chaos/nixfiles
1
0
Fork 0
Code Issues 2 Releases Activity

start work on arm for vault

Browse source
This commit is contained in:
chaos 2023-09-20 15:46:20 +01:00
parent ebca60021d
commit 1223d1b98b
No known key found for this signature in database
22 changed files with 226 additions and 132 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
data/drives/encryptedDrive.nix Normal file
View file

@ -0,0 +1,25 @@
# This works with both UEFI and BIOS based systems
rec {
# Mountpoints
mountpoint = "/";
bootMountpoint = "/boot";
# Partition Labels
bootLabel = "nixboot";
unencryptedLabel = "nixos";
encryptedPartLabel = "nixos_encrypted";
# Partition Filesystems
unencryptedFSType = "ext4";
bootFSType = "vfat";
# Mapper Name
mapperName = "cryptroot";
# FS Paths
encryptedPath = "/dev/disk/by-partlabel/${encryptedPartLabel}";
decryptedPath = "/dev/mapper/${mapperName}";
# the /boot parition
bootPath = "/dev/disk/by-label/${bootLabel}";
}

0
data/encryptedUSB.nix → data/drives/encryptedUSB.nix
View file

2
data/normalEncryptedDrive.nix → data/serverEncryptedDrive.nix
View file

@ -20,4 +20,4 @@ rec {
decryptedPath = "/dev/mapper/${mapperName}"; decryptedPath = "/dev/mapper/${mapperName}";
bootPath = "/dev/disk/by-label/${bootLabel}"; bootPath = "/dev/disk/by-label/${bootLabel}";
} }

2
data/serverIPs.nix
View file

@ -7,7 +7,7 @@ rec {
ipv4 = "65.21.145.62"; ipv4 = "65.21.145.62";
ipv6 = "2a01:4f9:c010:6a89::1"; ipv6 = "2a01:4f9:c010:6a89::1";
}; };
"hetzner-arm" = { "vault-arm" = {
ipv4 = "65.21.0.145"; ipv4 = "65.21.0.145";
ipv6 = "2a01:4f9:c012:9b6b::1"; ipv6 = "2a01:4f9:c012:9b6b::1";
}; };

2
extras/mk-enc-usb.nix
View file

@ -4,7 +4,7 @@
e2fsprogs, e2fsprogs,
writeShellApplication, writeShellApplication,
}: let }: let
encryptedUSBData = import ../data/encryptedUSB.nix; encryptedUSBData = import ../data/drives/encryptedUSB.nix;
in (writeShellApplication { in (writeShellApplication {
name = "mk-enc-usb"; name = "mk-enc-usb";
runtimeInputs = [ runtimeInputs = [

85
extras/mk-encrypted-drive.nix Normal file
View file

@ -0,0 +1,85 @@
{
parted,
cryptsetup,
e2fsprogs,
dosfstools,
writeShellApplication,
}: let
driveData = import ../data/drives/encryptedDrive.nix;
in (writeShellApplication {
name = "mk-encrypted-drive";
runtimeInputs = [
parted
cryptsetup
e2fsprogs
dosfstools
];
text = ''
if [ -z "''${BIOS-}" ]; then
echo "If making a drive for bios then you will need to set BIOS env variable"
fi
if [ -z "''${PASSWORD_FILE-}" ]; then
echo "If the drive is for a encrypted server then password will need to be set with PASSWORD_FILE"
fi
if [ -z "''${1-}" ]; then
echo "Please specify a path to device as first argument"
exit 1
fi
if [ -z "''${2-}" ]; then
echo "Please specify a path to key file as second argument"
exit 1
fi
DRIVE_PATH=$1
KEY_FILE=$2
if echo "$DRIVE_PATH" | grep -q "[0-9]$"; then
PARTITION_SEPARATOR="p"
else
PARTITION_SEPARATOR=""
fi
if [ "$EUID" -ne 0 ]; then
echo "Please run as root"
exit
fi
echo "Creating Partitions..."
if [ -n "''${BIOS-}" ]; then
# EFI Install
parted "$DRIVE_PATH" -- mklabel gpt
parted "$DRIVE_PATH" -- mkpart ESP fat32 1MiB 512MiB
parted "$DRIVE_PATH" -- mkpart primary 620MiB -1MiB
parted "$DRIVE_PATH" -- set 1 esp on
parted "$DRIVE_PATH" -- name 1 "${driveData.bootLabel}"
parted "$DRIVE_PATH" -- name 2 "${driveData.encryptedPartLabel}"
else
parted "$DRIVE_PATH" -- mklabel gpt
parted "$DRIVE_PATH" -- mkpart ESP fat32 1MiB 512MiB
parted "$DRIVE_PATH" -- mkpart primary 620MiB -1MiB
parted "$DRIVE_PATH" -- set 1 boot on
parted "$DRIVE_PATH" -- name 1 "${driveData.bootLabel}"
parted "$DRIVE_PATH" -- name 2 "${driveData.encryptedPartLabel}"
fi
echo "Formatting boot partition"
mkfs.fat -n "${driveData.bootLabel}" "''${DRIVE_PATH}''${PARTITION_SEPARATOR}1"
echo "Creating Encrypted Partition"
cryptsetup luksFormat "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" --key-file "$KEY_FILE"
if [ -n "''${PASSWORD_FILE-}" ]; then
cryptsetup luksAddKey "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" --key-file "$KEY_FILE" < "$PASSWORD_FILE"
fi
echo "Opening Encrypted Partition"
cryptsetup open "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" "mk_encrypted_drive" --key-file "$KEY_FILE"
echo "Formatting Encrypted Root Filesystem"
mkfs.ext4 -L "${driveData.unencryptedLabel}" /dev/mapper/mk_encrypted_drive
echo "mount /dev/mapper/mk_encrypted_drive to install"
'';
})

