chaos/nixfiles
1
0
Fork 0
Code Issues 2 Releases Activity

add dual boot encrypted drive option

Browse source
This commit is contained in:
chaos 2023-08-28 18:50:25 +01:00
parent f7f91e938d
commit 7e4f414ea6
No known key found for this signature in database
11 changed files with 878 additions and 705 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
data/dual_drive_data.nix Normal file
View file

@ -0,0 +1 @@
{}: (import ./normal_drive_data.nix {})

35
extras/mk-dual-enc-ssd.nix Normal file
View file

@ -0,0 +1,35 @@
{
stdenv,
bash,
parted,
cryptsetup,
e2fsprogs,
dosfstools,
}: let
ssd_data = import ../data/dual_drive_data.nix {};
in
stdenv.mkDerivation {
name = "mk-dual-enc-ssd";
src = ./mk-dual-enc-ssd.sh;
unpackPhase = ''
for srcFile in $src; do
cp $srcFile $(stripHash $srcFile)
done
'';
inherit bash parted cryptsetup e2fsprogs dosfstools;
patchPhase = ''
substituteAllInPlace mk-dual-enc-ssd.sh
substituteInPlace mk-dual-enc-ssd.sh \
--replace "@SSD_ENCRYPTED_PARTLABEL@" "${ssd_data.encrypted_root_partlabel}" \
--replace "@SSD_UNENCRYPTED_LABEL@" "${ssd_data.unencrypted_root_label}" \
--replace "@SSD_BOOT_LABEL@" "${ssd_data.boot_label}"
'';
installPhase = ''
mkdir -p $out/bin
cp mk-dual-enc-ssd.sh $out/bin/mk-dual-enc-ssd
chmod +x $out/bin/mk-dual-enc-ssd
'';
}

63
extras/mk-dual-enc-ssd.sh Normal file
View file

@ -0,0 +1,63 @@
#! @bash@/bin/sh
set -e
# e.g /dev/nvme0n1
SSD_PATH=$1
KEY_FILE=$2
NIXOS_SIZE=$3
if echo "$SSD_PATH" | grep -q "[0-9]$"; then
PARTITION_SEPARATOR="p"
else
PARTITION_SEPARATOR=""
fi
if [ -z "$SSD_PATH" ]; then
echo "Please specify a path to device as first argument"
exit 1
fi
if [ -z "$KEY_FILE" ]; then
echo "Please specify a key file to use"
exit 1
fi
if [ -z "$NIXOS_SIZE" ]; then
echo "Please specify how big to make the NixOS partition"
exit 1
fi
if [ "$EUID" -ne 0 ]; then
echo "Please run as root"
exit
fi
# encrypted partition label
SSD_ENCRYPTED_PARTLABEL=@SSD_ENCRYPTED_PARTLABEL@
# unencrypted filesystem label
SSD_UNENCRYPTED_LABEL=@SSD_UNENCRYPTED_LABEL@
# ssd boot label
SSD_BOOT_LABEL=@SSD_BOOT_LABEL@
echo "Creating Partitions..."
@parted@/bin/parted ${SSD_PATH} -- mklabel gpt
@parted@/bin/parted ${SSD_PATH} -- mkpart ESP fat32 1MiB 1024MiB
@parted@/bin/parted ${SSD_PATH} -- mkpart primary 1072MiB "${NIXOS_SIZE}"
@parted@/bin/parted ${SSD_PATH} -- set 1 esp on
@parted@/bin/parted ${SSD_PATH} -- name 1 "${SSD_BOOT_LABEL}"
@parted@/bin/parted ${SSD_PATH} -- name 2 "${SSD_ENCRYPTED_PARTLABEL}"
echo "Formatting boot partition"
@dosfstools@/bin/mkfs.fat -n "${SSD_BOOT_LABEL}" "${SSD_PATH}${PARTITION_SEPARATOR}1"
echo "Creating Encrypted Partition"
@cryptsetup@/bin/cryptsetup luksFormat "${SSD_PATH}${PARTITION_SEPARATOR}2" --key-file "${KEY_FILE}"
echo "Opening Encrypted Partition"
@cryptsetup@/bin/cryptsetup open "${SSD_PATH}${PARTITION_SEPARATOR}2" "mk_dual_enc_ssd" --key-file "${KEY_FILE}"
echo "Formatting Encrypted Root Filesystem"
@e2fsprogs@/bin/mkfs.ext4 -L "${SSD_UNENCRYPTED_LABEL}" /dev/mapper/mk_dual_enc_ssd
echo "mount /dev/mapper/mk_dual_enc_ssd to install"

1
home/dev/all/extra.nix
View file

@ -11,5 +11,6 @@
mk-enc-usb
mk-normal-enc-ssd
mk-dual-enc-ssd
];
}

30
hosts/hetzner-vm/containers/storage/profiles/secrets.nix
View file

@ -155,36 +155,6 @@
rm -rf "$TMP_DIR"
'';
};
wg_privkey = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/storage" .private > $secretFile
'';
};
wg_preshared_hetzner-vm = {
path = "/secrets/wg_preshared_hetzner-vm";
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/storage" .preshared_keys.hetzner_vm > $secretFile
'';
};
wg_preshared_tablet = {
path = "/secrets/wg_preshared_tablet";
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/storage" .preshared_keys.tablet > $secretFile
'';
};
wg_preshared_vault = {
path = "/secrets/wg_preshared_vault";
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/storage" .preshared_keys.vault > $secretFile
'';
};
wg_preshared_iphone8 = {
path = "/secrets/wg_preshared_iphone8";
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/storage" .preshared_keys.iphone8 > $secretFile
'';
};
};
};
}

