tablet

2022-11-10 11:25:33 +00:00 · 2022-11-10 11:25:33 +00:00 · 040abc67cd
parent dd4cd43c3a
commit 040abc67cd
12 changed files with 413 additions and 11 deletions
--- a/flake.lock
+++ b/flake.lock
@ -96,11 +96,11 @@
        "utils": "utils_3"
      },
      "locked": {
-        "lastModified": 1667410913,
-        "narHash": "sha256-5+S65dpXaIyMDeoPy823BzNH5HYY1wvZ6G+rzTnO8kY=",
+        "lastModified": 1667981810,
+        "narHash": "sha256-p27zd5M+OkfND46gzbGkaHlNBZsYe95M48OJuFeuuSY=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "f520832a47dbc24d1e2c4e4b9a3dbe910777d1a2",
+        "rev": "6ce3493a3c5c6a8f4cfa6f5f88723272e0cfd335",
        "type": "github"
      },
      "original": {
@ -186,11 +186,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1667231093,
-        "narHash": "sha256-RERXruzBEBuf0c7OfZeX1hxEKB+PTCUNxWeB6C1jd8Y=",
+        "lastModified": 1667901915,
+        "narHash": "sha256-IkSou5ox/yZ2YUhGpk8vxd2TNU2pwRlYtir5k55NaxE=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "d40fea9aeb8840fea0d377baa4b38e39b9582458",
+        "rev": "093268502280540a7f5bf1e2a6330a598ba3b7d0",
        "type": "github"
      },
      "original": {
@ -259,11 +259,11 @@
    },
    "utils_3": {
      "locked": {
-        "lastModified": 1667077288,
-        "narHash": "sha256-bdC8sFNDpT0HK74u9fUkpbf1MEzVYJ+ka7NXCdgBoaA=",
+        "lastModified": 1667395993,
+        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "6ee9ebb6b1ee695d2cacc4faa053a7b9baa76817",
+        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
        "type": "github"
      },
      "original": {
--- a/hosts/nixos-live/nixos-live.nix
+++ b/hosts/nixos-live/nixos-live.nix
@ -10,6 +10,6 @@
    tree.profiles.base
    tree.profiles.sshd
  ];
-
-  services.openssh.permitRootLogin = lib.mkForce "yes";
+  config.isoImage = { isoBaseName = "nixos-chaos"; compressImage = false; squashfsCompression = "zstd -Xcompression-level 1"; };
+  config.services.openssh.permitRootLogin = lib.mkForce "yes";
 }
--- a/hosts/nixos.nix
+++ b/hosts/nixos.nix
@ -32,6 +32,14 @@ in {
    modules = defaultModules ++ [ ./lappy/lappy.nix ./lappy/vm.nix ];
  };

+  tablet = nixosUnstableSystem {
+    specialArgs = defaultSpecialArgs;
+    system = "x86_64-linux";
+    modules = defaultModules ++ [ ./tablet/tablet.nix ./tablet/hardware.nix ];
+  };
+ 
+
+
  rescue-x86_64 = nixosUnstableSystem {
    specialArgs = defaultSpecialArgs;
    system = "x86_64-linux";
--- a/hosts/tablet/hardware.nix
+++ b/hosts/tablet/hardware.nix
@ -0,0 +1,67 @@
+{ pkgs, ... }:
+let
+  usb_data = import ./hardware/usb_data.nix { };
+  ssd_data = import ./hardware/ssd_data.nix { };
+in {
+  boot = {
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+    initrd.availableKernelModules = [
+      "xhci_pci"
+      "ahci"
+      "nvme"
+      "usb_storage"
+      "sd_mod"
+      "rtsx_pci_sdmmc"
+      "xhci_pci" "nvme" "usb_storage" "usbhid" "sd_mod" "rtsx_pci_sdmmc"
+      "uas"
+      "usbcore"
+      "usb_storage"
+      "vfat"
+      "nls_cp437"
+      "nls_iso8859_1"
+      "aesni_intel"
+      "cryptd"
+    ];
+    kernelModules = [ "kvm-intel" ];
+
+    initrd.postDeviceCommands = pkgs.lib.mkBefore ''
+      mkdir -m 0755 -p ${usb_data.mountpoint}
+
+      while !(test -b ${usb_data.encrypted_path})
+      do
+        echo "Please Plug In USB"