64
extras/mk-normal-enc-ssd.nix
View file

@ -1,64 +0,0 @@
{
parted,
cryptsetup,
e2fsprogs,
dosfstools,
writeShellApplication,
}: let
ssdData = import ../data/normalEncryptedDrive.nix;
in (writeShellApplication {
name = "mk-normal-enc-ssd";
runtimeInputs = [
parted
cryptsetup
e2fsprogs
dosfstools
];
text = ''
if [ -z "''${1-}" ]; then
echo "Please specify a path to device as first argument"
exit 1
fi
if [ -z "''${2-}" ]; then
echo "Please specify a path to key file as second argument"
exit 1
fi
SSD_PATH=$1
KEY_FILE=$2
if echo "$SSD_PATH" | grep -q "[0-9]$"; then
PARTITION_SEPARATOR="p"
else
PARTITION_SEPARATOR=""
fi
if [ "$EUID" -ne 0 ]; then
echo "Please run as root"
exit
fi
echo "Creating Partitions..."
parted "$SSD_PATH" -- mklabel gpt
parted "$SSD_PATH" -- mkpart ESP fat32 1MiB 512MiB
parted "$SSD_PATH" -- mkpart primary 620MiB -1MiB
parted "$SSD_PATH" -- set 1 esp on
parted "$SSD_PATH" -- name 1 "${ssdData.bootLabel}"
parted "$SSD_PATH" -- name 2 "${ssdData.encryptedPartLabel}"
echo "Formatting boot partition"
mkfs.fat -n "${ssdData.bootLabel}" "''${SSD_PATH}''${PARTITION_SEPARATOR}1"
echo "Creating Encrypted Partition"
cryptsetup luksFormat "''${SSD_PATH}''${PARTITION_SEPARATOR}2" --key-file "$KEY_FILE"
echo "Opening Encrypted Partition"
cryptsetup open "''${SSD_PATH}''${PARTITION_SEPARATOR}2" "mk_normal_enc_ssd" --key-file "$KEY_FILE"
echo "Formatting Encrypted Root Filesystem"
mkfs.ext4 -L "${ssdData.unencryptedLabel}" /dev/mapper/mk_normal_enc_ssd
echo "mount /dev/mapper/mk_normal_enc_ssd to install"
'';
})

2
home/base/zsh.nix
View file

@ -3,7 +3,7 @@
pkgs, pkgs,
... ...
}: let }: let
encryptedUSBData = import "${self}/data/encryptedUSB.nix"; encryptedUSBData = import "${self}/data/drives/encryptedUSB.nix";
in { in {
home.packages = with pkgs; [eza bat ripgrep vault-bin libarchive age]; home.packages = with pkgs; [eza bat ripgrep vault-bin libarchive age];
programs.zsh = { programs.zsh = {

