diff --git a/data/drives/encryptedDrive.nix b/data/drives/encryptedDrive.nix new file mode 100644 index 0000000..f60a48a --- /dev/null +++ b/data/drives/encryptedDrive.nix @@ -0,0 +1,25 @@ +# This works with both UEFI and BIOS based systems +rec { + # Mountpoints + mountpoint = "/"; + bootMountpoint = "/boot"; + + # Partition Labels + bootLabel = "nixboot"; + unencryptedLabel = "nixos"; + encryptedPartLabel = "nixos_encrypted"; + + # Partition Filesystems + unencryptedFSType = "ext4"; + bootFSType = "vfat"; + + # Mapper Name + mapperName = "cryptroot"; + + # FS Paths + encryptedPath = "/dev/disk/by-partlabel/${encryptedPartLabel}"; + decryptedPath = "/dev/mapper/${mapperName}"; + + # the /boot parition + bootPath = "/dev/disk/by-label/${bootLabel}"; +} diff --git a/data/encryptedUSB.nix b/data/drives/encryptedUSB.nix similarity index 100% rename from data/encryptedUSB.nix rename to data/drives/encryptedUSB.nix diff --git a/data/normalEncryptedDrive.nix b/data/serverEncryptedDrive.nix similarity index 99% rename from data/normalEncryptedDrive.nix rename to data/serverEncryptedDrive.nix index 9c7e358..da55ae1 100644 --- a/data/normalEncryptedDrive.nix +++ b/data/serverEncryptedDrive.nix @@ -20,4 +20,4 @@ rec { decryptedPath = "/dev/mapper/${mapperName}"; bootPath = "/dev/disk/by-label/${bootLabel}"; -} +} \ No newline at end of file diff --git a/data/serverIPs.nix b/data/serverIPs.nix index bc4eba7..b61c28f 100644 --- a/data/serverIPs.nix +++ b/data/serverIPs.nix @@ -7,7 +7,7 @@ rec { ipv4 = "65.21.145.62"; ipv6 = "2a01:4f9:c010:6a89::1"; }; - "hetzner-arm" = { + "vault-arm" = { ipv4 = "65.21.0.145"; ipv6 = "2a01:4f9:c012:9b6b::1"; }; diff --git a/extras/mk-enc-usb.nix b/extras/mk-enc-usb.nix index e8cce4c..6d50ca3 100644 --- a/extras/mk-enc-usb.nix +++ b/extras/mk-enc-usb.nix 
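Review bot: `unencryptedLabel = "nixos"` is easy to misread: in the new `mk-encrypted-drive` script it is the label stamped on the ext4 filesystem inside the LUKS container, so "unencrypted" here means "visible once the mapper is open", not "plaintext on disk". A comment on that line would stop the next reader from treating it as an unencrypted root, e.g. `# label of the ext4 root inside the LUKS container (only visible once cryptroot is opened)`. The last comment also has a typo and should read `# the /boot partition`.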
@@ -4,7 +4,7 @@
 e2fsprogs,
 writeShellApplication,
 }: let
- encryptedUSBData = import ../data/encryptedUSB.nix;
+ encryptedUSBData = import ../data/drives/encryptedUSB.nix;
 in (writeShellApplication {
 name = "mk-enc-usb";
 runtimeInputs = [
diff --git a/extras/mk-encrypted-drive.nix b/extras/mk-encrypted-drive.nix
new file mode 100644
index 0000000..eb46758
--- /dev/null
+++ b/extras/mk-encrypted-drive.nix
@@ -0,0 +1,85 @@
+{
+ parted,
+ cryptsetup,
+ e2fsprogs,
+ dosfstools,
+ writeShellApplication,
+}: let
+ driveData = import ../data/drives/encryptedDrive.nix;
+in (writeShellApplication {
+ name = "mk-encrypted-drive";
+ runtimeInputs = [
+ parted
+ cryptsetup
+ e2fsprogs
+ dosfstools
+ ];
+ text = ''
+ if [ -z "''${BIOS-}" ]; then
+ echo "If making a drive for bios then you will need to set BIOS env variable"
+ fi
+
+ if [ -z "''${PASSWORD_FILE-}" ]; then
+ echo "If the drive is for a encrypted server then password will need to be set with PASSWORD_FILE"
+ fi
+
+ if [ -z "''${1-}" ]; then
+ echo "Please specify a path to device as first argument"
+ exit 1
+ fi
+
+ if [ -z "''${2-}" ]; then
+ echo "Please specify a path to key file as second argument"
+ exit 1
+ fi
+
+ DRIVE_PATH=$1
+ KEY_FILE=$2
+
+ if echo "$DRIVE_PATH" | grep -q "[0-9]$"; then
+ PARTITION_SEPARATOR="p"
+ else
+ PARTITION_SEPARATOR=""
+ fi
+
+ if [ "$EUID" -ne 0 ]; then
+ echo "Please run as root"
+ exit
+ fi
+
+ echo "Creating Partitions..."
+ if [ -n "''${BIOS-}" ]; then
+ # EFI Install
+ parted "$DRIVE_PATH" -- mklabel gpt
+ parted "$DRIVE_PATH" -- mkpart ESP fat32 1MiB 512MiB
+ parted "$DRIVE_PATH" -- mkpart primary 620MiB -1MiB
+ parted "$DRIVE_PATH" -- set 1 esp on
+ parted "$DRIVE_PATH" -- name 1 "${driveData.bootLabel}"
+ parted "$DRIVE_PATH" -- name 2 "${driveData.encryptedPartLabel}"
+ else
+ parted "$DRIVE_PATH" -- mklabel gpt
+ parted "$DRIVE_PATH" -- mkpart ESP fat32 1MiB 512MiB
+ parted "$DRIVE_PATH" -- mkpart primary 620MiB -1MiB
+ parted "$DRIVE_PATH" -- set 1 boot on
+ parted "$DRIVE_PATH" -- name 1 "${driveData.bootLabel}"
+ parted "$DRIVE_PATH" -- name 2 "${driveData.encryptedPartLabel}"
+ fi
+
+ echo "Formatting boot partition"
+ mkfs.fat -n "${driveData.bootLabel}" "''${DRIVE_PATH}''${PARTITION_SEPARATOR}1"
+
+ echo "Creating Encrypted Partition"
+ cryptsetup luksFormat "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" --key-file "$KEY_FILE"
+ if [ -n "''${PASSWORD_FILE-}" ]; then
+ cryptsetup luksAddKey "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" --key-file "$KEY_FILE" < "$PASSWORD_FILE"
+ fi
+
+ echo "Opening Encrypted Partition"
+ cryptsetup open "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" "mk_encrypted_drive" --key-file "$KEY_FILE"
+
+ echo "Formatting Encrypted Root Filesystem"
+ mkfs.ext4 -L "${driveData.unencryptedLabel}" /dev/mapper/mk_encrypted_drive
+
+ echo "mount /dev/mapper/mk_encrypted_drive to install"
+ '';
+})
diff --git a/extras/mk-normal-enc-ssd.nix b/extras/mk-normal-enc-ssd.nix
deleted file mode 100644
index 0a2f082..0000000
--- a/extras/mk-normal-enc-ssd.nix
+++ /dev/null
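Review bot: The branch taken when `BIOS` is set is the one commented `# EFI Install`, and the two branches are otherwise the same GPT layout differing only in `set 1 esp on` versus `set 1 boot on` (on GPT parted's `esp` is an alias for `boot`), so the new `BIOS` switch does not produce a layout that differs from the EFI one; if BIOS booting is really intended the branch needs a layout GRUB can use (a `bios_grub` partition or a non-GPT label) and the comment and condition should at least agree. The root check still ends in a bare `exit`, which returns 0 after printing "Please run as root", so a non-root caller sees success; make it `exit 1`. The `BIOS` and `PASSWORD_FILE` hints are printed to stdout before any validation; sending them to stderr (`>&2`) keeps them out of captured output and makes the informational-versus-fatal distinction visible.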
@@ -1,64 +0,0 @@
-{
- parted,
- cryptsetup,
- e2fsprogs,
- dosfstools,
- writeShellApplication,
-}: let
- ssdData = import ../data/normalEncryptedDrive.nix;
-in (writeShellApplication {
- name = "mk-normal-enc-ssd";
- runtimeInputs = [
- parted
- cryptsetup
- e2fsprogs
- dosfstools
- ];
- text = ''
- if [ -z "''${1-}" ]; then
- echo "Please specify a path to device as first argument"
- exit 1
- fi
-
- if [ -z "''${2-}" ]; then
- echo "Please specify a path to key file as second argument"
- exit 1
- fi
-
- SSD_PATH=$1
- KEY_FILE=$2
-
- if echo "$SSD_PATH" | grep -q "[0-9]$"; then
- PARTITION_SEPARATOR="p"
- else
- PARTITION_SEPARATOR=""
- fi
-
- if [ "$EUID" -ne 0 ]; then
- echo "Please run as root"
- exit
- fi
-
- echo "Creating Partitions..."
- parted "$SSD_PATH" -- mklabel gpt
- parted "$SSD_PATH" -- mkpart ESP fat32 1MiB 512MiB
- parted "$SSD_PATH" -- mkpart primary 620MiB -1MiB
- parted "$SSD_PATH" -- set 1 esp on
- parted "$SSD_PATH" -- name 1 "${ssdData.bootLabel}"
- parted "$SSD_PATH" -- name 2 "${ssdData.encryptedPartLabel}"
-
- echo "Formatting boot partition"
- mkfs.fat -n "${ssdData.bootLabel}" "''${SSD_PATH}''${PARTITION_SEPARATOR}1"
-
- echo "Creating Encrypted Partition"
- cryptsetup luksFormat "''${SSD_PATH}''${PARTITION_SEPARATOR}2" --key-file "$KEY_FILE"
-
- echo "Opening Encrypted Partition"
- cryptsetup open "''${SSD_PATH}''${PARTITION_SEPARATOR}2" "mk_normal_enc_ssd" --key-file "$KEY_FILE"
-
- echo "Formatting Encrypted Root Filesystem"
- mkfs.ext4 -L "${ssdData.unencryptedLabel}" /dev/mapper/mk_normal_enc_ssd
-
- echo "mount /dev/mapper/mk_normal_enc_ssd to install"
- '';
-})
diff --git a/home/base/zsh.nix b/home/base/zsh.nix
index fb45700..307e949 100644
--- a/home/base/zsh.nix
+++ b/home/base/zsh.nix
@@ -3,7 +3,7 @@ pkgs, ... }: let - encryptedUSBData = import "${self}/data/encryptedUSB.nix"; + encryptedUSBData = import "${self}/data/drives/encryptedUSB.nix"; in { home.packages = with pkgs; [eza bat ripgrep vault-bin libarchive age]; programs.zsh = { diff --git a/home/dev/all/extra.nix b/home/dev/all/extra.nix index f48b440..fddc166 100644 --- a/home/dev/all/extra.nix +++ b/home/dev/all/extra.nix @@ -17,7 +17,7 @@ '') mk-enc-usb - mk-normal-enc-ssd + mk-encrypted-drive mk-raspberry-ext-drive ]; } diff --git a/home/sshUSB.nix b/home/sshUSB.nix index 5706237..6ebe5aa 100644 --- a/home/sshUSB.nix +++ b/home/sshUSB.nix @@ -1,5 +1,5 @@ {...}: let - encryptedUSBData = import ../data/encryptedUSB.nix; + encryptedUSBData = import ../data/drives/encryptedUSB.nix; in { programs.ssh.matchBlocks."*".identityFile = "${encryptedUSBData.sshPrivateKeyPath}"; programs.git.extraConfig = { diff --git a/hosts/lappy-t495/hardware.nix b/hosts/lappy-t495/hardware.nix index a773085..042cc5b 100644 --- a/hosts/lappy-t495/hardware.nix +++ b/hosts/lappy-t495/hardware.nix @@ -1,5 +1,7 @@ {tree, ...}: { - imports = with tree; [presets.nixos.normalEncryptedDrive]; + imports = with tree; [ + presets.nixos.encryptedDrive + ]; boot = { loader = { diff --git a/hosts/nixos.nix b/hosts/nixos.nix index 832478e..d33dde8 100644 --- a/hosts/nixos.nix +++ b/hosts/nixos.nix @@ -111,7 +111,7 @@ in { // { hostPath = ./vault; }; - system = "x86_64-linux"; + system = "aarch64-linux"; modules = defaultModules ++ [./vault/vault.nix]; }; diff --git a/hosts/vault/hardware.nix b/hosts/vault/hardware.nix new file mode 100644 index 0000000..2b0447b --- /dev/null +++ b/hosts/vault/hardware.nix @@ -0,0 +1,6 @@ +{...}: { + boot.loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + }; +} diff --git a/hosts/vault/secrets.nix b/hosts/vault/secrets.nix index 3c37325..ee144f7 100644 --- a/hosts/vault/secrets.nix +++ b/hosts/vault/secrets.nix 
@@ -12,6 +12,8 @@ }; requiredVaultPaths = [ + "/private-public-keys/ssh/root@vault-decrypt" + "private-public-keys/data/restic/Vault" "api-keys/data/storage/restic/Vault" @@ -22,6 +24,18 @@ manual = true; }; + # this doesn't need to be a secret and can be generated at install time + # but it makes it easier to install. + # it's stored in /nix store anyway + ssh_host_ed25519_key = { + path = "/initrd_secrets/ssh_host_ed25519_key"; + permissions = "600"; + fetchScript = '' + [ ! -d "$SYSROOT/initrd_secrets" ] && mkdir -p "$SYSROOT/initrd_secrets" + simple_get "/private-public-keys/ssh/root@vault-decrypt" .private | base64 > "$secretFile" + ''; + }; + restic_password = { fetchScript = '' simple_get "/private-public-keys/restic/Vault" .password > "$secretFile" diff --git a/hosts/vault/vault.nix b/hosts/vault/vault.nix index 38bb617..2c4c412 100644 --- a/hosts/vault/vault.nix +++ b/hosts/vault/vault.nix @@ -10,6 +10,7 @@ profiles.chaosInternalWireGuard ./secrets.nix + ./hardware.nix ] ++ (with hosts.vault.profiles; [ vault diff --git a/modules/nixos/secretsLib/lib.nix b/modules/nixos/secretsLib/lib.nix index 4d4b86d..a3e6980 100644 --- a/modules/nixos/secretsLib/lib.nix +++ b/modules/nixos/secretsLib/lib.nix 
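Review bot: The new entry `"/private-public-keys/ssh/root@vault-decrypt"` is the only item in `requiredVaultPaths` written with a leading slash; the neighbouring entries (`"private-public-keys/data/restic/Vault"`, `"api-keys/data/storage/restic/Vault"`) have none, while the `simple_get` calls in the fetch scripts below do use one. If the consumer of this list compares or prefixes paths literally, the odd spelling will either fail the check or silently not match; use the list's own convention, `"private-public-keys/ssh/root@vault-decrypt"`, and confirm against how requiredVaultPaths is evaluated.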
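Review bot: The fetch script pipes the `.private` field through `base64`, which encodes it, so `$secretFile` ends up holding a base64 text blob rather than the OpenSSH key that the initrd's sshd is handed via `/initrd_secrets/ssh_host_ed25519_key`; unless the value in Vault is stored already-encoded this should be `base64 -d` (or no transform at all) — verify against how the key was written. The comment's justification "it's stored in /nix store anyway" is not what happens for `boot.initrd.secrets` when `loader.supportsInitrdSecrets = true` (set by this commit's serverEncryptedDrive preset): the file is appended to the initrd on the unencrypted /boot partition at bootloader install, which is the real reason it offers no confidentiality against disk access, and the comment should say that instead, e.g. `# ends up in the initrd on the unencrypted /boot partition, so treat it as host identity rather than a secret`. The `[ ! -d ... ] &&` guard is redundant because `mkdir -p` is already idempotent.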
@@ -14,22 +14,22 @@ set -e -o pipefail ${optionalString cfg.debug "set -x"} - set +u - # If sysroot is set then make sure it has trailing / - if [ -n "$SYSROOT" ]; then - if ! (echo "$SYSROOT" | grep -q "/$"); then - SYSROOT="$SYSROOT/" - fi + set +u + # If sysroot is set then make sure it has trailing / + if [ -n "$SYSROOT" ]; then + if ! (echo "$SYSROOT" | grep -q "/$"); then + SYSROOT="$SYSROOT/" fi - # If sysroot is empty then make sure it is empty so it doesn't error - [ -z "$SYSROOT" ] && SYSROOT= - set -u + fi + # If sysroot is empty then make sure it is empty so it doesn't error + [ -z "$SYSROOT" ] && SYSROOT= + set -u - if [ -n "$SYSROOT" ]; then - echo "Using sysroot: $SYSROOT" - fi + if [ -n "$SYSROOT" ]; then + echo "Using sysroot: $SYSROOT" + fi - ${optionalString cfg.createSecretsDir '' + ${optionalString cfg.createSecretsDir '' if [ ! -d "$SYSROOT${cfg.secretsDir}" ]; then mkdir -p "$SYSROOT${cfg.secretsDir}" chown "${userOrMappedID cfg.secretsDirUser}:${groupOrMappedID cfg.secretsDirGroup}" "$SYSROOT${cfg.secretsDir}" @@ -141,7 +141,7 @@ secretPermissions = secret.permissions; in '' if [[ ! -f "$SYSROOT${secretPath}" ]]; then - echo "Manual Secret ${secretPath} Doesn't Exist" + echo "Manual Secret ${secretPath} Doesn't Exist; Please add before continuing" exit 1 fi diff --git a/outputs.nix b/outputs.nix index c5a47ea..093327a 100644 --- a/outputs.nix +++ b/outputs.nix @@ -30,7 +30,7 @@ in formatter = pkgs.alejandra; devShell = pkgs.mkShell { - VAULT_API_ADDR = "https://vault.owo.monster"; + VAULT_ADDR = "https://vault.owo.monster"; packages = (with pkgs; [ git 
@@ -41,14 +41,14 @@ in ]) ++ (with self.packages."${system}"; [ mk-enc-usb - mk-normal-enc-ssd + mk-encrypted-drive mk-raspberry-ext-drive ]); }; packages = { inherit (pkgs) comic-code comic-sans; - inherit (pkgs) mk-enc-usb mk-normal-enc-ssd mk-raspberry-ext-drive; + inherit (pkgs) mk-enc-usb mk-encrypted-drive mk-raspberry-ext-drive; inherit (pkgs) gotosocial; inherit (pkgs) cockroachdb; inherit (pkgs) piped-backend piped-frontend piped-proxy; diff --git a/overlay/default.nix b/overlay/default.nix index a6e573d..2699960 100644 --- a/overlay/default.nix +++ b/overlay/default.nix @@ -5,7 +5,7 @@ final: prev: rec { gobar = final.callPackage ./gobar {}; mk-enc-usb = final.callPackage ../extras/mk-enc-usb.nix {}; - mk-normal-enc-ssd = final.callPackage ../extras/mk-normal-enc-ssd.nix {}; + mk-encrypted-drive = final.callPackage ../extras/mk-encrypted-drive.nix {}; mk-raspberry-ext-drive = final.callPackage ../extras/mk-raspberry-ext-drive.nix {}; kitty-terminfo = final.runCommand "kitty-terminfo" {} '' diff --git a/presets/nixos/normalEncryptedDrive.nix b/presets/nixos/encryptedDrive.nix similarity index 96% rename from presets/nixos/normalEncryptedDrive.nix rename to presets/nixos/encryptedDrive.nix index 943403b..19f654b 100644 --- a/presets/nixos/normalEncryptedDrive.nix +++ b/presets/nixos/encryptedDrive.nix @@ -8,7 +8,7 @@ inherit (lib.modules) mkBefore; encryptedUSB = import "${self}/data/encryptedUSB.nix"; - driveData = import "${self}/data/normalEncryptedDrive.nix"; + driveData = import "${self}/data/drives/normalEncryptedDrive.nix"; in { boot = { initrd.availableKernelModules = [ diff --git a/presets/nixos/serverEncryptedDrive.nix b/presets/nixos/serverEncryptedDrive.nix index d0a52b8..a65b972 100644 --- a/presets/nixos/serverEncryptedDrive.nix +++ b/presets/nixos/serverEncryptedDrive.nix 
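Review bot: The new import `"${self}/data/drives/normalEncryptedDrive.nix"` points at a file that does not exist after this commit: the top of the diff renames `data/normalEncryptedDrive.nix` to `data/serverEncryptedDrive.nix`, not into `data/drives/`, and the unchanged context line `encryptedUSB = import "${self}/data/encryptedUSB.nix";` still uses the old location of a file this commit moves to `data/drives/encryptedUSB.nix`. Since `hosts/lappy-t495/hardware.nix` now imports `presets.nixos.encryptedDrive`, evaluating that host will fail on the missing path. Fix both imports, e.g. `encryptedUSB = import "${self}/data/drives/encryptedUSB.nix";` and `driveData = import "${self}/data/serverEncryptedDrive.nix";` — or the new `data/drives/encryptedDrive.nix`, but only if its labels and mapper name match what the laptop was actually partitioned with, which the diff does not show.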
@@ -1,38 +1,60 @@ { + self, config, tree, + lib, + pkgs, ... -}: { +}: let + inherit (lib.modules) mkForce; + inherit (lib.lists) optional; + + system = pkgs.system; + + driveData = import "${self}/data/drives/encryptedDrive.nix"; +in { imports = with tree; [ profiles.sshd ]; boot = { - loader.systemd-boot.enable = false; + loader.supportsInitrdSecrets = true; + initrd = { + availableKernelModules = + [ + "nvme" + "ahci" + "ehci_pci" + "xhci_pci" + "sd_mod" + "sr_mod" + "usbhid" + "virtio_pci" + "virtio_net" + "dm_crypt" + "dm_mod" + "cryptd" + ] + ++ (lib.optionals (system == "x86_64_linux") ["aesni_intel"]); - loader.grub = { - enable = true; - efiSupport = false; - enableCryptodisk = true; - device = "/dev/sda"; + secrets = { + # This will need to be generated before install or installed with secrets-init + # To keep it same across reinstalls add the ssh key and pubkey to secrets module + "/ssh_host_ed25519_key" = mkForce "/initrd_secrets/ssh_host_ed25519_key"; + }; + + luks = { + forceLuksSupportInInitrd = true; + devices = { + "${driveData.mapperName}" = { + device = "${driveData.encryptedPath}"; + preLVM = false; + allowDiscards = true; + }; + }; + }; }; - initrd.availableKernelModules = [ - "nvme" - "ahci" - "xhci_pci" - "virtio_pci" - "sd_mod" - "sr_mod" # For Storage - "virtio_net" # For Hetzner VMs Networking - - # For Cryptography - "aesni_intel" - "cryptd" - ]; - - loader.supportsInitrdSecrets = true; - initrd.luks.forceLuksSupportInInitrd = true; initrd.network = { enable = true; ssh = { 
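Review bot: `lib.optionals (system == "x86_64_linux") ["aesni_intel"]` compares against a string with an underscore, but Nix system strings use a hyphen (`"x86_64-linux"`, as the `hosts/nixos.nix` hunk in this same diff shows), so the condition is always false and `aesni_intel` — which the removed list loaded unconditionally — is never added to the initrd on x86 hosts; change it to `++ (lib.optionals (system == "x86_64-linux") ["aesni_intel"]);`. `inherit (lib.lists) optional;` is bound in the new `let` but never used (the code calls `lib.optionals`), so drop it or use the inherited name. The `boot = {` attrset opened in this hunk continues into the next one.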
@@ -45,28 +67,16 @@ echo 'cryptsetup-askpass' >> /root/.profile ''; }; - - initrd.secrets = { - "/ssh_host_ed25519_key" = "/ssh_host_ed25519_key"; - }; - - initrd.luks.devices = { - "nixos_unencrypted" = { - device = "/dev/sda3"; - preLVM = false; - allowDiscards = true; - }; - }; }; fileSystems = { "/" = { - device = "/dev/mapper/nixos_unencrypted"; - fsType = "ext4"; + device = "${driveData.decryptedPath}"; + fsType = "${driveData.unencryptedFSType}"; }; "/boot" = { - device = "/dev/sda2"; - fsType = "vfat"; + device = "${driveData.bootPath}"; + fsType = "${driveData.bootFSType}"; }; }; } diff --git a/presets/nixos/serverHetzner.nix b/presets/nixos/serverHetzner.nix index ea35751..fac9d81 100644 --- a/presets/nixos/serverHetzner.nix +++ b/presets/nixos/serverHetzner.nix @@ -2,15 +2,22 @@ self, config, modulesPath, + pkgs, lib, ... }: let + inherit (lib.lists) optionals; inherit (lib.modules) mkForce; + system = pkgs.system; + container-ips = import "${self}/data/serverIPs.nix"; hostName = config.networking.hostName; serverIPs = container-ips.${hostName}; + + gateway = "172.31.1.1"; + netmask = "255.255.255.255"; in { imports = [ (modulesPath + "/profiles/qemu-guest.nix") @@ -25,6 +32,13 @@ in { dhcpcd.enable = false; }; + boot.kernelParams = + [ + "console=tty0" + "ip=${serverIPs.ipv4}::${gateway}:${netmask}:${hostName}:eth0:any" + ] + ++ (lib.optionals (system == "aarch64-linux") ["console=ttyAMA0,115200" "console=ttyS0,115200"]); + systemd.network = { enable = true; networks."eth0" = { diff --git a/scripts/nixFlakes.sh b/scripts/nixFlakes.sh index 2e59f47..6527455 100755 --- a/scripts/nixFlakes.sh +++ b/scripts/nixFlakes.sh @@ -1,3 +1,4 @@ -#!/usr/bin/env bash +#!/usr/bin/env nix-shell +#!nix-shell -i bash -p nixFlakes -nix-shell -p nixFlakes --run "nix --experimental-features \"nix-command flakes\" $@" \ No newline at end of file +nix --experimental-features "nix-command flakes" "$@" \ No newline at end of file
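Review bot: `inherit (lib.lists) optionals;` is added to the `let` block in the first serverHetzner hunk, but the `boot.kernelParams` line in the second hunk calls `lib.optionals` instead, leaving the inherit unused; write `++ (optionals (system == "aarch64-linux") ["console=ttyAMA0,115200" "console=ttyS0,115200"]);` or remove the inherit. The `ip=` parameter hard-codes the interface name `eth0`, which matches the `systemd.network.networks."eth0"` context below, but a short comment would help the next reader, e.g. `# static initrd networking so the remote LUKS unlock over SSH is reachable before the root filesystem exists; Hetzner Cloud uses a /32 with an on-link gateway`.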
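Review bot: The new `#!nix-shell -i bash -p nixFlakes` shebang resolves `nixFlakes` from whatever `<nixpkgs>` is on the caller's `NIX_PATH`, so the nix binary this wrapper runs is not pinned and can differ from machine to machine and from the flake's own nixpkgs input. If a fixed version is wanted, pin it in the shebang, e.g. `#!nix-shell -I nixpkgs=<pinned-nixpkgs-ref> -i bash -p nixFlakes` (placeholder ref), or document that the ambient channel is intentional. The file still ends without a trailing newline.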