feat: add encrypted storagebox

Signed-off-by: Lander Van den Bulcke <landervandenbulcke@gmail.com>
2025-09-11 22:38:26 +02:00 · 2025-09-11 22:38:26 +02:00 · a767bcc039
commit a767bcc039
parent a373a0dc20
2 changed files with 52 additions and 3 deletions
--- a/hosts/hosting-02/default.nix
+++ b/hosts/hosting-02/default.nix
@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, pkgs, ... }:
 {
  imports = [
    ./disk-config.nix
@ -87,11 +87,58 @@
    };
  };

+  environment.systemPackages = with pkgs; [
+    gocryptfs
+    sshfs
+  ];
+
+  programs.ssh.knownHosts.storageBox = {
+    hostNames = [ "u491729.your-storagebox.de" ];
+    publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs";
+  };
+
+  fileSystems."/mnt/box" = {
+    device = "u491729@u491729.your-storagebox.de:/home";
+    fsType = "fuse.sshfs";
+    options = [
+      "defaults"
+      "_netdev"
+      "allow_other"
+      "default_permissions"
+      "port=23"
+      "compression=no"
+      "reconnect"
+      "ServerAliveInterval=15"
+      "IdentityFile=${config.sops.secrets.storageboxKey.path}"
+    ];
+  };
+
+  fileSystems."/data" = {
+    depends = [
+      "/mnt/box"
+    ];
+    device = "/mnt/box/crypt";
+    fsType = "fuse.gocryptfs";
+    options = [
+      "rw"
+      "allow_other"
+      "passfile=${config.sops.secrets.storageboxCryptKey.path}"
+    ];
+  };
+
  sops.secrets = {
    wireguardKey = {
      owner = "root";
      sopsFile = ./secrets.yaml;
    };
+    storageboxKey = {
+      owner = "root";
+      sopsFile = ./secrets.yaml;
+    };
+    storageboxCryptKey = {
+      owner = "root";
+      sopsFile = ./secrets.yaml;
+    };
  };

  security.acme.defaults.email = "landervandenbulcke@gmail.com";