2
home/dev/all/extra.nix
View file

@ -17,7 +17,7 @@
'') '')
mk-enc-usb mk-enc-usb
mk-normal-enc-ssd mk-encrypted-drive
mk-raspberry-ext-drive mk-raspberry-ext-drive
]; ];
} }

2
home/sshUSB.nix
View file

@ -1,5 +1,5 @@
{...}: let {...}: let
encryptedUSBData = import ../data/encryptedUSB.nix; encryptedUSBData = import ../data/drives/encryptedUSB.nix;
in { in {
programs.ssh.matchBlocks."*".identityFile = "${encryptedUSBData.sshPrivateKeyPath}"; programs.ssh.matchBlocks."*".identityFile = "${encryptedUSBData.sshPrivateKeyPath}";
programs.git.extraConfig = { programs.git.extraConfig = {

4
hosts/lappy-t495/hardware.nix
View file

@ -1,5 +1,7 @@
{tree, ...}: { {tree, ...}: {
imports = with tree; [presets.nixos.normalEncryptedDrive]; imports = with tree; [
presets.nixos.encryptedDrive
];
boot = { boot = {
loader = { loader = {

2
hosts/nixos.nix
View file

@ -111,7 +111,7 @@ in {
// { // {
hostPath = ./vault; hostPath = ./vault;
}; };
system = "x86_64-linux"; system = "aarch64-linux";
modules = defaultModules ++ [./vault/vault.nix]; modules = defaultModules ++ [./vault/vault.nix];
}; };

6
hosts/vault/hardware.nix Normal file
View file

@ -0,0 +1,6 @@
{...}: {
boot.loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
}

14
hosts/vault/secrets.nix
View file

@ -12,6 +12,8 @@
}; };
requiredVaultPaths = [ requiredVaultPaths = [
"/private-public-keys/ssh/root@vault-decrypt"
"private-public-keys/data/restic/Vault" "private-public-keys/data/restic/Vault"
"api-keys/data/storage/restic/Vault" "api-keys/data/storage/restic/Vault"
@ -22,6 +24,18 @@
manual = true; manual = true;
}; };
# this doesn't need to be a secret and can be generated at install time
# but it makes it easier to install.
# it's stored in /nix store anyway
ssh_host_ed25519_key = {
path = "/initrd_secrets/ssh_host_ed25519_key";
permissions = "600";
fetchScript = ''
[ ! -d "$SYSROOT/initrd_secrets" ] && mkdir -p "$SYSROOT/initrd_secrets"
simple_get "/private-public-keys/ssh/root@vault-decrypt" .private | base64 > "$secretFile"
'';
};
restic_password = { restic_password = {
fetchScript = '' fetchScript = ''
simple_get "/private-public-keys/restic/Vault" .password > "$secretFile" simple_get "/private-public-keys/restic/Vault" .password > "$secretFile"

1
hosts/vault/vault.nix
View file

@ -10,6 +10,7 @@
profiles.chaosInternalWireGuard profiles.chaosInternalWireGuard
./secrets.nix ./secrets.nix
./hardware.nix
] ]
++ (with hosts.vault.profiles; [ ++ (with hosts.vault.profiles; [
vault vault

28
modules/nixos/secretsLib/lib.nix
View file

@ -14,22 +14,22 @@
set -e -o pipefail set -e -o pipefail
${optionalString cfg.debug "set -x"} ${optionalString cfg.debug "set -x"}
set +u set +u
# If sysroot is set then make sure it has trailing / # If sysroot is set then make sure it has trailing /
if [ -n "$SYSROOT" ]; then if [ -n "$SYSROOT" ]; then
if ! (echo "$SYSROOT" | grep -q "/$"); then if ! (echo "$SYSROOT" | grep -q "/$"); then
SYSROOT="$SYSROOT/" SYSROOT="$SYSROOT/"
fi
fi fi
# If sysroot is empty then make sure it is empty so it doesn't error fi
[ -z "$SYSROOT" ] && SYSROOT= # If sysroot is empty then make sure it is empty so it doesn't error
set -u [ -z "$SYSROOT" ] && SYSROOT=
set -u
if [ -n "$SYSROOT" ]; then if [ -n "$SYSROOT" ]; then
echo "Using sysroot: $SYSROOT" echo "Using sysroot: $SYSROOT"
fi fi
${optionalString cfg.createSecretsDir '' ${optionalString cfg.createSecretsDir ''
if [ ! -d "$SYSROOT${cfg.secretsDir}" ]; then if [ ! -d "$SYSROOT${cfg.secretsDir}" ]; then
mkdir -p "$SYSROOT${cfg.secretsDir}" mkdir -p "$SYSROOT${cfg.secretsDir}"
chown "${userOrMappedID cfg.secretsDirUser}:${groupOrMappedID cfg.secretsDirGroup}" "$SYSROOT${cfg.secretsDir}" chown "${userOrMappedID cfg.secretsDirUser}:${groupOrMappedID cfg.secretsDirGroup}" "$SYSROOT${cfg.secretsDir}"
@ -141,7 +141,7 @@
secretPermissions = secret.permissions; secretPermissions = secret.permissions;
in '' in ''
if [[ ! -f "$SYSROOT${secretPath}" ]]; then if [[ ! -f "$SYSROOT${secretPath}" ]]; then
echo "Manual Secret ${secretPath} Doesn't Exist" echo "Manual Secret ${secretPath} Doesn't Exist; Please add before continuing"
exit 1 exit 1
fi fi

