Allow mounting a BitLocker encrypted partition

Add the windows module

home-manager/programs/emacs.nix

@@ -39,7 +39,11 @@
     services.emacs = {
       enable = config.nathan.programs.emacs.service;
       client.enable = true;
-      defaultEditor = true;
+    };
+    # Set editor
+    home.sessionVariables = {
+      EDITOR = "emacsclient";
+      VISUAL = "emacsclient";
     };
   };
 }

machines/levitation/configuration.nix

@@ -1,14 +1,20 @@
 { config, lib, pkgs, ... }:
 
 {
-  # sops for borg
+  # Sops setup for this machine
-  sops.secrets."borg-ssh-key" = {
+  sops.secrets = {
-    sopsFile = ../../secrets/levitation/borg.yaml;
+    "borg-ssh-key" = {
-    format = "yaml";
+      sopsFile = ../../secrets/levitation/borg.yaml;
-  };
+      format = "yaml";
-  sops.secrets."borg-password" = {
+    };
-    sopsFile = ../../secrets/levitation/borg.yaml;
+    "borg-password" = {
-    format = "yaml";
+      sopsFile = ../../secrets/levitation/borg.yaml;
+      format = "yaml";
+    };
+    "windows-bitlocker-key" = {
+      sopsFile = ../../secrets/levitation/windows.yaml;
+      format = "yaml";
+    };
   };
   # Setup system configuration
   nathan = {
@@ -32,6 +38,14 @@
       setupGrub = true;
       nix.autoUpdate = false;
       harden = false;
+      windows = {
+        enable = true;
+        mount = {
+          device = "/dev/nvme0n1p3";
+          mountPoint = "/mnt/windows";
+          keyFile = config.sops.secrets."windows-bitlocker-key".path;
+        };
+      };
     };
   };
   # Configure networking

modules/default.nix

@@ -10,6 +10,7 @@ in
     ./swaywm.nix
     ./hardware.nix
     ./virtualization.nix
+    ./windows.nix
     ./programs/games.nix
     ./programs/gpg.nix
     ./programs/utils.nix
@@ -147,6 +148,27 @@ in
           lxc = mkDefaultOption "lxc" config.nathan.config.isDesktop;
           nixos = mkDefaultOption "nixos containers" config.nathan.config.isDesktop;
         };
+        # Support for interacting with a dual booted windows system
+        windows = {
+          enable = mkEnableOption "Windows Integration";
+          mount = {
+            enable = mkDefaultOption "Mount a bitlockered windows partition" config.nathan.config.windows.enable;
+            device = mkOption {
+              description = "Device to mount";
+              example = "/dev/sda2";
+              type = types.str;
+            };
+            mountPoint = mkOption {
+              description = "Location to mount the device to";
+              example = "/dev/sda2";
+              type = types.str;
+            };
+            keyFile = mkOption {
+              description = "File containing the recovery key for the partition";
+              type = types.str;
+            };
+          };
+        };
       };
     };
   };

modules/services/borg.nix

@@ -22,6 +22,7 @@ with lib; {
           "/home/${config.nathan.config.user}/.local/share/Steam"
           "/home/${config.nathan.config.user}/*/Cache"
           "/home/*/Downloads"
+          "/var/dislocker"
         ];
         repo = "${config.nathan.services.borg.location}/${config.networking.hostName}";
         encryption = {

modules/windows.nix

@@ -0,0 +1,31 @@
+{ config, lib, pkgs, ... }:
+
+with lib;{
+  config = mkIf config.nathan.config.windows.enable {
+    # Enable ntfs support
+    boot.supportedFilesystems = [ "ntfs" ];
+    # Install dislocker for mounting bitlocker encrypted partitions
+    environment.systemPackages = with pkgs; [
+      dislocker
+    ];
+
+    systemd.services.mount-windows =
+      let
+        mount = config.nathan.config.windows.mount;
+      in
+      mkIf mount.enable {
+        description = "Mount ${mount.device} to ${mount.mountPoint}";
+        wantedBy = [ "multi-user.target" ];
+        path = with pkgs; [
+          bash
+          dislocker
+        ];
+        serviceConfig = {
+          Type = "forking";
+          ExecStart =
+            "${../scripts/windows/mount.sh} ${mount.device} ${mount.mountPoint} ${mount.keyFile}";
+          ExecStop = "${../scripts/windows/unmount.sh} ${mount.device} ${mount.mountPoint}";
+        };
+      };
+  };
+}

