encrypted laptop root and better setup guide

LAPPY_SETUP_GUIDE.md

@@ -9,10 +9,11 @@ export DEVICE_UNENCRYPTED_ROOT=/dev/mapper/${DEVICE_UNENCRYPTED_ROOT_NAME}
 export ENCRYPTION_KEY_PATH=mount/encryption-keys/lappy.key
 
 parted /dev/${DEVICE_ROOT} -- mklabel gpt
-parted /dev/${DEVICE_ROOT} -- mkpart primary 512MiB -8GiB
+parted /dev/${DEVICE_ROOT} -- mkpart ESP fat32 1MiB 512MiB
-parted /dev/${DEVICE_ROOT} -- mkpart ESP fat32 1MiB 500MiB
+parted /dev/${DEVICE_ROOT} -- mkpart primary 620MiB -1MiB
-parted /dev/${DEVICE_ROOT} -- set 3 esp on
+parted /dev/${DEVICE_ROOT} -- set 1 esp on
-
+parted /dev/${DEVICE_ROOT} -- name 1 nixboot
+parted /dev/${DEVICE_ROOT} -- name 2 nixos_encrypted
 mkfs.fat -n nixboot ${DEVICE_BOOT_PART}
 
 cryptsetup luksFormat ${DEVICE_ENCRYPTED_ROOT_PART}
@@ -20,28 +21,63 @@ cryptsetup luksAddKey ${DEVICE_ENCRYPTED_ROOT_PART} ${ENCRYPTION_KEY_PATH}
 cryptsetup luksOpen ${DEVICE_ENCRYPTED_ROOT_PART} ${DEVICE_UNENCRYPTED_ROOT_NAME}
 mkfs.ext4 -L nixos ${DEVICE_UNENCRYPTED_ROOT}
 ```
+## SSH Key
 ## NetworkManager
 Grab passwords from Vault
 ## Browser (vivaldi)
-Open up browser and install the following extensions:
+### Settings
-- - Stylus
+#### General
-- - Tampermonkey
+Home Page: Start Page
-- - uBlock Origin
+Startup With: Start Page
+#### Appearance
+Use Animation: NO!
+User Interface Zoom: 145%
+#### Themes
+Theme: Private
+#### Tabs
+- Display Close Button: Permanantly
+- Active Tab Minimum Width: 150px
+- Tab Stacking: Disable
+- Mute Tab Audio: Play only in active tab
+#### Search
+- Default search engine: Google
+- Always search in new tab: ON
+#### Privacy
+- Phishing and Malware Protection: OFF
+- DNS to help resolve navigation errors: OFF
+- Form AutoFill Assist: OFF
+- Ask websites not to track me: ON
+- No Blocking
+- Save Webpage Passwords: OFF
+#### Downloads
+- Save without asking: ON
+#### Webpages
+- Default Webpage Zoom: 145%
+- Disable Use Tab Zoom
+- Disable Use Ctrl+Scroll Zoom
+- Plugins: Enable All
+- Fonts: All to Comic Sans apart from Monospace which is Comic Code
+- Reader: Colour Scheme: Dark
+### Extensions
+Install the following extensions:
+- Stylus
+- Tampermonkey
+- uBlock Origin
 Then install all userscripts and userstyles from [Here](https://gitlab.com/ChaotiCryptidz/userstyles-userscripts/-/tree/main)
 ## Telegram Desktop (kotatogram)
 - Set interface size to 200%
-- Recent stickers: show 30 stickers
+- Recent stickers: show 40 stickers
-- Sticker Height: 100px
+- Sticker Height: 140px
 - Upload Speed Boost: Slight
-- Main Font & Semibold Font: Comic Sans
+- Main Font & Semibold Font: Comic Sans MS
 - Monospaced Font: Comic Code
 - Confirm before calling: on
 ## Quassel Client
-- Set theme to config dir's style.qss
 ### Interface
-- Widget Style Fusion
+- Set theme to config dir's style.qss
+- Widget Style: Fusion
+- Fallback Icon Theme: Fusion
 - Show System Tray Icon
-- Invert system tray icon brightness
 ### Chat View
 - Chat Window Font: Comic Code 20pt
 ### Chat View Colours
@@ -59,6 +95,8 @@ Other: #00dda6
 ```
 ### Input Widget
 - Custom Font: Comic Code 18pt
+### Topic Widget
+- Custom Font: Comic Code 14pt
 ### Backlog Fetching
 - Amount: 500
 - Method: Fixed