6
outputs.nix
View file

@ -30,7 +30,7 @@ in
formatter = pkgs.alejandra; formatter = pkgs.alejandra;
devShell = pkgs.mkShell { devShell = pkgs.mkShell {
VAULT_API_ADDR = "https://vault.owo.monster"; VAULT_ADDR = "https://vault.owo.monster";
packages = packages =
(with pkgs; [ (with pkgs; [
git git
@ -41,14 +41,14 @@ in
]) ])
++ (with self.packages."${system}"; [ ++ (with self.packages."${system}"; [
mk-enc-usb mk-enc-usb
mk-normal-enc-ssd mk-encrypted-drive
mk-raspberry-ext-drive mk-raspberry-ext-drive
]); ]);
}; };
packages = { packages = {
inherit (pkgs) comic-code comic-sans; inherit (pkgs) comic-code comic-sans;
inherit (pkgs) mk-enc-usb mk-normal-enc-ssd mk-raspberry-ext-drive; inherit (pkgs) mk-enc-usb mk-encrypted-drive mk-raspberry-ext-drive;
inherit (pkgs) gotosocial; inherit (pkgs) gotosocial;
inherit (pkgs) cockroachdb; inherit (pkgs) cockroachdb;
inherit (pkgs) piped-backend piped-frontend piped-proxy; inherit (pkgs) piped-backend piped-frontend piped-proxy;

2
overlay/default.nix
View file

@ -5,7 +5,7 @@ final: prev: rec {
gobar = final.callPackage ./gobar {}; gobar = final.callPackage ./gobar {};
mk-enc-usb = final.callPackage ../extras/mk-enc-usb.nix {}; mk-enc-usb = final.callPackage ../extras/mk-enc-usb.nix {};
mk-normal-enc-ssd = final.callPackage ../extras/mk-normal-enc-ssd.nix {}; mk-encrypted-drive = final.callPackage ../extras/mk-encrypted-drive.nix {};
mk-raspberry-ext-drive = final.callPackage ../extras/mk-raspberry-ext-drive.nix {}; mk-raspberry-ext-drive = final.callPackage ../extras/mk-raspberry-ext-drive.nix {};
kitty-terminfo = final.runCommand "kitty-terminfo" {} '' kitty-terminfo = final.runCommand "kitty-terminfo" {} ''

2
presets/nixos/normalEncryptedDrive.nix → presets/nixos/encryptedDrive.nix
View file

@ -8,7 +8,7 @@
inherit (lib.modules) mkBefore; inherit (lib.modules) mkBefore;
encryptedUSB = import "${self}/data/encryptedUSB.nix"; encryptedUSB = import "${self}/data/encryptedUSB.nix";
driveData = import "${self}/data/normalEncryptedDrive.nix"; driveData = import "${self}/data/drives/normalEncryptedDrive.nix";
in { in {
boot = { boot = {
initrd.availableKernelModules = [ initrd.availableKernelModules = [

