encrypted laptop root and better setup guide

ChaotiCryptidz 2022-01-29 21:44:38 +00:00
parent e4903a0de3
commit 56b4daa7fd
9 changed files with 83 additions and 88 deletions


@ -9,10 +9,11 @@ export DEVICE_UNENCRYPTED_ROOT=/dev/mapper/${DEVICE_UNENCRYPTED_ROOT_NAME}
export ENCRYPTION_KEY_PATH=mount/encryption-keys/lappy.key
parted /dev/${DEVICE_ROOT} -- mklabel gpt
parted /dev/${DEVICE_ROOT} -- mkpart primary 512MiB -8GiB
parted /dev/${DEVICE_ROOT} -- mkpart ESP fat32 1MiB 500MiB
parted /dev/${DEVICE_ROOT} -- set 3 esp on
parted /dev/${DEVICE_ROOT} -- mkpart ESP fat32 1MiB 512MiB
parted /dev/${DEVICE_ROOT} -- mkpart primary 620MiB -1MiB
parted /dev/${DEVICE_ROOT} -- set 1 esp on
parted /dev/${DEVICE_ROOT} -- name 1 nixboot
parted /dev/${DEVICE_ROOT} -- name 2 nixos_encrypted
mkfs.fat -n nixboot ${DEVICE_BOOT_PART}
cryptsetup luksFormat ${DEVICE_ENCRYPTED_ROOT_PART}
@ -20,28 +21,63 @@ cryptsetup luksAddKey ${DEVICE_ENCRYPTED_ROOT_PART} ${ENCRYPTION_KEY_PATH}
cryptsetup luksOpen ${DEVICE_ENCRYPTED_ROOT_PART} ${DEVICE_UNENCRYPTED_ROOT_NAME}
mkfs.ext4 -L nixos ${DEVICE_UNENCRYPTED_ROOT}
```
## SSH Key
## NetworkManager
Grab passwords from Vault
## Browser (vivaldi)
Open up browser and install the following extensions:
- - Stylus
- - Tampermonkey
- - uBlock Origin
### Settings
#### General
Home Page: Start Page
Startup With: Start Page
#### Appearance
Use Animation: NO!
User Interface Zoom: 145%
#### Themes
Theme: Private
#### Tabs
- Display Close Button: Permanantly
- Active Tab Minimum Width: 150px
- Tab Stacking: Disable
- Mute Tab Audio: Play only in active tab
#### Search
- Default search engine: Google
- Always search in new tab: ON
#### Privacy
- Phishing and Malware Protection: OFF
- DNS to help resolve navigation errors: OFF
- Form AutoFill Assist: OFF
- Ask websites not to track me: ON
- No Blocking
- Save Webpage Passwords: OFF
#### Downloads
- Save without asking: ON
#### Webpages
- Default Webpage Zoom: 145%
- Disable Use Tab Zoom
- Disable Use Ctrl+Scroll Zoom
- Plugins: Enable All
- Fonts: All to Comic Sans apart from Monospace which is Comic Code
- Reader: Colour Scheme: Dark
### Extensions
Install the following extensions:
- Stylus
- Tampermonkey
- uBlock Origin
Then install all userscripts and userstyles from [Here](https://gitlab.com/ChaotiCryptidz/userstyles-userscripts/-/tree/main)
## Telegram Desktop (kotatogram)
- Set interface size to 200%
- Recent stickers: show 30 stickers
- Sticker Height: 100px
- Recent stickers: show 40 stickers
- Sticker Height: 140px
- Upload Speed Boost: Slight
- Main Font & Semibold Font: Comic Sans
- Main Font & Semibold Font: Comic Sans MS
- Monospaced Font: Comic Code
- Confirm before calling: on
## Quassel Client
- Set theme to config dir's style.qss
### Interface
- Widget Style Fusion
- Set theme to config dir's style.qss
- Widget Style: Fusion
- Fallback Icon Theme: Fusion
- Show System Tray Icon
- Invert system tray icon brightness
### Chat View
- Chat Window Font: Comic Code 20pt
### Chat View Colours
@ -59,6 +95,8 @@ Other: #00dda6
```
### Input Widget
- Custom Font: Comic Code 18pt
### Topic Widget
- Custom Font: Comic Code 14pt
### Backlog Fetching
- Amount: 500
- Method: Fixed


@ -1,38 +0,0 @@
{ pkgs, lib, ... }:
let
getExtension = { id, url, sha256, version, updateUrl }: {
inherit id;
crxPath = builtins.fetchurl {
url = "${url}";
name = "${id}.crx";
inherit sha256;
};
inherit version;
inherit updateUrl;
};
createChromiumExtensionFor = browserVersion:
{ id, sha256, version }: {
inherit id;
crxPath = builtins.fetchurl {
url =
"https://clients2.google.com/service/update2/crx?response=redirect&acceptformat=crx2,crx3&prodversion=${browserVersion}&x=id%3D${id}%26installsource%3Dondemand%26uc";
name = "${id}.crx";
inherit sha256;
};
#updateUrl = "http://clients2.google.com/service/update2/crx?response=updatecheck&x=id%3D${id}%26uc";
updateUrl = "https://clients2.google.com/service/update2/crx";
inherit version;
};
createChromiumExtension =
createChromiumExtensionFor (lib.versions.major pkgs.vivaldi.version);
in {
programs.chromium = {
enable = true;
package = pkgs.vivaldi;
extensions = [
{ id = "cjpalhdlnbpafiamejdnhcphjbkeiagm"; }
{ id = "clngdbkpkpeebahjckkjfobafhncgmne"; }
{ id = "adicoenigffoolephelklheejpcpoolk"; }
];
};
}


@ -3,7 +3,7 @@
{
imports = with tree; [
users.root
users.chaoticryptidz
users.chaos
profiles.base
profiles.tailscale
@ -24,7 +24,7 @@
home-manager.users.root = {
imports = with tree; [ home.base home.dev.small ];
};
home-manager.users.chaoticryptidz = {
home-manager.users.chaos = {
imports = with tree; [ home.base home.dev.small ];
};


@ -1,7 +1,7 @@
{ ... }:
{ pkgs, ... }:
let
usb_label = "my_usb";
encrypted_root_uuid = "";
encrypted_root_partlabel = "nixos_encrypted";
unencrypted_root_uuid = "";
in {
boot = {
@ -26,33 +26,29 @@ in {
"cryptd"
];
kernelModules = [ "kvm-intel" ];
initrd.postDeviceCommands = pkgs.lib.mkBefore ''
mkdir -m 0755 -p /key
sleep 3
mount -n -t vfat -o ro `findfs LABEL=${usb_label}` /key
'';
initrd.luks.devices."cryptroot".device =
"/dev/disk/by-partlabel/${encrypted_root_partlabel}";
initrd.luks.devices."cryptroot" = {
keyFile = "/key/encryption-keys/lappy.key";
preLVM = false;
allowDiscards = true;
};
};
# TODO: encrypted storage
#initrd.postDeviceCommands = pkgs.lib.mkBefore ''
# mkdir -m 0755 -p /key
# sleep 3
# mount -n -t vfat -o ro `findfs LABEL=${usb_label}` /key
#'';
#boot.initrd.luks.devices."cryptroot".device =
# "/dev/disk/by-uuid/${encrypted_root_uuid}";
#initrd.luks.devices."cryptroot" = {
# keyFile = "/key/encryption-keys/lappy.key";
# preLVM = false;
# allowDiscards = true;
#};
fileSystems = {
"/" = {
device = "/dev/disk/by-label/nixos";
device = "/dev/mapper/cryptroot";
fsType = "ext4";
};
#"/" = {
# device = "/dev/mapper/cryptroot";
# fsType = "ext4";
#};
"/boot" = {
device = "/dev/disk/by-label/nixboot";
fsType = "vfat";
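Review bot: The fixed `sleep 3` before `findfs LABEL=${usb_label}` in the new initrd.postDeviceCommands is a race, and the command substitution is unquoted, so when the USB stick has not enumerated yet findfs prints nothing and `mount` runs with an empty device argument, failing the whole pre-LVM hook rather than reporting a missing key. A bounded retry loop with a quoted device path makes the failure explicit and gives slow USB controllers time to settle. The now-unused `encrypted_root_uuid` and `unencrypted_root_uuid` bindings in the first hunk can be dropped since the device is located by partlabel. Whether a missing `/key/encryption-keys/lappy.key` falls back to the passphrase prompt presumably depends on the luks device's `fallbackToPassword` setting; worth confirming and documenting with a comment such as `# key USB absent -> passphrase prompt (fallbackToPassword)` next to `keyFile`. Note also that any medium carrying the label `my_usb` will be mounted and probed, so the root key's secrecy rests entirely on physical control of that stick.
```nix
    initrd.postDeviceCommands = pkgs.lib.mkBefore ''
      mkdir -m 0755 -p /key
      # wait (bounded) for the key USB instead of a fixed sleep
      keydev=""
      tries=0
      while [ -z "$keydev" ] && [ "$tries" -lt 10 ]; do
        keydev="$(findfs LABEL=${usb_label} 2>/dev/null)"
        tries=$((tries + 1))
        [ -z "$keydev" ] && sleep 1
      done
      if [ -n "$keydev" ]; then
        mount -n -t vfat -o ro "$keydev" /key
      else
        echo "key USB (LABEL=${usb_label}) not found; falling back to passphrase"
      fi
    '';
    # … unchanged: initrd.luks.devices."cryptroot" …
```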


@ -5,7 +5,7 @@
./hardware.nix
users.root
users.chaoticryptidz
users.chaos
profiles.tailscale
profiles.dnscrypt
profiles.printing
@ -41,7 +41,7 @@
];
home-manager.users.root = { imports = with tree; [ home.base ]; };
home-manager.users.chaoticryptidz = {
home-manager.users.chaos = {
imports = with tree; [
home.base
home.dev.all
@ -61,7 +61,6 @@
home.apps.vivaldi
home.apps.telegram
home.apps.quassel
home.apps.chromium
home.programming
#home.programming.languages.go
@ -70,7 +69,7 @@
};
services.getty.extraArgs =
[ "--skip-login" "--login-options" "chaoticryptidz" ];
[ "--skip-login" "--login-options" "chaos" ];
networking.firewall.enable = true;
# let vscode, vivaldi, etc work.


@ -3,7 +3,7 @@
{
imports = with tree; [
users.root
users.chaoticryptidz
users.chaos
profiles.base
profiles.tailscale
@ -21,7 +21,7 @@
home-manager.users.root = {
imports = with tree; [ home.base home.dev.small ];
};
home-manager.users.chaoticryptidz = {
home-manager.users.chaos = {
imports = with tree; [ home.base home.dev.small ];
};


@ -3,7 +3,7 @@
{
imports = with tree; [
users.root
users.chaoticryptidz
users.chaos
profiles.base
profiles.gui
profiles.gui.environments.sway
@ -16,7 +16,7 @@
home-manager.users.root = {
imports = with tree; [ home.base home.dev.all ];
};
home-manager.users.chaoticryptidz = {
home-manager.users.chaos = {
imports = with tree; [
home.base
home.gui


@ -1,5 +1,5 @@
{ config, ... }: {
users.users.chaoticryptidz = {
users.users.chaos = {
uid = 1000;
isNormalUser = true;
extraGroups = [
@ -13,7 +13,7 @@
"uinput"
];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL4L1eBZzYXZNGBucTn/eOFp48el9JPiYt9iXQDpBSg/ chaoticryptidz@owo.monster"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAeN3T1aZkTm5xS0b66cRDyKUbdEQCFyzVWXeW+eIbsa chaos@chaos"
];
};
}


@ -1,7 +1,7 @@
{ config, ... }: {
users.users.root = {
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL4L1eBZzYXZNGBucTn/eOFp48el9JPiYt9iXQDpBSg/ chaoticryptidz@owo.monster"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAeN3T1aZkTm5xS0b66cRDyKUbdEQCFyzVWXeW+eIbsa chaos@chaos"
];
};
}
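Review bot: The root account now authorizes the exact same ed25519 key (`chaos@chaos`) that the `chaos` user file in this commit authorizes, so compromise of that one private key yields root over SSH directly with no second step. If root SSH is genuinely needed, a separate key for root, or confining root to key-only login via the openssh `permitRootLogin` option (it appears to be the default on NixOS but is not visible in this commit), would limit the blast radius. A one-line comment such as `# same key as users.users.chaos; rotate both together` above the key would at least make the coupling explicit.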