+        sleep 1
+      done
+
+      echo "Please Decrypt USB"
+
+      cryptsetup luksOpen ${usb_data.encrypted_path} ${usb_data.mapper_name}
+
+      mount -n -t ${usb_data.unencrypted_fs_type} -o ro ${usb_data.mapper_path} ${usb_data.mountpoint}
+    '';
+
+    initrd.luks.devices = {
+      "${ssd_data.root_mapper_name}" = {
+        device = "${ssd_data.encrypted_root_path}";
+        keyFile = "${usb_data.lappy_encryption_key_path}";
+        preLVM = false;
+        allowDiscards = true;
+      };
+    };
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "${ssd_data.decrypted_root_path}";
+      fsType = "${ssd_data.unencrypted_root_fs_type}";
+    };
+    "/boot" = {
+      device = "${ssd_data.boot_path}";
+      fsType = "${ssd_data.boot_fs_type}";
+    };
+  };
+
+}
--- a/hosts/tablet/hardware/ssd_data.nix
+++ b/hosts/tablet/hardware/ssd_data.nix
@ -0,0 +1,24 @@
+{ }: rec {
+  # Mountpoints
+  root_mountpoint = "/";
+  boot_mountpoint = "/boot";
+
+  # Partition Labels
+  boot_label = "nixboot";
+  unencrypted_root_label = "nixos";
+  encrypted_root_partlabel = "nixos_encrypted";
+
+  # Partition Filesystems
+  unencrypted_root_fs_type = "ext4";
+  boot_fs_type = "vfat";
+
+  # Mapper Name
+  root_mapper_name = "cryptroot";
+
+  # FS Paths
+  encrypted_root_path = "/dev/disk/by-partlabel/${encrypted_root_partlabel}";
+  decrypted_root_path = "/dev/mapper/${root_mapper_name}";
+
+  boot_path = "/dev/disk/by-label/${boot_label}";
+
+}
--- a/hosts/tablet/hardware/usb_data.nix
+++ b/hosts/tablet/hardware/usb_data.nix
@ -0,0 +1,28 @@
+{ ... }: rec {
+  # Mountpoints
+  mountpoint = "/usb";
+
+  # Partition Labels
+  encrypted_partlabel = "usb";
+  unencrypted_label = "usb_unencrypted";
+
+  # Partition Filesystems
+  unencrypted_fs_type = "ext4";
+
+  # Mapper Information
+  mapper_name = "usb_unencrypted";
+
+  # FS Paths
+  encrypted_path = "/dev/disk/by-partlabel/${encrypted_partlabel}";
+  unencrypted_path = "/dev/disk/by-label/${unencrypted_label}";
+  mapper_path = "/dev/mapper/${mapper_name}";
+
+  # Paths to some important files
+  lappy_encryption_key_path = "${mountpoint}/encryption-keys/lappy.key";
+
+  chaos_age_privkey_path = "${mountpoint}/age-keys/chaoskey.priv";
+  chaos_age_pubkey_path = "${mountpoint}/age-keys/chaoskey.pub";
+
+  ssh_priv_path = "${mountpoint}/ssh-keys/chaos.priv";
+  ssh_pub_path = "${mountpoint}/ssh-keys/chaos.pub";
+}
--- a/hosts/tablet/profiles/harry-vpn.nix
+++ b/hosts/tablet/profiles/harry-vpn.nix
@ -0,0 +1,19 @@
+{ pkgs, ... }: {
+  environment.systemPackages = with pkgs; [ wireguard-tools ];
+  networking.wg-quick.interfaces = {
+    wg-harry-vpn = {
+      autostart = false;
+      address = [ "185.186.9.71/26" "2a0b:6b84:2022:6::1/64" ];
+      dns = [ "8.8.8.8" ];
+      mtu = 1280;
+      privateKeyFile = "/secrets/harry_vpn_wg_priv";
+
+      peers = [{
+        publicKey = "7B6KSFqTHM7A7Nv24GIeUhDDh2XnlT7UqG5U+Si+zmc=";
+        allowedIPs = [ "0.0.0.0/0" "::/0" ];
+        endpoint = "185.186.9.1:8081";
+        persistentKeepalive = 25;
+      }];
+    };
+  };
+}
--- a/hosts/tablet/profiles/macos-vm.nix
+++ b/hosts/tablet/profiles/macos-vm.nix
@ -0,0 +1,15 @@
+{ pkgs, ... }: {
+  virtualisation.libvirtd.enable = true;
+  programs.dconf.enable = true;
+  environment.systemPackages = with pkgs; [
+    virt-manager
