Add zitadel JWT mint service and tmpfiles; adjust juni mounts

RingOfStorms (Joshua Bell) 2026-01-05 11:01:39 -06:00
parent 127e6d38c1
commit e5e32593b1
2 changed files with 144 additions and 58 deletions


@ -14,9 +14,7 @@ let
IMPERMANENCE = true;
ENCRYPTED = true;
USB_KEY = null;
USB_KEY_PATH = if USB_KEY == null then "" else USB_KEY;
USB_KEY = "/dev/disk/by-uuid/ea3e20f6-c7f2-407c-b9a2-00b4ac000178";
primaryDeviceUnit = "${utils.escapeSystemdPath PRIMARY}.device";
in
@ -221,68 +219,72 @@ lib.mkMerge [
TTYVTDisallocate = true;
};
script = ''
unlock_with_usb_key() {
if [[ -z "${USB_KEY_PATH}" ]]; then
return 2
fi
echo "Searching for USB unlock key..."
KEY_FOUND=0
# 4 second search
for i in {1..40}; do
if [ -e "${USB_KEY_PATH}" ]; then
KEY_FOUND=1
break
script =
let
USB_KEY_PATH = if USB_KEY == null then "" else USB_KEY;
in
''
unlock_with_usb_key() {
if [[ -z "${USB_KEY_PATH}" ]]; then
return 2
fi
sleep 0.1
done
if [ "$KEY_FOUND" -ne 1 ]; then
echo "USB key not found within timeout."
return 2
fi
echo "Searching for USB unlock key..."
KEY_FOUND=0
# 4 second search
for i in {1..40}; do
if [ -e "${USB_KEY_PATH}" ]; then
KEY_FOUND=1
break
fi
sleep 0.1
done
echo "USB key found at ${USB_KEY_PATH}. Attempting unlock..."
mkdir -p /tmp/usb_key_mount
if [ "$KEY_FOUND" -ne 1 ]; then
echo "USB key not found within timeout."
return 2
fi
# Mount read-only
if ! mount -t bcachefs -o ro "${USB_KEY_PATH}" /tmp/usb_key_mount; then
echo "Failed to mount USB key device."
return 1
fi
echo "USB key found at ${USB_KEY_PATH}. Attempting unlock..."
mkdir -p /tmp/usb_key_mount
if ${pkgs.bcachefs-tools}/bin/bcachefs unlock -f /tmp/usb_key_mount/key "${PRIMARY}"; then
umount /tmp/usb_key_mount || true
echo "Bcachefs unlock successful (USB key)!"
return 0
fi
# Mount read-only
if ! mount -t bcachefs -o ro "${USB_KEY_PATH}" /tmp/usb_key_mount; then
echo "Failed to mount USB key device."
return 1
fi
umount /tmp/usb_key_mount || true
echo "Failed to unlock with USB key."
return 1
}
unlock_with_passphrase_until_success() {
echo "Unlocking ${PRIMARY} (will retry on failure)..."
while true; do
if ${pkgs.bcachefs-tools}/bin/bcachefs unlock "${PRIMARY}"; then
echo "Bcachefs unlock successful (passphrase)!"
if ${pkgs.bcachefs-tools}/bin/bcachefs unlock -f /tmp/usb_key_mount/key "${PRIMARY}"; then
umount /tmp/usb_key_mount || true
echo "Bcachefs unlock successful (USB key)!"
return 0
fi
echo "Unlock failed. Try again."
sleep 0.2
done
}
# 1) Optional USB key unlock attempt (if configured)
if unlock_with_usb_key; then
exit 0
fi
umount /tmp/usb_key_mount || true
echo "Failed to unlock with USB key."
return 1
}
# 2) If USB key not configured or failed, prompt for passphrase and retry
unlock_with_passphrase_until_success
'';
unlock_with_passphrase_until_success() {
echo "Unlocking ${PRIMARY} (will retry on failure)..."
while true; do
if ${pkgs.bcachefs-tools}/bin/bcachefs unlock "${PRIMARY}"; then
echo "Bcachefs unlock successful (passphrase)!"
return 0
fi
echo "Unlock failed. Try again."
sleep 0.2
done
}
# 1) Optional USB key unlock attempt (if configured)
if unlock_with_usb_key; then
exit 0
fi
# 2) If USB key not configured or failed, prompt for passphrase and retry
unlock_with_passphrase_until_success
'';
};
})
]
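Review bot: In `unlock_with_usb_key` the removable key device is mounted with only `-o ro` before `bcachefs unlock -f /tmp/usb_key_mount/key` reads a single file from it, so the mount can also carry the generic hardening flags, e.g. `if ! mount -t bcachefs -o ro,nodev,nosuid,noexec "${USB_KEY_PATH}" /tmp/usb_key_mount; then`, since nothing in the script needs device nodes, setuid binaries or executables from that filesystem. The function distinguishes return codes 1 and 2 (key not configured or not found versus mount or unlock failure), but the caller at `if unlock_with_usb_key; then` treats both the same, so either the distinction deserves a comment such as `# 2 = no key configured/found, 1 = key present but unusable; both fall through to passphrase` or the codes can be collapsed. The `script` attribute's enclosing set and the `lib.mkMerge [` list begin outside the hunk, so the service definition around it is not visible here.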