add dual boot encrypted drive option

2023-08-28 18:50:25 +01:00 · 2023-08-28 18:50:25 +01:00 · 7e4f414ea6
parent f7f91e938d
commit 7e4f414ea6
11 changed files with 878 additions and 705 deletions
--- a/data/dual_drive_data.nix
+++ b/data/dual_drive_data.nix
@ -0,0 +1 @@
 {}: (import ./normal_drive_data.nix {})
--- a/extras/mk-dual-enc-ssd.nix
+++ b/extras/mk-dual-enc-ssd.nix
@ -0,0 +1,35 @@
 {
  stdenv,
  bash,
  parted,
  cryptsetup,
  e2fsprogs,
  dosfstools,
 }: let
  ssd_data = import ../data/dual_drive_data.nix {};
 in
  stdenv.mkDerivation {
    name = "mk-dual-enc-ssd";
    src = ./mk-dual-enc-ssd.sh;
    unpackPhase = ''
      for srcFile in $src; do
        cp $srcFile $(stripHash $srcFile)
      done
    '';
    inherit bash parted cryptsetup e2fsprogs dosfstools;
    patchPhase = ''
      substituteAllInPlace mk-dual-enc-ssd.sh
      substituteInPlace mk-dual-enc-ssd.sh \
        --replace "@SSD_ENCRYPTED_PARTLABEL@" "${ssd_data.encrypted_root_partlabel}" \
        --replace "@SSD_UNENCRYPTED_LABEL@" "${ssd_data.unencrypted_root_label}" \
        --replace "@SSD_BOOT_LABEL@" "${ssd_data.boot_label}"
    '';
    installPhase = ''
      mkdir -p $out/bin
      cp mk-dual-enc-ssd.sh $out/bin/mk-dual-enc-ssd
      chmod +x $out/bin/mk-dual-enc-ssd
    '';
  }
--- a/extras/mk-dual-enc-ssd.sh
+++ b/extras/mk-dual-enc-ssd.sh
@ -0,0 +1,63 @@
 #! @bash@/bin/sh
 set -e
 # e.g /dev/nvme0n1
 SSD_PATH=$1
 KEY_FILE=$2
 NIXOS_SIZE=$3
 if echo "$SSD_PATH" | grep -q "[0-9]$"; then
    PARTITION_SEPARATOR="p"
 else
    PARTITION_SEPARATOR=""
 fi
 if [ -z "$SSD_PATH" ]; then
  echo "Please specify a path to device as first argument"
  exit 1
 fi
 if [ -z "$KEY_FILE" ]; then
  echo "Please specify a key file to use"
  exit 1
 fi
 if [ -z "$NIXOS_SIZE" ]; then
  echo "Please specify how big to make the NixOS partition"
  exit 1
 fi
 if [ "$EUID" -ne 0 ]; then
  echo "Please run as root"
  exit
 fi
 # encrypted partition label
 SSD_ENCRYPTED_PARTLABEL=@SSD_ENCRYPTED_PARTLABEL@
 # unencrypted filesystem label
 SSD_UNENCRYPTED_LABEL=@SSD_UNENCRYPTED_LABEL@
 # ssd boot label
 SSD_BOOT_LABEL=@SSD_BOOT_LABEL@
 echo "Creating Partitions..."
@parted@/bin/parted ${SSD_PATH} -- mklabel gpt
@parted@/bin/parted ${SSD_PATH} -- mkpart ESP fat32 1MiB 1024MiB
@parted@/bin/parted ${SSD_PATH} -- mkpart primary 1072MiB "${NIXOS_SIZE}"
@parted@/bin/parted ${SSD_PATH} -- set 1 esp on
@parted@/bin/parted ${SSD_PATH} -- name 1 "${SSD_BOOT_LABEL}"
@parted@/bin/parted ${SSD_PATH} -- name 2 "${SSD_ENCRYPTED_PARTLABEL}"
 echo "Formatting boot partition"
@dosfstools@/bin/mkfs.fat -n "${SSD_BOOT_LABEL}" "${SSD_PATH}${PARTITION_SEPARATOR}1"
 echo "Creating Encrypted Partition"
@cryptsetup@/bin/cryptsetup luksFormat "${SSD_PATH}${PARTITION_SEPARATOR}2" --key-file "${KEY_FILE}"
 echo "Opening Encrypted Partition"
@cryptsetup@/bin/cryptsetup open "${SSD_PATH}${PARTITION_SEPARATOR}2" "mk_dual_enc_ssd" --key-file "${KEY_FILE}"
 echo "Formatting Encrypted Root Filesystem"
@e2fsprogs@/bin/mkfs.ext4 -L "${SSD_UNENCRYPTED_LABEL}" /dev/mapper/mk_dual_enc_ssd
 echo "mount /dev/mapper/mk_dual_enc_ssd to install"
--- a/home/dev/all/extra.nix
+++ b/home/dev/all/extra.nix
@ -11,5 +11,6 @@
    mk-enc-usb
    mk-normal-enc-ssd
    mk-dual-enc-ssd
  ];
 }
--- a/hosts/hetzner-vm/containers/storage/profiles/secrets.nix
+++ b/hosts/hetzner-vm/containers/storage/profiles/secrets.nix
@ -155,36 +155,6 @@
          rm -rf "$TMP_DIR"
        '';
      };
      wg_privkey = {
        fetchScript = ''
          simple_get "/private-public-keys/wireguard/chaos-internal/storage" .private > $secretFile
        '';
      };
      wg_preshared_hetzner-vm = {
        path = "/secrets/wg_preshared_hetzner-vm";
        fetchScript = ''
          simple_get "/private-public-keys/wireguard/chaos-internal/storage" .preshared_keys.hetzner_vm > $secretFile
        '';
      };
      wg_preshared_tablet = {
        path = "/secrets/wg_preshared_tablet";
        fetchScript = ''