88
presets/nixos/serverEncryptedDrive.nix
View file

@ -1,38 +1,60 @@
{ {
self,
config, config,
tree, tree,
lib,
pkgs,
... ...
}: { }: let
inherit (lib.modules) mkForce;
inherit (lib.lists) optional;
system = pkgs.system;
driveData = import "${self}/data/drives/encryptedDrive.nix";
in {
imports = with tree; [ imports = with tree; [
profiles.sshd profiles.sshd
]; ];
boot = { boot = {
loader.systemd-boot.enable = false; loader.supportsInitrdSecrets = true;
initrd = {
availableKernelModules =
[
"nvme"
"ahci"
"ehci_pci"
"xhci_pci"
"sd_mod"
"sr_mod"
"usbhid"
"virtio_pci"
"virtio_net"
"dm_crypt"
"dm_mod"
"cryptd"
]
++ (lib.optionals (system == "x86_64_linux") ["aesni_intel"]);
loader.grub = { secrets = {
enable = true; # This will need to be generated before install or installed with secrets-init
efiSupport = false; # To keep it same across reinstalls add the ssh key and pubkey to secrets module
enableCryptodisk = true; "/ssh_host_ed25519_key" = mkForce "/initrd_secrets/ssh_host_ed25519_key";
device = "/dev/sda"; };
luks = {
forceLuksSupportInInitrd = true;
devices = {
"${driveData.mapperName}" = {
device = "${driveData.encryptedPath}";
preLVM = false;
allowDiscards = true;
};
};
};
}; };
initrd.availableKernelModules = [
"nvme"
"ahci"
"xhci_pci"
"virtio_pci"
"sd_mod"
"sr_mod" # For Storage
"virtio_net" # For Hetzner VMs Networking
# For Cryptography
"aesni_intel"
"cryptd"
];
loader.supportsInitrdSecrets = true;
initrd.luks.forceLuksSupportInInitrd = true;
initrd.network = { initrd.network = {
enable = true; enable = true;
ssh = { ssh = {
@ -45,28 +67,16 @@
echo 'cryptsetup-askpass' >> /root/.profile echo 'cryptsetup-askpass' >> /root/.profile
''; '';
}; };
initrd.secrets = {
"/ssh_host_ed25519_key" = "/ssh_host_ed25519_key";
};
initrd.luks.devices = {
"nixos_unencrypted" = {
device = "/dev/sda3";
preLVM = false;
allowDiscards = true;
};
};
}; };
fileSystems = { fileSystems = {
"/" = { "/" = {
device = "/dev/mapper/nixos_unencrypted"; device = "${driveData.decryptedPath}";
fsType = "ext4"; fsType = "${driveData.unencryptedFSType}";
}; };
"/boot" = { "/boot" = {
device = "/dev/sda2"; device = "${driveData.bootPath}";
fsType = "vfat"; fsType = "${driveData.bootFSType}";
}; };
}; };
} }

14
presets/nixos/serverHetzner.nix
View file

@ -2,15 +2,22 @@
self, self,
config, config,
modulesPath, modulesPath,
pkgs,
lib, lib,
... ...
}: let }: let
inherit (lib.lists) optionals;
inherit (lib.modules) mkForce; inherit (lib.modules) mkForce;
system = pkgs.system;
container-ips = import "${self}/data/serverIPs.nix"; container-ips = import "${self}/data/serverIPs.nix";
hostName = config.networking.hostName; hostName = config.networking.hostName;
serverIPs = container-ips.${hostName}; serverIPs = container-ips.${hostName};
gateway = "172.31.1.1";
netmask = "255.255.255.255";
in { in {
imports = [ imports = [
(modulesPath + "/profiles/qemu-guest.nix") (modulesPath + "/profiles/qemu-guest.nix")
@ -25,6 +32,13 @@ in {
dhcpcd.enable = false; dhcpcd.enable = false;
}; };
boot.kernelParams =
[
"console=tty0"
"ip=${serverIPs.ipv4}::${gateway}:${netmask}:${hostName}:eth0:any"
]
++ (lib.optionals (system == "aarch64-linux") ["console=ttyAMA0,115200" "console=ttyS0,115200"]);
systemd.network = { systemd.network = {
enable = true; enable = true;
networks."eth0" = { networks."eth0" = {

5
scripts/nixFlakes.sh
View file

@ -1,3 +1,4 @@
#!/usr/bin/env bash #!/usr/bin/env nix-shell
#!nix-shell -i bash -p nixFlakes
nix-shell -p nixFlakes --run "nix --experimental-features \"nix-command flakes\" $@" nix --experimental-features "nix-command flakes" "$@"