veracrypt

Declarative VeraCrypt mounts as systemd services. Takes an attribute set whose names correspond to the mount points. Protecting hidden volumes is not supported yet. Note that NTFS volumes don't carry Linux file permissions and will be owned by root unless the uidUser, gidGroup, and umask options are used to adjust permissions.

type

attribute set of submodule

default

{
  veracrypt = {};
}
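
A combined configuration for the NTFS ownership case described above, as an added example that is not taken from the module's own documentation. The mount point, device path, and secret file locations are constructed placeholders; the user and group names are the ones used in the option examples on this page.

```nix
{
  # Attribute name is the mount point (constructed for this example).
  veracrypt."/mnt/secure" = {
    # Placeholder device path; substitute the real partition or container file.
    device = "/dev/disk/by-partuuid/PLACEHOLDER-PARTUUID";

    # Written as strings pointing at files outside the Nix store, so the
    # secrets themselves are not copied into the world-readable /nix/store.
    # The files are assumed to be root-owned and not readable by other users.
    passwordFile = "/root/secrets/secure-volume.pass";
    keyfiles = [ "/root/secrets/secure-volume.key" ];

    # NTFS carries no Linux permissions, so ownership and mode come from
    # mount options. Without these three settings the files belong to root.
    uidUser = "admin";
    gidGroup = "users";

    # "007" gives owner and group full access and other users none.
    # "000" would instead open every file on the volume to all local users.
    umask = "007";
  };
}
```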

veracrypt.<name>.device

Path to device or container file to mount

type

string

veracrypt.<name>.extraCommandLineOptions

Extra command line options for veracrypt

type

strings concatenated with " "

example

{
  veracrypt.<name>.extraCommandLineOptions = "--fs-options='umask=007,uid=1000,gid=1000'";
}

default

{
  veracrypt.<name>.extraCommandLineOptions = "";
}

veracrypt.<name>.extraFSOptions

Extra filesystem mount options.

type

list of string

default

{
  veracrypt.<name>.extraFSOptions = [];
}

veracrypt.<name>.extraUnitEntries

Extra entries in the [Unit] section of the systemd unit

type

strings concatenated with "\n"

example

{
  veracrypt.<name>.extraUnitEntries = "Wants=dev-sda6.device";
}

default

{
  veracrypt.<name>.extraUnitEntries = "";
}

veracrypt.<name>.gidGroup

The group to own the filesystem. Sets the gid mount option. Keep null to omit.

type

null or string

example

{
  veracrypt.<name>.gidGroup = "users";
}

default

{
  veracrypt.<name>.gidGroup = null;
}

veracrypt.<name>.keyfiles

List of paths to keyfiles

type

list of string

default

{
  veracrypt.<name>.keyfiles = [];
}

veracrypt.<name>.onBoot

Whether to have systemd mount this volume on boot

type

boolean

default

{
  veracrypt.<name>.onBoot = true;
}

veracrypt.<name>.passwordFile

Path to a file containing the password. Don't set for an empty password.

type

null or string

default

{
  veracrypt.<name>.passwordFile = null;
}

veracrypt.<name>.pim

type

unsigned integer, meaning >=0

default

{
  veracrypt.<name>.pim = 0;
}

veracrypt.<name>.uidUser

The user to own the filesystem. Sets the uid mount option. Keep null to omit.

type

null or string

example

{
  veracrypt.<name>.uidUser = "admin";
}

default

{
  veracrypt.<name>.uidUser = null;
}

veracrypt.<name>.umask

The umask mount option. Keep null to omit.

type

null or string

example

{
  veracrypt.<name>.umask = "000";
}

default

{
  veracrypt.<name>.umask = null;
}