start work on arm for vault

This commit is contained in:
chaos 2023-09-20 15:46:20 +01:00
parent ebca60021d
commit 1223d1b98b
No known key found for this signature in database
22 changed files with 226 additions and 132 deletions


@ -0,0 +1,25 @@
# This works with both UEFI and BIOS based systems
rec {
# Mountpoints
mountpoint = "/";
bootMountpoint = "/boot";
# Partition Labels
bootLabel = "nixboot";
unencryptedLabel = "nixos";
encryptedPartLabel = "nixos_encrypted";
# Partition Filesystems
unencryptedFSType = "ext4";
bootFSType = "vfat";
# Mapper Name
mapperName = "cryptroot";
# FS Paths
encryptedPath = "/dev/disk/by-partlabel/${encryptedPartLabel}";
decryptedPath = "/dev/mapper/${mapperName}";
# the /boot parition
bootPath = "/dev/disk/by-label/${bootLabel}";
}
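Review bot: The labels in this new data file would read more safely with a comment saying which layer each one names, because `unencryptedLabel = "nixos"` is the label that mk-encrypted-drive stamps on the ext4 filesystem inside the LUKS container (via `mkfs.ext4 -L`), not on a plaintext partition, while `encryptedPartLabel` is a GPT partition name and `bootLabel` is both a partition name and a FAT volume label. I would add `# ext4 label of the filesystem inside the LUKS container (mkfs.ext4 -L in mk-encrypted-drive)` above `unencryptedLabel`, and `# used both as the GPT partition name and as the FAT volume label, so by-label and by-partlabel both resolve` above `bootLabel`. The header comment's claim that this works for BIOS as well as UEFI rests on the partition flags the script sets rather than on anything in this file, so it is better phrased as describing the intended use.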


@ -7,7 +7,7 @@ rec {
ipv4 = "65.21.145.62";
ipv6 = "2a01:4f9:c010:6a89::1";
};
"hetzner-arm" = {
"vault-arm" = {
ipv4 = "65.21.0.145";
ipv6 = "2a01:4f9:c012:9b6b::1";
};


@ -4,7 +4,7 @@
e2fsprogs,
writeShellApplication,
}: let
encryptedUSBData = import ../data/encryptedUSB.nix;
encryptedUSBData = import ../data/drives/encryptedUSB.nix;
in (writeShellApplication {
name = "mk-enc-usb";
runtimeInputs = [


@ -0,0 +1,85 @@
{
parted,
cryptsetup,
e2fsprogs,
dosfstools,
writeShellApplication,
}: let
driveData = import ../data/drives/encryptedDrive.nix;
in (writeShellApplication {
name = "mk-encrypted-drive";
runtimeInputs = [
parted
cryptsetup
e2fsprogs
dosfstools
];
text = ''
if [ -z "''${BIOS-}" ]; then
echo "If making a drive for bios then you will need to set BIOS env variable"
fi
if [ -z "''${PASSWORD_FILE-}" ]; then
echo "If the drive is for a encrypted server then password will need to be set with PASSWORD_FILE"
fi
if [ -z "''${1-}" ]; then
echo "Please specify a path to device as first argument"
exit 1
fi
if [ -z "''${2-}" ]; then
echo "Please specify a path to key file as second argument"
exit 1
fi
DRIVE_PATH=$1
KEY_FILE=$2
if echo "$DRIVE_PATH" | grep -q "[0-9]$"; then
PARTITION_SEPARATOR="p"
else
PARTITION_SEPARATOR=""
fi
if [ "$EUID" -ne 0 ]; then
echo "Please run as root"
exit
fi
echo "Creating Partitions..."
if [ -n "''${BIOS-}" ]; then
# EFI Install
parted "$DRIVE_PATH" -- mklabel gpt
parted "$DRIVE_PATH" -- mkpart ESP fat32 1MiB 512MiB
parted "$DRIVE_PATH" -- mkpart primary 620MiB -1MiB
parted "$DRIVE_PATH" -- set 1 esp on
parted "$DRIVE_PATH" -- name 1 "${driveData.bootLabel}"
parted "$DRIVE_PATH" -- name 2 "${driveData.encryptedPartLabel}"
else
parted "$DRIVE_PATH" -- mklabel gpt
parted "$DRIVE_PATH" -- mkpart ESP fat32 1MiB 512MiB
parted "$DRIVE_PATH" -- mkpart primary 620MiB -1MiB
parted "$DRIVE_PATH" -- set 1 boot on
parted "$DRIVE_PATH" -- name 1 "${driveData.bootLabel}"
parted "$DRIVE_PATH" -- name 2 "${driveData.encryptedPartLabel}"
fi
echo "Formatting boot partition"
mkfs.fat -n "${driveData.bootLabel}" "''${DRIVE_PATH}''${PARTITION_SEPARATOR}1"
echo "Creating Encrypted Partition"
cryptsetup luksFormat "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" --key-file "$KEY_FILE"
if [ -n "''${PASSWORD_FILE-}" ]; then
cryptsetup luksAddKey "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" --key-file "$KEY_FILE" < "$PASSWORD_FILE"
fi
echo "Opening Encrypted Partition"
cryptsetup open "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" "mk_encrypted_drive" --key-file "$KEY_FILE"
echo "Formatting Encrypted Root Filesystem"
mkfs.ext4 -L "${driveData.unencryptedLabel}" /dev/mapper/mk_encrypted_drive
echo "mount /dev/mapper/mk_encrypted_drive to install"
'';
})
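Review bot: The BIOS/EFI branches in the partitioning block look inverted: the prompt at the top says to set `BIOS` when making a drive for a BIOS system, yet the `if [ -n "''${BIOS-}" ]` branch is the one labelled `# EFI Install` and runs `set 1 esp on`, while the unset case gets `set 1 boot on`. Since the two branches differ only in that flag, the fix is `if [ -z "''${BIOS-}" ]; then` (or swapping the two bodies) so the `# EFI Install` comment stays with the esp branch. The root check still ends with a bare `exit`, so an unprivileged run reports success; make it `exit 1` like the argument checks. If the BIOS layout is meant for the grub configuration in hosts/vault (`efiSupport = false` on a GPT disk), grub will also want a small partition flagged `bios_grub`, which neither branch creates — worth confirming against the installer that consumes this drive.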


@ -1,64 +0,0 @@
{
parted,
cryptsetup,
e2fsprogs,
dosfstools,
writeShellApplication,
}: let
ssdData = import ../data/normalEncryptedDrive.nix;
in (writeShellApplication {
name = "mk-normal-enc-ssd";
runtimeInputs = [
parted
cryptsetup
e2fsprogs
dosfstools
];
text = ''
if [ -z "''${1-}" ]; then
echo "Please specify a path to device as first argument"
exit 1
fi
if [ -z "''${2-}" ]; then
echo "Please specify a path to key file as second argument"
exit 1
fi
SSD_PATH=$1
KEY_FILE=$2
if echo "$SSD_PATH" | grep -q "[0-9]$"; then
PARTITION_SEPARATOR="p"
else
PARTITION_SEPARATOR=""
fi
if [ "$EUID" -ne 0 ]; then
echo "Please run as root"
exit
fi
echo "Creating Partitions..."
parted "$SSD_PATH" -- mklabel gpt
parted "$SSD_PATH" -- mkpart ESP fat32 1MiB 512MiB
parted "$SSD_PATH" -- mkpart primary 620MiB -1MiB
parted "$SSD_PATH" -- set 1 esp on
parted "$SSD_PATH" -- name 1 "${ssdData.bootLabel}"
parted "$SSD_PATH" -- name 2 "${ssdData.encryptedPartLabel}"
echo "Formatting boot partition"
mkfs.fat -n "${ssdData.bootLabel}" "''${SSD_PATH}''${PARTITION_SEPARATOR}1"
echo "Creating Encrypted Partition"
cryptsetup luksFormat "''${SSD_PATH}''${PARTITION_SEPARATOR}2" --key-file "$KEY_FILE"
echo "Opening Encrypted Partition"
cryptsetup open "''${SSD_PATH}''${PARTITION_SEPARATOR}2" "mk_normal_enc_ssd" --key-file "$KEY_FILE"
echo "Formatting Encrypted Root Filesystem"
mkfs.ext4 -L "${ssdData.unencryptedLabel}" /dev/mapper/mk_normal_enc_ssd
echo "mount /dev/mapper/mk_normal_enc_ssd to install"
'';
})


@ -3,7 +3,7 @@
pkgs,
...
}: let
encryptedUSBData = import "${self}/data/encryptedUSB.nix";
encryptedUSBData = import "${self}/data/drives/encryptedUSB.nix";
in {
home.packages = with pkgs; [eza bat ripgrep vault-bin libarchive age];
programs.zsh = {


@ -17,7 +17,7 @@
'')
mk-enc-usb
mk-normal-enc-ssd
mk-encrypted-drive
mk-raspberry-ext-drive
];
}


@ -1,5 +1,5 @@
{...}: let
encryptedUSBData = import ../data/encryptedUSB.nix;
encryptedUSBData = import ../data/drives/encryptedUSB.nix;
in {
programs.ssh.matchBlocks."*".identityFile = "${encryptedUSBData.sshPrivateKeyPath}";
programs.git.extraConfig = {


@ -1,5 +1,7 @@
{tree, ...}: {
imports = with tree; [presets.nixos.normalEncryptedDrive];
imports = with tree; [
presets.nixos.encryptedDrive
];
boot = {
loader = {


@ -111,7 +111,7 @@ in {
// {
hostPath = ./vault;
};
system = "x86_64-linux";
system = "aarch64-linux";
modules = defaultModules ++ [./vault/vault.nix];
};

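--- a/hosts/vault/hardware.nix
+++ b/hosts/vault/hardware.nix
@@ -0,0 +1,6 @@
+{...}: {
+boot.loader = {
+systemd-boot.enable = true;
+efi.canTouchEfiVariables = true;
+};
+}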
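Review bot: `systemd-boot.enable = true` here collides with the vault host module in this same commit, which sets `loader.systemd-boot.enable = false` and enables grub with `efiSupport = false` and `device = "/dev/sda"`. Both files appear to be imported by the same host (`./hardware.nix` is added to the vault imports in this commit), and a boolean option defined as both `true` and `false` at the same priority fails evaluation with a conflicting-definitions error rather than picking one. Decide on a single loader for the aarch64 vault host and drop the other definition; if UEFI systemd-boot is the intent, the grub block in the host module is the one to remove.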


@ -12,6 +12,8 @@
};
requiredVaultPaths = [
"/private-public-keys/ssh/root@vault-decrypt"
"private-public-keys/data/restic/Vault"
"api-keys/data/storage/restic/Vault"
@ -22,6 +24,18 @@
manual = true;
};
# this doesn't need to be a secret and can be generated at install time
# but it makes it easier to install.
# it's stored in /nix store anyway
ssh_host_ed25519_key = {
path = "/initrd_secrets/ssh_host_ed25519_key";
permissions = "600";
fetchScript = ''
[ ! -d "$SYSROOT/initrd_secrets" ] && mkdir -p "$SYSROOT/initrd_secrets"
simple_get "/private-public-keys/ssh/root@vault-decrypt" .private | base64 > "$secretFile"
'';
};
restic_password = {
fetchScript = ''
simple_get "/private-public-keys/restic/Vault" .password > "$secretFile"
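Review bot: The new `requiredVaultPaths` entry `"/private-public-keys/ssh/root@vault-decrypt"` carries a leading slash while the neighbouring entries (`"private-public-keys/data/restic/Vault"`) do not; if these strings are matched literally against Vault paths or policies, the slash makes this one a different path, so align it with the others. In `ssh_host_ed25519_key.fetchScript`, piping the fetched `.private` field through `base64` encodes it, yet the host module's `initrd.secrets` copies this file into the initrd as `/ssh_host_ed25519_key` for sshd to read as-is; if the value is stored base64-encoded in Vault, `base64 -d` is presumably what was intended, and if it is stored raw the pipe should go. The `[ ! -d ... ] && mkdir -p` guard is redundant since `mkdir -p` already tolerates an existing directory. The comment saying the key need not be secret because it ends up in the Nix store anyway reads as dated now that the host enables `supportsInitrdSecrets`, which as I read it appends the file to the initrd at install time rather than copying it into the store; this key is what authenticates the remote-unlock sshd, so I would reword the comment rather than lean on it.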


@ -10,6 +10,7 @@
profiles.chaosInternalWireGuard
./secrets.nix
./hardware.nix
]
++ (with hosts.vault.profiles; [
vault


@ -14,22 +14,22 @@
set -e -o pipefail
${optionalString cfg.debug "set -x"}
set +u
# If sysroot is set then make sure it has trailing /
if [ -n "$SYSROOT" ]; then
if ! (echo "$SYSROOT" | grep -q "/$"); then
SYSROOT="$SYSROOT/"
fi
set +u
# If sysroot is set then make sure it has trailing /
if [ -n "$SYSROOT" ]; then
if ! (echo "$SYSROOT" | grep -q "/$"); then
SYSROOT="$SYSROOT/"
fi
# If sysroot is empty then make sure it is empty so it doesn't error
[ -z "$SYSROOT" ] && SYSROOT=
set -u
fi
# If sysroot is empty then make sure it is empty so it doesn't error
[ -z "$SYSROOT" ] && SYSROOT=
set -u
if [ -n "$SYSROOT" ]; then
echo "Using sysroot: $SYSROOT"
fi
if [ -n "$SYSROOT" ]; then
echo "Using sysroot: $SYSROOT"
fi
${optionalString cfg.createSecretsDir ''
${optionalString cfg.createSecretsDir ''
if [ ! -d "$SYSROOT${cfg.secretsDir}" ]; then
mkdir -p "$SYSROOT${cfg.secretsDir}"
chown "${userOrMappedID cfg.secretsDirUser}:${groupOrMappedID cfg.secretsDirGroup}" "$SYSROOT${cfg.secretsDir}"
@ -141,7 +141,7 @@
secretPermissions = secret.permissions;
in ''
if [[ ! -f "$SYSROOT${secretPath}" ]]; then
echo "Manual Secret ${secretPath} Doesn't Exist"
echo "Manual Secret ${secretPath} Doesn't Exist; Please add before continuing"
exit 1
fi
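Review bot: In the SYSROOT block, `set -u` is now only restored inside the `if [ -n "$SYSROOT" ]` branch, so whenever SYSROOT is unset or empty the rest of the generated script keeps running with `set +u` and unset-variable errors are silently masked; before this change `set -u` followed the `fi`. The `[ -z "$SYSROOT" ] && SYSROOT=` line is likewise dead where it now sits, since the enclosing branch has just tested `-n`. Move both lines back after the `fi`: `fi`, `[ -z "$SYSROOT" ] && SYSROOT=`, `set -u`. The script text continues beyond both hunks, and the second hunk only rewords the manual-secret error message.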


@ -30,7 +30,7 @@ in
formatter = pkgs.alejandra;
devShell = pkgs.mkShell {
VAULT_API_ADDR = "https://vault.owo.monster";
VAULT_ADDR = "https://vault.owo.monster";
packages =
(with pkgs; [
git
@ -41,14 +41,14 @@ in
])
++ (with self.packages."${system}"; [
mk-enc-usb
mk-normal-enc-ssd
mk-encrypted-drive
mk-raspberry-ext-drive
]);
};
packages = {
inherit (pkgs) comic-code comic-sans;
inherit (pkgs) mk-enc-usb mk-normal-enc-ssd mk-raspberry-ext-drive;
inherit (pkgs) mk-enc-usb mk-encrypted-drive mk-raspberry-ext-drive;
inherit (pkgs) gotosocial;
inherit (pkgs) cockroachdb;
inherit (pkgs) piped-backend piped-frontend piped-proxy;


@ -5,7 +5,7 @@ final: prev: rec {
gobar = final.callPackage ./gobar {};
mk-enc-usb = final.callPackage ../extras/mk-enc-usb.nix {};
mk-normal-enc-ssd = final.callPackage ../extras/mk-normal-enc-ssd.nix {};
mk-encrypted-drive = final.callPackage ../extras/mk-encrypted-drive.nix {};
mk-raspberry-ext-drive = final.callPackage ../extras/mk-raspberry-ext-drive.nix {};
kitty-terminfo = final.runCommand "kitty-terminfo" {} ''


@ -8,7 +8,7 @@
inherit (lib.modules) mkBefore;
encryptedUSB = import "${self}/data/encryptedUSB.nix";
driveData = import "${self}/data/normalEncryptedDrive.nix";
driveData = import "${self}/data/drives/normalEncryptedDrive.nix";
in {
boot = {
initrd.availableKernelModules = [


@ -1,38 +1,60 @@
{
self,
config,
tree,
lib,
pkgs,
...
}: {
}: let
inherit (lib.modules) mkForce;
inherit (lib.lists) optional;
system = pkgs.system;
driveData = import "${self}/data/drives/encryptedDrive.nix";
in {
imports = with tree; [
profiles.sshd
];
boot = {
loader.systemd-boot.enable = false;
loader.supportsInitrdSecrets = true;
initrd = {
availableKernelModules =
[
"nvme"
"ahci"
"ehci_pci"
"xhci_pci"
"sd_mod"
"sr_mod"
"usbhid"
"virtio_pci"
"virtio_net"
"dm_crypt"
"dm_mod"
"cryptd"
]
++ (lib.optionals (system == "x86_64_linux") ["aesni_intel"]);
loader.grub = {
enable = true;
efiSupport = false;
enableCryptodisk = true;
device = "/dev/sda";
secrets = {
# This will need to be generated before install or installed with secrets-init
# To keep it same across reinstalls add the ssh key and pubkey to secrets module
"/ssh_host_ed25519_key" = mkForce "/initrd_secrets/ssh_host_ed25519_key";
};
luks = {
forceLuksSupportInInitrd = true;
devices = {
"${driveData.mapperName}" = {
device = "${driveData.encryptedPath}";
preLVM = false;
allowDiscards = true;
};
};
};
};
initrd.availableKernelModules = [
"nvme"
"ahci"
"xhci_pci"
"virtio_pci"
"sd_mod"
"sr_mod" # For Storage
"virtio_net" # For Hetzner VMs Networking
# For Cryptography
"aesni_intel"
"cryptd"
];
loader.supportsInitrdSecrets = true;
initrd.luks.forceLuksSupportInInitrd = true;
initrd.network = {
enable = true;
ssh = {
@ -45,28 +67,16 @@
echo 'cryptsetup-askpass' >> /root/.profile
'';
};
initrd.secrets = {
"/ssh_host_ed25519_key" = "/ssh_host_ed25519_key";
};
initrd.luks.devices = {
"nixos_unencrypted" = {
device = "/dev/sda3";
preLVM = false;
allowDiscards = true;
};
};
};
fileSystems = {
"/" = {
device = "/dev/mapper/nixos_unencrypted";
fsType = "ext4";
device = "${driveData.decryptedPath}";
fsType = "${driveData.unencryptedFSType}";
};
"/boot" = {
device = "/dev/sda2";
fsType = "vfat";
device = "${driveData.bootPath}";
fsType = "${driveData.bootFSType}";
};
};
}
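Review bot: The `aesni_intel` conditional compares `system` with `"x86_64_linux"` (underscore), but the system string everywhere else in this tree is `"x86_64-linux"` (the vault flake entry and the aarch64 check in the Hetzner profile use the hyphenated form), so the module is never added on x86 hosts; change it to `++ (lib.optionals (system == "x86_64-linux") ["aesni_intel"]);`. `inherit (lib.lists) optional;` is bound in the new let block but nothing in the file uses it — the conditional calls `lib.optionals` — so drop it or use it. `loader.grub.device = "/dev/sda"` is now the only hard-coded device path left after the filesystems moved to `driveData` labels, and on the aarch64 Hetzner VM the disk may well not be `/dev/sda`. `loader.systemd-boot.enable = false` here is also defined as `true` in the new hosts/vault/hardware.nix, which will not evaluate if both modules are imported by the same host.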


@ -2,15 +2,22 @@
self,
config,
modulesPath,
pkgs,
lib,
...
}: let
inherit (lib.lists) optionals;
inherit (lib.modules) mkForce;
system = pkgs.system;
container-ips = import "${self}/data/serverIPs.nix";
hostName = config.networking.hostName;
serverIPs = container-ips.${hostName};
gateway = "172.31.1.1";
netmask = "255.255.255.255";
in {
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
@ -25,6 +32,13 @@ in {
dhcpcd.enable = false;
};
boot.kernelParams =
[
"console=tty0"
"ip=${serverIPs.ipv4}::${gateway}:${netmask}:${hostName}:eth0:any"
]
++ (lib.optionals (system == "aarch64-linux") ["console=ttyAMA0,115200" "console=ttyS0,115200"]);
systemd.network = {
enable = true;
networks."eth0" = {
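Review bot: `inherit (lib.lists) optionals;` and `inherit (lib.modules) mkForce;` are added to the let block, but the new `boot.kernelParams` line calls `lib.optionals` rather than the bound name, and `mkForce` is not used in either visible hunk; either write `++ (optionals (system == "aarch64-linux") [...])` or drop the inherits so the let block reflects what the file uses. The rest of the module is outside the hunks, so mkForce may be used there. With three `console=` entries the kernel takes the last one as `/dev/console`, so on aarch64 the primary console becomes `ttyS0` rather than `tty0` — fine if that is the intent for the Hetzner serial console, but worth a comment on the line.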


@ -1,3 +1,4 @@
#!/usr/bin/env bash
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p nixFlakes
nix-shell -p nixFlakes --run "nix --experimental-features \"nix-command flakes\" $@"
nix --experimental-features "nix-command flakes" "$@"