tag:c3/zWa8g6i4IrYWmehLcHg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1ud80054jwf6ff7xx65ta6g7qxx2flc24r5gyyfjz43kvppjutqyskr2qm2 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2dnJuYjFiY2c2QUE4V204 + QlFLV0tZZHpqdmx0YThuOHhVL0tUOXhFb1NjCmE0TnQ1RFY0WWNYOGRZUFkvbjRl + L3BtbDM3eWVUTUhwTXZEZWREdjR4OEUKLS0tIHArSXhDc2dIaXU3emNwc2haYTZy + Q2RxRXpqdkdKNGFtN0M0Y3VEbC9pSDgKYqmhvzyuDsO0s8ZkOO8nuF05aPHPiRxJ + QCLAyh92/O4GOKv1WczpdSUmsEk6J3/krjtyn1qH56RvqfRfUwZaSA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1tsq68swufcjq6qavqpzrtse4474p5gs58v6qp6w7gum49yz45cgsegxhuw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyNHhiTnBZbUh4OTNMS3VJ + WDZyam8vSEVMYkh5bXljcitzS3N1TGxKN2wwCjZsRWNyWU94WGpCcE5Nb3g3WEhs + YTNhd0tzRU1ON0NWUjl2N3J4bHNkUFUKLS0tIFF5eTZIUXpVU3k2ZExvSDJLZElB + YUlNT1crUjZtcDBWWHZVM3N3SDkvUjAKRrUqT0aRYZXYXpphh8OKz9h+BXkq+RLn + Hop/TKukRIK70B0cd/PnbEwaA2qw/uRsDdOJCPUupO/U0rm0b0iiOA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-07-05T04:40:28Z" + mac: ENC[AES256_GCM,data:e6IQs7sbZCaa0Faiv8OtP8V0DnJgwAMTcUu3Y85HXjne1VaM4CAv8ufJQQYU8o5T1D/1+ys1AbrzHtMMWeM/svF+6rAD+GGHbbDcDb+50Ad22Xiq90T/x0fz/TmXpR+zyhsjIsl3s1JGRALiodPvUcgRLcnDavTVeRbckQYgkNI=,iv:MaUrsxozwc5nySB/BeYFKQ0PN26k9MdeWCPy0mrdaIU=,tag:zt1rIYw+Ipas+RKmZkTpvw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3