home/apps/chromium.nix

@@ -1,38 +0,0 @@
-{ pkgs, lib, ... }:
-let
-  getExtension = { id, url, sha256, version, updateUrl }: {
-    inherit id;
-    crxPath = builtins.fetchurl {
-      url = "${url}";
-      name = "${id}.crx";
-      inherit sha256;
-    };
-    inherit version;
-    inherit updateUrl;
-  };
-  createChromiumExtensionFor = browserVersion:
-    { id, sha256, version }: {
-      inherit id;
-      crxPath = builtins.fetchurl {
-        url =
-          "https://clients2.google.com/service/update2/crx?response=redirect&acceptformat=crx2,crx3&prodversion=${browserVersion}&x=id%3D${id}%26installsource%3Dondemand%26uc";
-        name = "${id}.crx";
-        inherit sha256;
-      };
-      #updateUrl = "http://clients2.google.com/service/update2/crx?response=updatecheck&x=id%3D${id}%26uc";
-      updateUrl = "https://clients2.google.com/service/update2/crx";
-      inherit version;
-    };
-  createChromiumExtension =
-    createChromiumExtensionFor (lib.versions.major pkgs.vivaldi.version);
-in {
-  programs.chromium = {
-    enable = true;
-    package = pkgs.vivaldi;
-    extensions = [
-      { id = "cjpalhdlnbpafiamejdnhcphjbkeiagm"; }
-      { id = "clngdbkpkpeebahjckkjfobafhncgmne"; }
-      { id = "adicoenigffoolephelklheejpcpoolk"; }
-    ];
-  };
-}

hosts/hetzner-vm/hetzner-vm.nix

@@ -3,7 +3,7 @@
 {
   imports = with tree; [
     users.root
-    users.chaoticryptidz
+    users.chaos
 
     profiles.base
     profiles.tailscale
@@ -24,7 +24,7 @@
   home-manager.users.root = {
     imports = with tree; [ home.base home.dev.small ];
   };
-  home-manager.users.chaoticryptidz = {
+  home-manager.users.chaos = {
     imports = with tree; [ home.base home.dev.small ];
   };
 

hosts/lappy/hardware.nix

@@ -1,7 +1,7 @@
-{ ... }:
+{ pkgs, ... }:
 let
   usb_label = "my_usb";
-  encrypted_root_uuid = "";
+  encrypted_root_partlabel = "nixos_encrypted";
   unencrypted_root_uuid = "";
 in {
   boot = {
@@ -26,33 +26,29 @@ in {
       "cryptd"
     ];
     kernelModules = [ "kvm-intel" ];
+  
+
+  initrd.postDeviceCommands = pkgs.lib.mkBefore ''
+    mkdir -m 0755 -p /key
+    sleep 3
+    mount -n -t vfat -o ro `findfs LABEL=${usb_label}` /key
+  '';
+
+  initrd.luks.devices."cryptroot".device =
+    "/dev/disk/by-partlabel/${encrypted_root_partlabel}";
+
+  initrd.luks.devices."cryptroot" = {
+    keyFile = "/key/encryption-keys/lappy.key";
+    preLVM = false;
+    allowDiscards = true;
   };
-
+};
-  # TODO: encrypted storage
-  #initrd.postDeviceCommands = pkgs.lib.mkBefore ''
-  #  mkdir -m 0755 -p /key
-  #  sleep 3
-  #  mount -n -t vfat -o ro `findfs LABEL=${usb_label}` /key
-  #'';
-
-  #boot.initrd.luks.devices."cryptroot".device =
-  #  "/dev/disk/by-uuid/${encrypted_root_uuid}";
-
-  #initrd.luks.devices."cryptroot" = {
-  #  keyFile = "/key/encryption-keys/lappy.key";
-  #  preLVM = false;
-  #  allowDiscards = true;
-  #};
 