2
hosts/lappy-t495/hardware.nix
View file

@ -22,5 +22,5 @@
RUNTIME_PM_BLACKLIST = "05:00.3 05:00.4";
};
imports = with tree; [presets.nixos.normal-encrypted-drive];
imports = with tree; [presets.nixos.dual-encrypted-drive];
}

44
hosts/nixos-live/nixos-live.nix
View file

@ -2,24 +2,50 @@
config,
tree,
modulesPath,
pkgs,
lib,
...
}: {
imports = [
# (modulesPath + "/profiles/qemu-guest.nix")
(modulesPath + "/installer/cd-dvd/installation-cd-minimal.nix")
imports = with tree; [
(modulesPath + "/installer/cd-dvd/installation-cd-graphical-gnome.nix")
(modulesPath + "/installer/cd-dvd/channel.nix")
tree.users.root
tree.profiles.base
tree.profiles.sshd
users.root
profiles.base
profiles.sshd
profiles.kernels.latest
profiles.connectivity.ios
profiles.connectivity.network_manager
];
config.isoImage = {
# disable zfs
nixpkgs.overlays = [
(final: super: {
zfs = super.zfs.overrideAttrs (_: {
meta.platforms = [];
});
})
];
networking.wireless.enable = lib.mkForce false;
nixpkgs.config.allowBroken = true;
home-manager.users.root = {
imports = with tree; [home.base home.dev];
home.stateVersion = "23.05";
};
home-manager.users.nixos = {
imports = with tree; [home.base home.dev];
home.stateVersion = "23.05";
};
isoImage = {
isoBaseName = "nixos-chaos";
compressImage = false;
squashfsCompression = "zstd -Xcompression-level 1";
};
config.services.openssh.permitRootLogin = lib.mkForce "yes";
services.openssh.settings.PermitRootLogin = lib.mkForce "yes";
}

6
outputs.nix
View file

@ -48,12 +48,16 @@ in
type = "app";
program = "${packages.mk-normal-enc-ssd}/bin/mk-normal-enc-ssd";
};
mk-dual-enc-ssd = {
type = "app";
program = "${packages.mk-dual-enc-ssd}/bin/mk-dual-enc-ssd";
};
};
packages = {
inherit (pkgs) comic-code comic-sans;
inherit (pkgs) piped-frontend piped-backend piped-proxy;
inherit (pkgs) mk-enc-usb mk-normal-enc-ssd;
inherit (pkgs) mk-enc-usb mk-normal-enc-ssd mk-dual-enc-ssd;
inherit (pkgs) gotosocial;
};
}))

3
overlay/default.nix
View file

@ -9,8 +9,11 @@ final: prev: {
};
piped-frontend = final.callPackage ./piped/frontend {};
piped-proxy = final.callPackage ./piped/proxy {};
mk-enc-usb = final.callPackage ../extras/mk-enc-usb.nix {};
mk-normal-enc-ssd = final.callPackage ../extras/mk-normal-enc-ssd.nix {};
mk-dual-enc-ssd = final.callPackage ../extras/mk-dual-enc-ssd.nix {};
gotosocial = prev.gotosocial.overrideAttrs (old: let
owner = "superseriousbusiness";
repo = "gotosocial";

1334
overlay/piped/frontend/yarn.nix
View file

File diff suppressed because it is too large Load diff

64
presets/nixos/dual-encrypted-drive.nix Normal file
View file

@ -0,0 +1,64 @@
{
config,
pkgs,
...
}: let
usb_data = import ../../data/usb_data.nix {};
drive_data = import ../../data/dual_drive_data.nix {};
in {
config.boot = {
initrd.availableKernelModules = [
# For USB w/ Encryption Key
"usb_storage"
"usbcore"
"uas"
"sd_mod"
# For USB Keyboards
"usbhid"
# For Cryptography
"aesni_intel"
"cryptd"
];
initrd.postDeviceCommands = pkgs.lib.mkBefore ''
mkdir -m 0755 -p /keys
mkdir -m 0755 -p ${usb_data.mountpoint}
while !(test -b ${usb_data.encrypted_path})
do
echo "Please Plug In USB"
sleep 1
done
echo "Please Decrypt USB"
cryptsetup luksOpen ${usb_data.encrypted_path} ${usb_data.mapper_name}
mount -n -t ${usb_data.unencrypted_fs_type} -o ro ${usb_data.mapper_path} ${usb_data.mountpoint}
cp ${usb_data.encryption_keys_path}/${config.networking.hostName}.key /keys
umount -f ${usb_data.mountpoint}
cryptsetup close ${usb_data.mapper_name}
'';
initrd.luks.devices = {
"${drive_data.root_mapper_name}" = {
device = "${drive_data.encrypted_root_path}";
keyFile = "/keys/${config.networking.hostName}.key";
preLVM = false;
allowDiscards = true;
};
};
};
config.fileSystems = {
"/" = {
device = "${drive_data.decrypted_root_path}";
fsType = "${drive_data.unencrypted_root_fs_type}";
};
"/boot" = {
device = "${drive_data.boot_path}";
fsType = "${drive_data.boot_fs_type}";
};
};
}