add dual boot encrypted drive option
This commit is contained in:
parent
f7f91e938d
commit
7e4f414ea6
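--- a/data/dual_drive_data.nix
+++ b/data/dual_drive_data.nix
@@ -0,0 +1 @@
+{}: (import ./normal_drive_data.nix {})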
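--- a/extras/mk-dual-enc-ssd.nix
+++ b/extras/mk-dual-enc-ssd.nix
@@ -0,0 +1,35 @@
+{
+stdenv,
+bash,
+parted,
+cryptsetup,
+e2fsprogs,
+dosfstools,
+}: let
+ssd_data = import ../data/dual_drive_data.nix {};
+in
+stdenv.mkDerivation {
+name = "mk-dual-enc-ssd";
+src = ./mk-dual-enc-ssd.sh;
+unpackPhase = ''
+for srcFile in $src; do
+cp $srcFile $(stripHash $srcFile)
+done
+'';
+
+inherit bash parted cryptsetup e2fsprogs dosfstools;
+
+patchPhase = ''
+substituteAllInPlace mk-dual-enc-ssd.sh
+substituteInPlace mk-dual-enc-ssd.sh \
+--replace "@SSD_ENCRYPTED_PARTLABEL@" "${ssd_data.encrypted_root_partlabel}" \
+--replace "@SSD_UNENCRYPTED_LABEL@" "${ssd_data.unencrypted_root_label}" \
+--replace "@SSD_BOOT_LABEL@" "${ssd_data.boot_label}"
+'';
+
+installPhase = ''
+mkdir -p $out/bin
+cp mk-dual-enc-ssd.sh $out/bin/mk-dual-enc-ssd
+chmod +x $out/bin/mk-dual-enc-ssd
+'';
+}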
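Review bot: The three `--replace` calls in patchPhase succeed silently when a placeholder is not found, so a typo in a placeholder name or in the `ssd_data` attribute would ship a script whose partition labels are the literal `@SSD_..._LABEL@` text. If the pinned nixpkgs provides `--replace-fail`, use it there; otherwise add a guard at the end of patchPhase, `if grep -q '@[A-Za-z_]*@' mk-dual-enc-ssd.sh; then echo "unsubstituted placeholder left in script"; exit 1; fi`. Since `substituteAllInPlace` has already replaced the `@bash@`/`@parted@`-style tool paths from the inherited attributes by that point, anything the guard finds is a genuine miss.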
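--- a/extras/mk-dual-enc-ssd.sh
+++ b/extras/mk-dual-enc-ssd.sh
@@ -0,0 +1,63 @@
+#! @bash@/bin/sh
+
+set -e
+
+# e.g /dev/nvme0n1
+SSD_PATH=$1
+KEY_FILE=$2
+NIXOS_SIZE=$3
+
+if echo "$SSD_PATH" | grep -q "[0-9]$"; then
+PARTITION_SEPARATOR="p"
+else
+PARTITION_SEPARATOR=""
+fi
+
+if [ -z "$SSD_PATH" ]; then
+echo "Please specify a path to device as first argument"
+exit 1
+fi
+
+if [ -z "$KEY_FILE" ]; then
+echo "Please specify a key file to use"
+exit 1
+fi
+
+if [ -z "$NIXOS_SIZE" ]; then
+echo "Please specify how big to make the NixOS partition"
+exit 1
+fi
+
+if [ "$EUID" -ne 0 ]; then
+echo "Please run as root"
+exit
+fi
+
+# encrypted partition label
+SSD_ENCRYPTED_PARTLABEL=@SSD_ENCRYPTED_PARTLABEL@
+# unencrypted filesystem label
+SSD_UNENCRYPTED_LABEL=@SSD_UNENCRYPTED_LABEL@
+# ssd boot label
+SSD_BOOT_LABEL=@SSD_BOOT_LABEL@
+
+echo "Creating Partitions..."
+@parted@/bin/parted ${SSD_PATH} -- mklabel gpt
+@parted@/bin/parted ${SSD_PATH} -- mkpart ESP fat32 1MiB 1024MiB
+@parted@/bin/parted ${SSD_PATH} -- mkpart primary 1072MiB "${NIXOS_SIZE}"
+@parted@/bin/parted ${SSD_PATH} -- set 1 esp on
+@parted@/bin/parted ${SSD_PATH} -- name 1 "${SSD_BOOT_LABEL}"
+@parted@/bin/parted ${SSD_PATH} -- name 2 "${SSD_ENCRYPTED_PARTLABEL}"
+
+echo "Formatting boot partition"
+@dosfstools@/bin/mkfs.fat -n "${SSD_BOOT_LABEL}" "${SSD_PATH}${PARTITION_SEPARATOR}1"
+
+echo "Creating Encrypted Partition"
+@cryptsetup@/bin/cryptsetup luksFormat "${SSD_PATH}${PARTITION_SEPARATOR}2" --key-file "${KEY_FILE}"
+
+echo "Opening Encrypted Partition"
+@cryptsetup@/bin/cryptsetup open "${SSD_PATH}${PARTITION_SEPARATOR}2" "mk_dual_enc_ssd" --key-file "${KEY_FILE}"
+
+echo "Formatting Encrypted Root Filesystem"
+@e2fsprogs@/bin/mkfs.ext4 -L "${SSD_UNENCRYPTED_LABEL}" /dev/mapper/mk_dual_enc_ssd
+
+echo "mount /dev/mapper/mk_dual_enc_ssd to install"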
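Review bot: The destructive `parted ${SSD_PATH} -- mklabel gpt` runs before anything has checked that `$SSD_PATH` is a block device or that `$KEY_FILE` is readable, so a typo in either argument wipes the partition table and then aborts at `cryptsetup luksFormat` under `set -e`. Add the checks ahead of "Creating Partitions...", e.g. `[ -b "$SSD_PATH" ] || { echo "$SSD_PATH is not a block device"; exit 1; }` and `[ -r "$KEY_FILE" ] || { echo "Cannot read key file $KEY_FILE"; exit 1; }`. The root check exits with a bare `exit`, i.e. status 0, unlike the other guards; make it `exit 1` so a caller can tell the script did nothing. Every other tool is pinned through an `@pkg@` store path, but `grep` in the partition-separator test is resolved from the caller's PATH, and the derivation declares no dependency for it.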
|
@ -11,5 +11,6 @@
|
|||
|
||||
mk-enc-usb
|
||||
mk-normal-enc-ssd
|
||||
mk-dual-enc-ssd
|
||||
];
|
||||
}
|
||||
|
|
|
@ -155,36 +155,6 @@
|
|||
rm -rf "$TMP_DIR"
|
||||
'';
|
||||
};
|
||||
|
||||
wg_privkey = {
|
||||
fetchScript = ''
|
||||
simple_get "/private-public-keys/wireguard/chaos-internal/storage" .private > $secretFile
|
||||
'';
|
||||
};
|
||||
wg_preshared_hetzner-vm = {
|
||||
path = "/secrets/wg_preshared_hetzner-vm";
|
||||
fetchScript = ''
|
||||
simple_get "/private-public-keys/wireguard/chaos-internal/storage" .preshared_keys.hetzner_vm > $secretFile
|
||||
'';
|
||||
};
|
||||
wg_preshared_tablet = {
|
||||
path = "/secrets/wg_preshared_tablet";
|
||||
fetchScript = ''
|
||||
simple_get "/private-public-keys/wireguard/chaos-internal/storage" .preshared_keys.tablet > $secretFile
|
||||
'';
|
||||
};
|
||||
wg_preshared_vault = {
|
||||
path = "/secrets/wg_preshared_vault";
|
||||
fetchScript = ''
|
||||
simple_get "/private-public-keys/wireguard/chaos-internal/storage" .preshared_keys.vault > $secretFile
|
||||
'';
|
||||
};
|
||||
wg_preshared_iphone8 = {
|
||||
path = "/secrets/wg_preshared_iphone8";
|
||||
fetchScript = ''
|
||||
simple_get "/private-public-keys/wireguard/chaos-internal/storage" .preshared_keys.iphone8 > $secretFile
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -22,5 +22,5 @@
|
|||
RUNTIME_PM_BLACKLIST = "05:00.3 05:00.4";
|
||||
};
|
||||
|
||||
imports = with tree; [presets.nixos.normal-encrypted-drive];
|
||||
imports = with tree; [presets.nixos.dual-encrypted-drive];
|
||||
}
|
||||
|
|
|
@ -2,24 +2,50 @@
|
|||
config,
|
||||
tree,
|
||||
modulesPath,
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
}: {
|
||||
imports = [
|
||||
# (modulesPath + "/profiles/qemu-guest.nix")
|
||||
|
||||
(modulesPath + "/installer/cd-dvd/installation-cd-minimal.nix")
|
||||
imports = with tree; [
|
||||
(modulesPath + "/installer/cd-dvd/installation-cd-graphical-gnome.nix")
|
||||
(modulesPath + "/installer/cd-dvd/channel.nix")
|
||||
|
||||
tree.users.root
|
||||
tree.profiles.base
|
||||
tree.profiles.sshd
|
||||
users.root
|
||||
profiles.base
|
||||
profiles.sshd
|
||||
profiles.kernels.latest
|
||||
profiles.connectivity.ios
|
||||
profiles.connectivity.network_manager
|
||||
];
|
||||
config.isoImage = {
|
||||
|
||||
# disable zfs
|
||||
nixpkgs.overlays = [
|
||||
(final: super: {
|
||||
zfs = super.zfs.overrideAttrs (_: {
|
||||
meta.platforms = [];
|
||||
});
|
||||
})
|
||||
];
|
||||
|
||||
networking.wireless.enable = lib.mkForce false;
|
||||
|
||||
nixpkgs.config.allowBroken = true;
|
||||
|
||||
home-manager.users.root = {
|
||||
imports = with tree; [home.base home.dev];
|
||||
home.stateVersion = "23.05";
|
||||
};
|
||||
|
||||
home-manager.users.nixos = {
|
||||
imports = with tree; [home.base home.dev];
|
||||
home.stateVersion = "23.05";
|
||||
};
|
||||
|
||||
isoImage = {
|
||||
isoBaseName = "nixos-chaos";
|
||||
compressImage = false;
|
||||
squashfsCompression = "zstd -Xcompression-level 1";
|
||||
};
|
||||
|
||||
config.services.openssh.permitRootLogin = lib.mkForce "yes";
|
||||
services.openssh.settings.PermitRootLogin = lib.mkForce "yes";
|
||||
}
|
||||
|
|
|
@ -48,12 +48,16 @@ in
|
|||
type = "app";
|
||||
program = "${packages.mk-normal-enc-ssd}/bin/mk-normal-enc-ssd";
|
||||
};
|
||||
mk-dual-enc-ssd = {
|
||||
type = "app";
|
||||
program = "${packages.mk-dual-enc-ssd}/bin/mk-dual-enc-ssd";
|
||||
};
|
||||
};
|
||||
|
||||
packages = {
|
||||
inherit (pkgs) comic-code comic-sans;
|
||||
inherit (pkgs) piped-frontend piped-backend piped-proxy;
|
||||
inherit (pkgs) mk-enc-usb mk-normal-enc-ssd;
|
||||
inherit (pkgs) mk-enc-usb mk-normal-enc-ssd mk-dual-enc-ssd;
|
||||
inherit (pkgs) gotosocial;
|
||||
};
|
||||
}))
|
||||
|
|
|
@ -9,8 +9,11 @@ final: prev: {
|
|||
};
|
||||
piped-frontend = final.callPackage ./piped/frontend {};
|
||||
piped-proxy = final.callPackage ./piped/proxy {};
|
||||
|
||||
mk-enc-usb = final.callPackage ../extras/mk-enc-usb.nix {};
|
||||
mk-normal-enc-ssd = final.callPackage ../extras/mk-normal-enc-ssd.nix {};
|
||||
mk-dual-enc-ssd = final.callPackage ../extras/mk-dual-enc-ssd.nix {};
|
||||
|
||||
gotosocial = prev.gotosocial.overrideAttrs (old: let
|
||||
owner = "superseriousbusiness";
|
||||
repo = "gotosocial";
|
||||
|
|
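--- a/presets/nixos/dual-encrypted-drive.nix
+++ b/presets/nixos/dual-encrypted-drive.nix
@@ -0,0 +1,64 @@
+{
+config,
+pkgs,
+...
+}: let
+usb_data = import ../../data/usb_data.nix {};
+drive_data = import ../../data/dual_drive_data.nix {};
+in {
+config.boot = {
+initrd.availableKernelModules = [
+# For USB w/ Encryption Key
+"usb_storage"
+"usbcore"
+"uas"
+"sd_mod"
+# For USB Keyboards
+"usbhid"
+# For Cryptography
+"aesni_intel"
+"cryptd"
+];
+initrd.postDeviceCommands = pkgs.lib.mkBefore ''
+mkdir -m 0755 -p /keys
+mkdir -m 0755 -p ${usb_data.mountpoint}
+
+while !(test -b ${usb_data.encrypted_path})
+do
+echo "Please Plug In USB"
+sleep 1
+done
+
+echo "Please Decrypt USB"
+
+cryptsetup luksOpen ${usb_data.encrypted_path} ${usb_data.mapper_name}
+
+mount -n -t ${usb_data.unencrypted_fs_type} -o ro ${usb_data.mapper_path} ${usb_data.mountpoint}
+
+cp ${usb_data.encryption_keys_path}/${config.networking.hostName}.key /keys
+
+umount -f ${usb_data.mountpoint}
+
+cryptsetup close ${usb_data.mapper_name}
+'';
+
+initrd.luks.devices = {
+"${drive_data.root_mapper_name}" = {
+device = "${drive_data.encrypted_root_path}";
+keyFile = "/keys/${config.networking.hostName}.key";
+preLVM = false;
+allowDiscards = true;
+};
+};
+};
+config.fileSystems = {
+"/" = {
+device = "${drive_data.decrypted_root_path}";
+fsType = "${drive_data.unencrypted_root_fs_type}";
+};
+"/boot" = {
+device = "${drive_data.boot_path}";
+fsType = "${drive_data.boot_fs_type}";
+};
+};
+}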
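Review bot: `mkdir -m 0755 -p /keys` in initrd.postDeviceCommands creates the directory that holds the copied root LUKS key with world-readable permissions; the only consumer visible here is the `keyFile = "/keys/..."` entry in initrd.luks.devices, so `mkdir -m 0700 -p /keys` is the least-privilege choice. The `cp` from the USB mountpoint has no failure handling, so a missing per-host key file is only noticed when the root device fails to unlock; a check such as `test -f /keys/${config.networking.hostName}.key || echo "key for ${config.networking.hostName} not found on USB"` right after the copy would name the problem. `allowDiscards = true` is a deliberate trade-off that deserves a comment, e.g. `# TRIM passes through dm-crypt and reveals which blocks are unused; accepted for SSD wear`.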