+    p7zip
+    #umlutilities
+    qemu
+    gnumake
+    libguestfs
+    python3
+  ];
+  users.users.chaos.extraGroups = [ "libvirtd" "kvm" ];
+
+}
--- a/hosts/tablet/profiles/mpd.nix
+++ b/hosts/tablet/profiles/mpd.nix
@ -0,0 +1,32 @@
+{ pkgs, tree, ... }: {
+  imports = with tree; [
+    ./mpd-music-sync.nix
+    profiles.sound.pulseaudio.pulse-recv-native-localhost
+  ];
+
+  environment.systemPackages = with pkgs; [ mpc_cli ];
+
+  systemd.tmpfiles.rules = [
+    "d /var/lib/mpd 0755 mpd mpd -"
+    "d /var/lib/mpd/data 0755 mpd mpd -"
+    "d /var/lib/mpd/playlists 0755 mpd mpd -"
+  ];
+
+  services.mpd = {
+    enable = true;
+    dataDir = "/var/lib/mpd/data";
+    playlistDirectory = "/var/lib/mpd/playlists";
+    musicDirectory = "/music";
+    extraConfig = ''
+      host_permissions "127.0.0.1 read,add,control,admin"
+      audio_output {
+        type "pulse"
+        name "Pulseaudio"
+        server "127.0.0.1"
+      }
+    '';
+  };
+
+  systemd.services.mpd.serviceConfig.StateDirectory =
+    [ "/music" "/var/lib/mpd" ];
+}
--- a/hosts/tablet/profiles/usb-automount.nix
+++ b/hosts/tablet/profiles/usb-automount.nix
@ -0,0 +1,40 @@
+{ lib, pkgs, ... }:
+let
+  usb_data = import ../hardware/usb_data.nix { };
+  mapper_name = "usb_unencrypted_afterboot";
+  mapper_path = "/dev/mapper/${mapper_name}";
+  mount_usb = pkgs.writeShellScriptBin "mount_usb" ''
+    umount ${usb_data.mountpoint} || true
+    cryptsetup close ${mapper_name} || true
+
+    cat /secrets/usb_encryption_passphrase | cryptsetup luksOpen ${usb_data.encrypted_path} ${mapper_name} -
+    mount ${mapper_path} -o rw ${usb_data.mountpoint}
+  '';
+  unmount_usb = pkgs.writeShellScriptBin "unmount_usb" ''
+    umount -flR ${usb_data.mountpoint} || true
+    cryptsetup close ${mapper_name} || true
+  '';
+in {
+  environment.systemPackages = [ mount_usb unmount_usb ];
+
+  systemd.tmpfiles.rules = [ "d ${usb_data.mountpoint} - chaos root" ];
+
+  systemd.services.usb-mount = {
+    path = [ pkgs.util-linux pkgs.cryptsetup ];
+    script = ''
+      ${mount_usb}/bin/mount_usb
+    '';
+  };
+
+  systemd.services.usb-unmount = {
+    path = [ pkgs.util-linux pkgs.cryptsetup ];
+    script = ''
+      ${unmount_usb}/bin/unmount_usb
+    '';
+  };
+
+  services.udev.extraRules = ''
+    ACTION=="add", ENV{PARTNAME}=="${usb_data.encrypted_partlabel}", ENV{SYSTEMD_WANTS}="usb-mount.service", ENV{UDISKS_PRESENTATION_HIDE}="1"
+    ACTION=="remove", ENV{PARTNAME}=="${usb_data.encrypted_partlabel}", ENV{SYSTEMD_WANTS}="usb-unmount.service"
+  '';
+}
--- a/hosts/tablet/tablet.nix
+++ b/hosts/tablet/tablet.nix
@ -0,0 +1,158 @@
+{ tree, config, pkgs, lib, ... }:
+let usb_data = import ./hardware/usb_data.nix { };
+in {
+  imports = with tree; [
+    users.root
+    users.chaos
+    profiles.tailscale
+    #profiles.dnscrypt
+    #profiles.printing
+    profiles.sshd
+
+    hosts.lappy.profiles.usb-automount
+    hosts.lappy.profiles.harry-vpn
+
+    # required for dualsense controller
+    profiles.kernels.latest
+
+    profiles.laptop
+
+    # Bluetooth
+    #profiles.connectivity.bluetooth
+
+    profiles.connectivity.network_manager
+    profiles.connectivity.ios
+
+    profiles.sound.pipewire
+
+    profiles.gui.base
+    profiles.gui.environments.gnome
+
+    profiles.gaming.steam
+
+    # for sci-hub and whenever websites break
