From 040abc67cdb806ddf83b4391bb400b06c62cc160 Mon Sep 17 00:00:00 2001 From: Chaos Date: Thu, 10 Nov 2022 11:25:33 +0000 Subject: [PATCH] tablet --- flake.lock | 18 +-- hosts/nixos-live/nixos-live.nix | 4 +- hosts/nixos.nix | 8 ++ hosts/tablet/hardware.nix | 67 ++++++++++ hosts/tablet/hardware/ssd_data.nix | 24 ++++ hosts/tablet/hardware/usb_data.nix | 28 +++++ hosts/tablet/profiles/harry-vpn.nix | 19 +++ hosts/tablet/profiles/macos-vm.nix | 15 +++ hosts/tablet/profiles/mpd.nix | 32 +++++ hosts/tablet/profiles/usb-automount.nix | 40 ++++++ hosts/tablet/tablet.nix | 158 ++++++++++++++++++++++++ hosts/tablet/vm.nix | 11 ++ 12 files changed, 413 insertions(+), 11 deletions(-) create mode 100644 hosts/tablet/hardware.nix create mode 100644 hosts/tablet/hardware/ssd_data.nix create mode 100644 hosts/tablet/hardware/usb_data.nix create mode 100644 hosts/tablet/profiles/harry-vpn.nix create mode 100644 hosts/tablet/profiles/macos-vm.nix create mode 100644 hosts/tablet/profiles/mpd.nix create mode 100644 hosts/tablet/profiles/usb-automount.nix create mode 100644 hosts/tablet/tablet.nix create mode 100644 hosts/tablet/vm.nix diff --git a/flake.lock b/flake.lock index 3b1d0f5..9cab2c3 100644 --- a/flake.lock +++ b/flake.lock @@ -96,11 +96,11 @@ "utils": "utils_3" }, "locked": { - "lastModified": 1667410913, - "narHash": "sha256-5+S65dpXaIyMDeoPy823BzNH5HYY1wvZ6G+rzTnO8kY=", + "lastModified": 1667981810, + "narHash": "sha256-p27zd5M+OkfND46gzbGkaHlNBZsYe95M48OJuFeuuSY=", "owner": "nix-community", "repo": "home-manager", - "rev": "f520832a47dbc24d1e2c4e4b9a3dbe910777d1a2", + "rev": "6ce3493a3c5c6a8f4cfa6f5f88723272e0cfd335", "type": "github" }, "original": { 
@@ -186,11 +186,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1667231093, - "narHash": "sha256-RERXruzBEBuf0c7OfZeX1hxEKB+PTCUNxWeB6C1jd8Y=", + "lastModified": 1667901915, + "narHash": "sha256-IkSou5ox/yZ2YUhGpk8vxd2TNU2pwRlYtir5k55NaxE=", "owner": "nixos", "repo": "nixpkgs", - "rev": "d40fea9aeb8840fea0d377baa4b38e39b9582458", + "rev": "093268502280540a7f5bf1e2a6330a598ba3b7d0", "type": "github" }, "original": { @@ -259,11 +259,11 @@ }, "utils_3": { "locked": { - "lastModified": 1667077288, - "narHash": "sha256-bdC8sFNDpT0HK74u9fUkpbf1MEzVYJ+ka7NXCdgBoaA=", + "lastModified": 1667395993, + "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", "owner": "numtide", "repo": "flake-utils", - "rev": "6ee9ebb6b1ee695d2cacc4faa053a7b9baa76817", + "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", "type": "github" }, "original": { diff --git a/hosts/nixos-live/nixos-live.nix b/hosts/nixos-live/nixos-live.nix index 67401ce..4056c4a 100644 --- a/hosts/nixos-live/nixos-live.nix +++ b/hosts/nixos-live/nixos-live.nix @@ -10,6 +10,6 @@ tree.profiles.base tree.profiles.sshd ]; - - services.openssh.permitRootLogin = lib.mkForce "yes"; + config.isoImage = { isoBaseName = "nixos-chaos"; compressImage = false; squashfsCompression = "zstd -Xcompression-level 1"; }; + config.services.openssh.permitRootLogin = lib.mkForce "yes"; } diff --git a/hosts/nixos.nix b/hosts/nixos.nix index bef6c6f..2fa089b 100644 --- a/hosts/nixos.nix +++ b/hosts/nixos.nix @@ -32,6 +32,14 @@ in { modules = defaultModules ++ [ ./lappy/lappy.nix ./lappy/vm.nix ]; }; + tablet = nixosUnstableSystem { + specialArgs = defaultSpecialArgs; + system = "x86_64-linux"; + modules = defaultModules ++ [ ./tablet/tablet.nix ./tablet/hardware.nix ]; + }; + + + rescue-x86_64 = nixosUnstableSystem { specialArgs = defaultSpecialArgs; system = "x86_64-linux"; diff --git a/hosts/tablet/hardware.nix b/hosts/tablet/hardware.nix new file mode 100644 index 0000000..c606835 --- /dev/null 
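Review bot: `config.services.openssh.permitRootLogin = lib.mkForce "yes"` keeps root SSH login forced on for the live ISO, and whether that is safe depends on whether root has a password at all, which `tree.profiles.base` and `tree.profiles.sshd` are outside this diff so I cannot tell. If the image is only ever reached with a key, `lib.mkForce "prohibit-password"` preserves the convenience without exposing a password prompt on a network-attached rescue system; if a password is relied on, a comment such as `# live/rescue image: root password login on purpose, trusted networks only` records the trade-off. The line itself predates the commit; the hunk only moves it under `config.` alongside the new `isoImage` settings.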
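Review bot: The new `tablet` entry lists `./tablet/tablet.nix ./tablet/hardware.nix` but not `./tablet/vm.nix`, whereas the `lappy` entry directly above includes `./lappy/vm.nix`; since this commit's `hosts/tablet/vm.nix` sets plaintext passwords and pulls in the qemu-vm module, keeping it out of the deployed host looks deliberate, but the asymmetry invites someone to "fix" it later. A one-line comment would prevent that, e.g. `# vm.nix is for nixos-rebuild build-vm only (throwaway passwords) — never add it here`. The two extra blank lines after the closing `};` can also be dropped.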
+++ b/hosts/tablet/hardware.nix @@ -0,0 +1,67 @@ +{ pkgs, ... }: +let + usb_data = import ./hardware/usb_data.nix { }; + ssd_data = import ./hardware/ssd_data.nix { }; +in { + boot = { + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + }; + initrd.availableKernelModules = [ + "xhci_pci" + "ahci" + "nvme" + "usb_storage" + "sd_mod" + "rtsx_pci_sdmmc" + "xhci_pci" "nvme" "usb_storage" "usbhid" "sd_mod" "rtsx_pci_sdmmc" + "uas" + "usbcore" + "usb_storage" + "vfat" + "nls_cp437" + "nls_iso8859_1" + "aesni_intel" + "cryptd" + ]; + kernelModules = [ "kvm-intel" ]; + + initrd.postDeviceCommands = pkgs.lib.mkBefore '' + mkdir -m 0755 -p ${usb_data.mountpoint} + + while !(test -b ${usb_data.encrypted_path}) + do + echo "Please Plug In USB" + sleep 1 + done + + echo "Please Decrypt USB" + + cryptsetup luksOpen ${usb_data.encrypted_path} ${usb_data.mapper_name} + + mount -n -t ${usb_data.unencrypted_fs_type} -o ro ${usb_data.mapper_path} ${usb_data.mountpoint} + ''; + + initrd.luks.devices = { + "${ssd_data.root_mapper_name}" = { + device = "${ssd_data.encrypted_root_path}"; + keyFile = "${usb_data.lappy_encryption_key_path}"; + preLVM = false; + allowDiscards = true; + }; + }; + }; + + fileSystems = { + "/" = { + device = "${ssd_data.decrypted_root_path}"; + fsType = "${ssd_data.unencrypted_root_fs_type}"; + }; + "/boot" = { + device = "${ssd_data.boot_path}"; + fsType = "${ssd_data.boot_fs_type}"; + }; + }; + +} diff --git a/hosts/tablet/hardware/ssd_data.nix b/hosts/tablet/hardware/ssd_data.nix new file mode 100644 index 0000000..6bc8aa2 --- /dev/null +++ b/hosts/tablet/hardware/ssd_data.nix 
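Review bot: `initrd.postDeviceCommands` opens the stick as `${usb_data.mapper_name}` and mounts it on `${usb_data.mountpoint}` so that `initrd.luks.devices.cryptroot.keyFile` can be read, but nothing ever unmounts it or closes the mapping, so (assuming the dm device survives `switch_root`, as device-mapper devices normally do) the decrypted stick — root key file, SSH and age private keys per usb_data.nix — stays reachable at `/dev/mapper/usb_unencrypted` for the whole session and also blocks `mount_usb` in usb-automount.nix from reopening the same LUKS device under its `_afterboot` name. Tear it down once the root is unlocked, e.g. `boot.initrd.postMountCommands = "umount ${usb_data.mountpoint} || true; cryptsetup close ${usb_data.mapper_name} || true";` (or `postOpenCommands` on the `cryptroot` entry, if the pinned nixpkgs has it). `fallbackToPassword` is not set on `cryptroot`, so a stick without `lappy.key` leaves no interactive recovery path, which is worth a comment if intentional. Separately, the pasted one-line entry `"xhci_pci" "nvme" "usb_storage" "usbhid" "sd_mod" "rtsx_pci_sdmmc"` duplicates five modules already listed above it in `initrd.availableKernelModules`.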
@@ -0,0 +1,24 @@ +{ }: rec { + # Mountpoints + root_mountpoint = "/"; + boot_mountpoint = "/boot"; + + # Partition Labels + boot_label = "nixboot"; + unencrypted_root_label = "nixos"; + encrypted_root_partlabel = "nixos_encrypted"; + + # Partition Filesystems + unencrypted_root_fs_type = "ext4"; + boot_fs_type = "vfat"; + + # Mapper Name + root_mapper_name = "cryptroot"; + + # FS Paths + encrypted_root_path = "/dev/disk/by-partlabel/${encrypted_root_partlabel}"; + decrypted_root_path = "/dev/mapper/${root_mapper_name}"; + + boot_path = "/dev/disk/by-label/${boot_label}"; + +} diff --git a/hosts/tablet/hardware/usb_data.nix b/hosts/tablet/hardware/usb_data.nix new file mode 100644 index 0000000..98a5f3a --- /dev/null +++ b/hosts/tablet/hardware/usb_data.nix @@ -0,0 +1,28 @@ +{ ... }: rec { + # Mountpoints + mountpoint = "/usb"; + + # Partition Labels + encrypted_partlabel = "usb"; + unencrypted_label = "usb_unencrypted"; + + # Partition Filesystems + unencrypted_fs_type = "ext4"; + + # Mapper Information + mapper_name = "usb_unencrypted"; + + # FS Paths + encrypted_path = "/dev/disk/by-partlabel/${encrypted_partlabel}"; + unencrypted_path = "/dev/disk/by-label/${unencrypted_label}"; + mapper_path = "/dev/mapper/${mapper_name}"; + + # Paths to some important files + lappy_encryption_key_path = "${mountpoint}/encryption-keys/lappy.key"; + + chaos_age_privkey_path = "${mountpoint}/age-keys/chaoskey.priv"; + chaos_age_pubkey_path = "${mountpoint}/age-keys/chaoskey.pub"; + + ssh_priv_path = "${mountpoint}/ssh-keys/chaos.priv"; + ssh_pub_path = "${mountpoint}/ssh-keys/chaos.pub"; +} diff --git a/hosts/tablet/profiles/harry-vpn.nix b/hosts/tablet/profiles/harry-vpn.nix new file mode 100644 index 0000000..77a6c08 --- /dev/null +++ b/hosts/tablet/profiles/harry-vpn.nix 
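Review bot: `lappy_encryption_key_path = "${mountpoint}/encryption-keys/lappy.key"` is the file hardware.nix wires into the tablet's `cryptroot`, so — if lappy also unlocks with it, as the name suggests — one secret on the stick now unlocks two machines' root volumes and cannot be rotated or revoked for one without the other. A per-host file enrolled as its own LUKS key slot, `tablet_encryption_key_path = "${mountpoint}/encryption-keys/tablet.key"`, keeps them independent; if sharing is intentional, a comment saying so stops the next reader treating the `lappy` prefix as a copy-paste slip. A short header noting that this file fixes the on-stick locations of the root key and the SSH/age private keys would also flag it as security-relevant rather than plain plumbing.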
@@ -0,0 +1,19 @@ +{ pkgs, ... }: { + environment.systemPackages = with pkgs; [ wireguard-tools ]; + networking.wg-quick.interfaces = { + wg-harry-vpn = { + autostart = false; + address = [ "185.186.9.71/26" "2a0b:6b84:2022:6::1/64" ]; + dns = [ "8.8.8.8" ]; + mtu = 1280; + privateKeyFile = "/secrets/harry_vpn_wg_priv"; + + peers = [{ + publicKey = "7B6KSFqTHM7A7Nv24GIeUhDDh2XnlT7UqG5U+Si+zmc="; + allowedIPs = [ "0.0.0.0/0" "::/0" ]; + endpoint = "185.186.9.1:8081"; + persistentKeepalive = 25; + }]; + }; + }; +} diff --git a/hosts/tablet/profiles/macos-vm.nix b/hosts/tablet/profiles/macos-vm.nix new file mode 100644 index 0000000..8ce179a --- /dev/null +++ b/hosts/tablet/profiles/macos-vm.nix @@ -0,0 +1,15 @@ +{ pkgs, ... }: { + virtualisation.libvirtd.enable = true; + programs.dconf.enable = true; + environment.systemPackages = with pkgs; [ + virt-manager + p7zip + #umlutilities + qemu + gnumake + libguestfs + python3 + ]; + users.users.chaos.extraGroups = [ "libvirtd" "kvm" ]; + +} diff --git a/hosts/tablet/profiles/mpd.nix b/hosts/tablet/profiles/mpd.nix new file mode 100644 index 0000000..da7fba7 --- /dev/null +++ b/hosts/tablet/profiles/mpd.nix @@ -0,0 +1,32 @@ +{ pkgs, tree, ... }: { + imports = with tree; [ + ./mpd-music-sync.nix + profiles.sound.pulseaudio.pulse-recv-native-localhost + ]; + + environment.systemPackages = with pkgs; [ mpc_cli ]; + + systemd.tmpfiles.rules = [ + "d /var/lib/mpd 0755 mpd mpd -" + "d /var/lib/mpd/data 0755 mpd mpd -" + "d /var/lib/mpd/playlists 0755 mpd mpd -" + ]; + + services.mpd = { + enable = true; + dataDir = "/var/lib/mpd/data"; + playlistDirectory = "/var/lib/mpd/playlists"; + musicDirectory = "/music"; + extraConfig = '' + host_permissions "127.0.0.1 read,add,control,admin" + audio_output { + type "pulse" + name "Pulseaudio" + server "127.0.0.1" + } + ''; + }; + + systemd.services.mpd.serviceConfig.StateDirectory = + [ "/music" "/var/lib/mpd" ]; +} 
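Review bot: `privateKeyFile = "/secrets/harry_vpn_wg_priv"` is the only secret this profile depends on, and nothing in the change creates `/secrets` or fixes its ownership and mode, so how the key reaches the host and who can read it is undocumented. Either a comment stating the contract (`# provisioned out-of-band; must be root:root 0600`) or a `systemd.tmpfiles.rules` entry such as `"z /secrets 0700 root root -"` would make the assumption checkable. With `allowedIPs = [ "0.0.0.0/0" "::/0" ]`, `dns = [ "8.8.8.8" ]` routes all name resolution to Google through the tunnel while it is up (unless `profiles.force_dns`, imported by tablet.nix but not visible here, overrides it); if that is not the intent, point `dns` at the VPN's own resolver.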
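Review bot: `users.users.chaos.extraGroups = [ "libvirtd" "kvm" ]` gives chaos passwordless access to the system libvirt socket (`qemu:///system`) under NixOS's default libvirtd.conf, which is effectively root on the host: a VM definition can attach any host block device or path. If the macOS VM does not need system-mode features, `qemu:///session` works without any group grant; otherwise keep it but record the trade-off, e.g. `# libvirtd group is root-equivalent via qemu:///system; accepted on this single-user machine`. Note the profile is not imported by tablet.nix anywhere in this diff, so it is currently inert.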
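Review bot: `systemd.services.mpd.serviceConfig.StateDirectory = [ "/music" "/var/lib/mpd" ]` will not do what it looks like: `StateDirectory=` takes names relative to `/var/lib`, and systemd refuses absolute entries at unit load (logging that the path is absolute and ignoring the assignment), so the line is a no-op and `/music` gets no special treatment. If the aim is to let a hardened mpd unit write there, `serviceConfig.ReadWritePaths = [ "/music" ]` is the matching knob, and the NixOS mpd module already manages `dataDir`, so the tmpfiles rules above may duplicate it — worth checking. `host_permissions "127.0.0.1 read,add,control,admin"` only restricts anything if `default_permissions` or a password limits other hosts; with the module's default listen address and no password, every client that reaches port 6600 has admin, so either set `services.mpd.network.listenAddress = "127.0.0.1"` or leave a comment that the host firewall is the only guard.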
diff --git a/hosts/tablet/profiles/usb-automount.nix b/hosts/tablet/profiles/usb-automount.nix new file mode 100644 index 0000000..d0d3773 --- /dev/null +++ b/hosts/tablet/profiles/usb-automount.nix @@ -0,0 +1,40 @@ +{ lib, pkgs, ... }: +let + usb_data = import ../hardware/usb_data.nix { }; + mapper_name = "usb_unencrypted_afterboot"; + mapper_path = "/dev/mapper/${mapper_name}"; + mount_usb = pkgs.writeShellScriptBin "mount_usb" '' + umount ${usb_data.mountpoint} || true + cryptsetup close ${mapper_name} || true + + cat /secrets/usb_encryption_passphrase | cryptsetup luksOpen ${usb_data.encrypted_path} ${mapper_name} - + mount ${mapper_path} -o rw ${usb_data.mountpoint} + ''; + unmount_usb = pkgs.writeShellScriptBin "unmount_usb" '' + umount -flR ${usb_data.mountpoint} || true + cryptsetup close ${mapper_name} || true + ''; +in { + environment.systemPackages = [ mount_usb unmount_usb ]; + + systemd.tmpfiles.rules = [ "d ${usb_data.mountpoint} - chaos root" ]; + + systemd.services.usb-mount = { + path = [ pkgs.util-linux pkgs.cryptsetup ]; + script = '' + ${mount_usb}/bin/mount_usb + ''; + }; + + systemd.services.usb-unmount = { + path = [ pkgs.util-linux pkgs.cryptsetup ]; + script = '' + ${unmount_usb}/bin/unmount_usb + ''; + }; + + services.udev.extraRules = '' + ACTION=="add", ENV{PARTNAME}=="${usb_data.encrypted_partlabel}", ENV{SYSTEMD_WANTS}="usb-mount.service", ENV{UDISKS_PRESENTATION_HIDE}="1" + ACTION=="remove", ENV{PARTNAME}=="${usb_data.encrypted_partlabel}", ENV{SYSTEMD_WANTS}="usb-unmount.service" + ''; +} diff --git a/hosts/tablet/tablet.nix b/hosts/tablet/tablet.nix new file mode 100644 index 0000000..bff89da --- /dev/null +++ b/hosts/tablet/tablet.nix 
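Review bot: The `ACTION=="remove"` udev rule with `ENV{SYSTEMD_WANTS}="usb-unmount.service"` will, as far as I know, never fire: systemd only honours `SYSTEMD_WANTS` on add/change events, on remove it just deactivates the device unit, so pulling the stick leaves `/usb` and the `usb_unencrypted_afterboot` mapping dangling. Binding the mount service to the device unit and doing the teardown in `ExecStop` gives the intended behaviour and lets the remove rule be deleted. Two smaller points: `mount_usb` reads the stick's passphrase from `/secrets/usb_encryption_passphrase` on the root filesystem, so the stick's contents (SSH/age keys, root key file per usb_data.nix) are protected exactly as well as root on this host — a comment acknowledging that, plus a `0600 root:root` requirement on the file, is warranted; and the scripts in `environment.systemPackages` call bare `cryptsetup`/`mount`, which are only on `PATH` for the two systemd services, so use `${pkgs.cryptsetup}/bin/cryptsetup` and `${pkgs.util-linux}/bin/{mount,umount}` inside the scripts.

```nix
  systemd.services.usb-mount = {
    path = [ pkgs.util-linux pkgs.cryptsetup ];
    # device unit for /dev/disk/by-partlabel/usb; regenerate if encrypted_partlabel changes
    bindsTo = [ "dev-disk-by\\x2dpartlabel-usb.device" ];
    after = [ "dev-disk-by\\x2dpartlabel-usb.device" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
      ExecStart = "${mount_usb}/bin/mount_usb";
      ExecStop = "${unmount_usb}/bin/unmount_usb";
    };
  };

  # … unchanged: usb-unmount service can be removed, remove-rule dropped …
  services.udev.extraRules = ''
    ACTION=="add", ENV{PARTNAME}=="${usb_data.encrypted_partlabel}", ENV{SYSTEMD_WANTS}="usb-mount.service", ENV{UDISKS_PRESENTATION_HIDE}="1"
  '';
```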
@@ -0,0 +1,158 @@ +{ tree, config, pkgs, lib, ... }: +let usb_data = import ./hardware/usb_data.nix { }; +in { + imports = with tree; [ + users.root + users.chaos + profiles.tailscale + #profiles.dnscrypt + #profiles.printing + profiles.sshd + + hosts.lappy.profiles.usb-automount + hosts.lappy.profiles.harry-vpn + + # required for dualsense controller + profiles.kernels.latest + + profiles.laptop + + # Bluetooth + #profiles.connectivity.bluetooth + + profiles.connectivity.network_manager + profiles.connectivity.ios + + profiles.sound.pipewire + + profiles.gui.base + profiles.gui.environments.gnome + + profiles.gaming.steam + + # for sci-hub and whenever websites break + profiles.tor + + # For cross compiling and deploying to raspberry + profiles.cross.arm64 + + profiles.force_dns + #extras.shenanigans-hotspot + ]; + + services.mullvad-vpn.enable = true; + + home-manager.users.root = { + imports = with tree; [ home.base ]; + home.stateVersion = "22.05"; + }; + home-manager.users.chaos = { + programs.ssh.matchBlocks."*".identityFile = "${usb_data.ssh_priv_path}"; + programs.git.extraConfig = { + gpg.format = "ssh"; + commit.gpgsign = "true"; + tag.gpgsign = "true"; + user = { signingKey = "${usb_data.ssh_priv_path}"; }; + }; + imports = with tree; [ + home.base + home.dev.all + #home.reversing + + home.gui.base + home.gui.environments.gnome + + #home.gaming.emulators.ds + #home.gaming.games.minecraft + #home.gaming.games.osu + #home.gaming.platforms.steam + + #home.bluetooth + #home.network_manager + + home.apps.vivaldi + home.apps.telegram + home.apps.quassel + home.apps.mpv + home.apps.strawberry + home.apps.file-roller + home.apps.nautilus + home.apps.nicotine-plus + home.apps.musicutil + home.apps.pavucontrol + home.apps.mullvad + home.apps.aria2 + home.apps.rclone + home.apps.restic + + home.programming.editors.vscode + home.programming.languages.go + home.programming.languages.nix + ]; + home.stateVersion = "22.05"; + }; + + hardware.opengl.extraPackages = with 
pkgs; [ + vaapiIntel + vaapiVdpau + libvdpau-va-gl + intel-media-driver + ]; + + #services.getty.extraArgs = [ "--skip-login" "--login-options" "chaos" ]; + + networking.firewall.enable = true; + networking.firewall.allowPing = true; + + # Allow Soulseek + networking.firewall.allowedTCPPorts = [ 8080 2235 ]; + networking.firewall.allowedTCPPortRanges = [ + # Allow aria2 to work + { + from = 6881; + to = 6999; + } + { + from = 50101; + to = 50109; + } + ]; + networking.firewall.allowedUDPPortRanges = [ + # Allow aria2 to work + { + from = 6881; + to = 6999; + } + { + from = 50101; + to = 50109; + } + ]; + + networking.enableIPv6 = true; + systemd.services.NetworkManager-wait-online.enable = false; + + # let vscode, vivaldi, etc work. + security.unprivilegedUsernsClone = true; + + nix.settings.auto-optimise-store = true; + nix.gc = { + automatic = true; + dates = "daily"; + options = "--delete-older-than 30d"; + }; + + nix.extraOptions = '' + keep-outputs = true + keep-derivations = true + builders-use-substitutes = true + ''; + + networking.hostName = "tablet"; + time.timeZone = "Europe/London"; + + services.fstrim.enable = true; + + system.stateVersion = "21.11"; +} + diff --git a/hosts/tablet/vm.nix b/hosts/tablet/vm.nix new file mode 100644 index 0000000..735e1d6 --- /dev/null +++ b/hosts/tablet/vm.nix @@ -0,0 +1,11 @@ +{ lib, inputs, ... }: { + imports = [ "${inputs.nixpkgs}/nixos/modules/virtualisation/qemu-vm.nix" ]; + users.users.root.password = "owo"; + users.users.chaos.password = "owo"; + home-manager.users.chaos.home.sessionVariables = { + WLR_RENDERER_ALLOW_SOFTWARE = "1"; + }; + services.getty.extraArgs = lib.mkForce [ ]; + virtualisation.cores = 4; + virtualisation.qemu.options = [ "-vga" "qxl" ]; +}
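Review bot: `hosts.lappy.profiles.usb-automount` and `hosts.lappy.profiles.harry-vpn` in the `imports` list point at lappy's copies, while this commit creates `hosts/tablet/profiles/usb-automount.nix` and `hosts/tablet/profiles/harry-vpn.nix` that nothing imports; if `tree` mirrors the directory layout (inferred from the other entries, not visible here), the tablet builds with lappy's profiles and the new files are dead, and `hosts.tablet.profiles.usb-automount` / `hosts.tablet.profiles.harry-vpn` is presumably what was meant. The new `profiles/mpd.nix` and `profiles/macos-vm.nix` are likewise imported nowhere in the diff. In the firewall block, 8080/tcp sits under `# Allow Soulseek` next to 2235; if 8080 belongs to something else (it is a common local web-UI port), a comment naming the listener helps a later audit.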
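Review bot: `users.users.root.password = "owo"` and `users.users.chaos.password = "owo"` are the clear-text `password` option, which NixOS stores in the world-readable Nix store; fine for a throwaway `build-vm` image, but the file carries no marker that it must never join the real `tablet` module list in hosts/nixos.nix (where it is currently, and correctly, absent). Add a header such as `# build-vm only: throwaway passwords and the qemu-vm module — never import from hosts/nixos.nix`. `lib.mkForce [ ]` on `services.getty.extraArgs` implies some imported profile sets it; naming which one in a comment saves the next reader a search.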