scripts/windows/mount.sh

@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+### Mounts the given, bitlocker encrypted, ntfs partition
+###
+### Arguments:
+### 1. The device to mount
+### 2. The path to mount at
+### 3. The path to the recovery code file
+
+###
+## Setup
+###
+# Turn on the guard rails
+set -eou pipefail
+# Parse out the name of the device
+DEVICE_NAME=$(basename $1)
+# Make sure our /var directory exists
+mkdir -p /var/dislocker/$DEVICE_NAME
+# Make sure that the mountpoint exists
+mkdir -p $2
+
+###
+## Mount dislocker
+###
+dislocker-fuse -V $1 -p"$(cat $3)" -- /var/dislocker/$DEVICE_NAME
+
+###
+## Mount the underlying ntfs partition
+###
+/run/wrappers/bin/mount -t ntfs-3g -o loop /var/dislocker/$DEVICE_NAME/dislocker-file $2

scripts/windows/unmount.sh

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+### Unmounts the given, bitlocker encrypted, ntfs partition
+###
+### Arguments:
+### 1. The device to mount
+### 2. The path to mount at
+
+###
+## Setup
+###
+# Turn on the guard rails
+set -xeou pipefail
+# Parse out the name of the device
+DEVICE_NAME=$(basename $1)
+
+###
+## Unmount the NTFS Partiion
+###
+umount $2
+
+###
+## Unmount the dislocker-file
+###
+/run/wrappers/bin/umount /var/dislocker/$DEVICE_NAME/

secrets/levitation/windows.yaml

@@ -0,0 +1,30 @@
+windows-bitlocker-key: ENC[AES256_GCM,data:44FRgH2jVyou2+MGBb35cS+GTRyx4AYPvLtLo5tvf5T6LcboPRparVMVk4JhnNwy4arEEUuh1A==,iv:QEVUz4nyiFL0UgQ+pEeng/CNhSSmZxpWJ7y9PO8wNKU=,tag:c3/zWa8g6i4IrYWmehLcHg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1ud80054jwf6ff7xx65ta6g7qxx2flc24r5gyyfjz43kvppjutqyskr2qm2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2dnJuYjFiY2c2QUE4V204
+            QlFLV0tZZHpqdmx0YThuOHhVL0tUOXhFb1NjCmE0TnQ1RFY0WWNYOGRZUFkvbjRl
+            L3BtbDM3eWVUTUhwTXZEZWREdjR4OEUKLS0tIHArSXhDc2dIaXU3emNwc2haYTZy
+            Q2RxRXpqdkdKNGFtN0M0Y3VEbC9pSDgKYqmhvzyuDsO0s8ZkOO8nuF05aPHPiRxJ
+            QCLAyh92/O4GOKv1WczpdSUmsEk6J3/krjtyn1qH56RvqfRfUwZaSA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1tsq68swufcjq6qavqpzrtse4474p5gs58v6qp6w7gum49yz45cgsegxhuw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyNHhiTnBZbUh4OTNMS3VJ
+            WDZyam8vSEVMYkh5bXljcitzS3N1TGxKN2wwCjZsRWNyWU94WGpCcE5Nb3g3WEhs
+            YTNhd0tzRU1ON0NWUjl2N3J4bHNkUFUKLS0tIFF5eTZIUXpVU3k2ZExvSDJLZElB
+            YUlNT1crUjZtcDBWWHZVM3N3SDkvUjAKRrUqT0aRYZXYXpphh8OKz9h+BXkq+RLn
+            Hop/TKukRIK70B0cd/PnbEwaA2qw/uRsDdOJCPUupO/U0rm0b0iiOA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-07-05T04:40:28Z"
+    mac: ENC[AES256_GCM,data:e6IQs7sbZCaa0Faiv8OtP8V0DnJgwAMTcUu3Y85HXjne1VaM4CAv8ufJQQYU8o5T1D/1+ys1AbrzHtMMWeM/svF+6rAD+GGHbbDcDb+50Ad22Xiq90T/x0fz/TmXpR+zyhsjIsl3s1JGRALiodPvUcgRLcnDavTVeRbckQYgkNI=,iv:MaUrsxozwc5nySB/BeYFKQ0PN26k9MdeWCPy0mrdaIU=,tag:zt1rIYw+Ipas+RKmZkTpvw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3