+    profiles.tor
+
+    # For cross compiling and deploying to raspberry
+    profiles.cross.arm64
+
+    profiles.force_dns
+    #extras.shenanigans-hotspot
+  ];
+
+  services.mullvad-vpn.enable = true;
+
+  home-manager.users.root = {
+    imports = with tree; [ home.base ];
+    home.stateVersion = "22.05";
+  };
+  home-manager.users.chaos = {
+    programs.ssh.matchBlocks."*".identityFile = "${usb_data.ssh_priv_path}";
+    programs.git.extraConfig = {
+      gpg.format = "ssh";
+      commit.gpgsign = "true";
+      tag.gpgsign = "true";
+      user = { signingKey = "${usb_data.ssh_priv_path}"; };
+    };
+    imports = with tree; [
+      home.base
+      home.dev.all
+      #home.reversing
+
+      home.gui.base
+      home.gui.environments.gnome
+
+      #home.gaming.emulators.ds
+      #home.gaming.games.minecraft
+      #home.gaming.games.osu
+      #home.gaming.platforms.steam
+
+      #home.bluetooth
+      #home.network_manager
+
+      home.apps.vivaldi
+      home.apps.telegram
+      home.apps.quassel
+      home.apps.mpv
+      home.apps.strawberry
+      home.apps.file-roller
+      home.apps.nautilus
+      home.apps.nicotine-plus
+      home.apps.musicutil
+      home.apps.pavucontrol
+      home.apps.mullvad
+      home.apps.aria2
+      home.apps.rclone
+      home.apps.restic
+
+      home.programming.editors.vscode
+      home.programming.languages.go
+      home.programming.languages.nix
+    ];
+    home.stateVersion = "22.05";
+  };
+
+  hardware.opengl.extraPackages = with pkgs; [
+    vaapiIntel
+    vaapiVdpau
+    libvdpau-va-gl
+    intel-media-driver
+  ];
+
+  #services.getty.extraArgs = [ "--skip-login" "--login-options" "chaos" ];
+
+  networking.firewall.enable = true;
+  networking.firewall.allowPing = true;
+
+  # Allow Soulseek
+  networking.firewall.allowedTCPPorts = [ 8080 2235 ];
+  networking.firewall.allowedTCPPortRanges = [
+    # Allow aria2 to work
+    {
+      from = 6881;
+      to = 6999;
+    }
+    {
+      from = 50101;
+      to = 50109;
+    }
+  ];
+  networking.firewall.allowedUDPPortRanges = [
+    # Allow aria2 to work
+    {
+      from = 6881;
+      to = 6999;
+    }
+    {
+      from = 50101;
+      to = 50109;
+    }
+  ];
+
+  networking.enableIPv6 = true;
+  systemd.services.NetworkManager-wait-online.enable = false;
+
+  # let vscode, vivaldi, etc work.
+  security.unprivilegedUsernsClone = true;
+
+  nix.settings.auto-optimise-store = true;
+  nix.gc = {
+    automatic = true;
+    dates = "daily";
+    options = "--delete-older-than 30d";
+  };
+
+  nix.extraOptions = ''
+    keep-outputs = true
+    keep-derivations = true
+    builders-use-substitutes = true
+  '';
+
+  networking.hostName = "tablet";
+  time.timeZone = "Europe/London";
+
+  services.fstrim.enable = true;
+
+  system.stateVersion = "21.11";
+}
+
--- a/hosts/tablet/vm.nix
+++ b/hosts/tablet/vm.nix
@ -0,0 +1,11 @@
+{ lib, inputs, ... }: {
+  imports = [ "${inputs.nixpkgs}/nixos/modules/virtualisation/qemu-vm.nix" ];
+  users.users.root.password = "owo";
+  users.users.chaos.password = "owo";
+  home-manager.users.chaos.home.sessionVariables = {
+    WLR_RENDERER_ALLOW_SOFTWARE = "1";
+  };
+  services.getty.extraArgs = lib.mkForce [ ];
+  virtualisation.cores = 4;
+  virtualisation.qemu.options = [ "-vga" "qxl" ];
+}