   fileSystems = {
     "/" = {
-      device = "/dev/disk/by-label/nixos";
+      device = "/dev/mapper/cryptroot";
       fsType = "ext4";
     };
-    #"/" = {
-    #  device = "/dev/mapper/cryptroot";
-    #  fsType = "ext4";
-    #};
     "/boot" = {
       device = "/dev/disk/by-label/nixboot";
       fsType = "vfat";

hosts/lappy/lappy.nix

@@ -5,7 +5,7 @@
     ./hardware.nix
 
     users.root
-    users.chaoticryptidz
+    users.chaos
     profiles.tailscale
     profiles.dnscrypt
     profiles.printing
@@ -41,7 +41,7 @@
   ];
 
   home-manager.users.root = { imports = with tree; [ home.base ]; };
-  home-manager.users.chaoticryptidz = {
+  home-manager.users.chaos = {
     imports = with tree; [
       home.base
       home.dev.all
@@ -61,7 +61,6 @@
       home.apps.vivaldi
       home.apps.telegram
       home.apps.quassel
-      home.apps.chromium
 
       home.programming
       #home.programming.languages.go
@@ -70,7 +69,7 @@
   };
 
   services.getty.extraArgs =
-    [ "--skip-login" "--login-options" "chaoticryptidz" ];
+    [ "--skip-login" "--login-options" "chaos" ];
 
   networking.firewall.enable = true;
   # let vscode, vivaldi, etc work.

hosts/raspberry/raspberry.nix

@@ -3,7 +3,7 @@
 {
   imports = with tree; [
     users.root
-    users.chaoticryptidz
+    users.chaos
 
     profiles.base
     profiles.tailscale
@@ -21,7 +21,7 @@
   home-manager.users.root = {
     imports = with tree; [ home.base home.dev.small ];
   };
-  home-manager.users.chaoticryptidz = {
+  home-manager.users.chaos = {
     imports = with tree; [ home.base home.dev.small ];
   };
 

hosts/rescue/rescue.nix

@@ -3,7 +3,7 @@
 {
   imports = with tree; [
     users.root
-    users.chaoticryptidz
+    users.chaos
     profiles.base
     profiles.gui
     profiles.gui.environments.sway
@@ -16,7 +16,7 @@
   home-manager.users.root = {
     imports = with tree; [ home.base home.dev.all ];
   };
-  home-manager.users.chaoticryptidz = {
+  home-manager.users.chaos = {
     imports = with tree; [
       home.base
       home.gui

users/chaos.nix

@@ -1,5 +1,5 @@
 { config, ... }: {
-  users.users.chaoticryptidz = {
+  users.users.chaos = {
     uid = 1000;
     isNormalUser = true;
     extraGroups = [
@@ -13,7 +13,7 @@
       "uinput"
     ];
     openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL4L1eBZzYXZNGBucTn/eOFp48el9JPiYt9iXQDpBSg/ chaoticryptidz@owo.monster"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAeN3T1aZkTm5xS0b66cRDyKUbdEQCFyzVWXeW+eIbsa chaos@chaos"
     ];
   };
 }

users/root.nix

@@ -1,7 +1,7 @@
 { config, ... }: {
   users.users.root = {
     openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL4L1eBZzYXZNGBucTn/eOFp48el9JPiYt9iXQDpBSg/ chaoticryptidz@owo.monster"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAeN3T1aZkTm5xS0b66cRDyKUbdEQCFyzVWXeW+eIbsa chaos@chaos"
     ];
   };
 }