          simple_get "/private-public-keys/wireguard/chaos-internal/storage" .preshared_keys.tablet > $secretFile
        '';
      };
      wg_preshared_vault = {
        path = "/secrets/wg_preshared_vault";
        fetchScript = ''
          simple_get "/private-public-keys/wireguard/chaos-internal/storage" .preshared_keys.vault > $secretFile
        '';
      };
      wg_preshared_iphone8 = {
        path = "/secrets/wg_preshared_iphone8";
        fetchScript = ''
          simple_get "/private-public-keys/wireguard/chaos-internal/storage" .preshared_keys.iphone8 > $secretFile
        '';
      };
    };
  };
 }
--- a/hosts/lappy-t495/hardware.nix
+++ b/hosts/lappy-t495/hardware.nix
@ -22,5 +22,5 @@
    RUNTIME_PM_BLACKLIST = "05:00.3 05:00.4";
  };
-  imports = with tree; [presets.nixos.normal-encrypted-drive];
+  imports = with tree; [presets.nixos.dual-encrypted-drive];
 }
--- a/hosts/nixos-live/nixos-live.nix
+++ b/hosts/nixos-live/nixos-live.nix
@ -2,24 +2,50 @@
  config,
  tree,
  modulesPath,
  pkgs,
  lib,
  ...
 }: {
-  imports = [
+  imports = with tree; [
-    # (modulesPath + "/profiles/qemu-guest.nix")
+    (modulesPath + "/installer/cd-dvd/installation-cd-graphical-gnome.nix")
    (modulesPath + "/installer/cd-dvd/installation-cd-minimal.nix")
    (modulesPath + "/installer/cd-dvd/channel.nix")
-    tree.users.root
+    users.root
-    tree.profiles.base
+    profiles.base
-    tree.profiles.sshd
+    profiles.sshd
    profiles.kernels.latest
    profiles.connectivity.ios
    profiles.connectivity.network_manager
  ];
-  config.isoImage = {
+
  # disable zfs
  nixpkgs.overlays = [
    (final: super: {
      zfs = super.zfs.overrideAttrs (_: {
        meta.platforms = [];
      });
    })
  ];
  networking.wireless.enable = lib.mkForce false;
  nixpkgs.config.allowBroken = true;
  home-manager.users.root = {
    imports = with tree; [home.base home.dev];
    home.stateVersion = "23.05";
  };
  home-manager.users.nixos = {
    imports = with tree; [home.base home.dev];
    home.stateVersion = "23.05";
  };
  isoImage = {
    isoBaseName = "nixos-chaos";
    compressImage = false;
    squashfsCompression = "zstd -Xcompression-level 1";
  };
-  config.services.openssh.permitRootLogin = lib.mkForce "yes";
+  services.openssh.settings.PermitRootLogin = lib.mkForce "yes";
 }
--- a/outputs.nix
+++ b/outputs.nix
@ -48,12 +48,16 @@ in
        type = "app";
        program = "${packages.mk-normal-enc-ssd}/bin/mk-normal-enc-ssd";
      };
      mk-dual-enc-ssd = {
        type = "app";
        program = "${packages.mk-dual-enc-ssd}/bin/mk-dual-enc-ssd";
      };
    };
    packages = {
      inherit (pkgs) comic-code comic-sans;
      inherit (pkgs) piped-frontend piped-backend piped-proxy;
-      inherit (pkgs) mk-enc-usb mk-normal-enc-ssd;
+      inherit (pkgs) mk-enc-usb mk-normal-enc-ssd mk-dual-enc-ssd;
      inherit (pkgs) gotosocial;
    };
  }))
--- a/overlay/default.nix
+++ b/overlay/default.nix
@ -9,8 +9,11 @@ final: prev: {
  };
  piped-frontend = final.callPackage ./piped/frontend {};
  piped-proxy = final.callPackage ./piped/proxy {};
  mk-enc-usb = final.callPackage ../extras/mk-enc-usb.nix {};
  mk-normal-enc-ssd = final.callPackage ../extras/mk-normal-enc-ssd.nix {};
  mk-dual-enc-ssd = final.callPackage ../extras/mk-dual-enc-ssd.nix {};
  gotosocial = prev.gotosocial.overrideAttrs (old: let
    owner = "superseriousbusiness";
    repo = "gotosocial";
--- a/overlay/piped/frontend/yarn.nix
+++ b/overlay/piped/frontend/yarn.nix
--- a/presets/nixos/dual-encrypted-drive.nix
+++ b/presets/nixos/dual-encrypted-drive.nix
@ -0,0 +1,64 @@
 {
  config,
  pkgs,
  ...
 }: let
  usb_data = import ../../data/usb_data.nix {};
  drive_data = import ../../data/dual_drive_data.nix {};
 in {
  config.boot = {
    initrd.availableKernelModules = [
      # For USB w/ Encryption Key
      "usb_storage"
      "usbcore"
      "uas"
      "sd_mod"
      # For USB Keyboards
      "usbhid"
      # For Cryptography
      "aesni_intel"
      "cryptd"
    ];
    initrd.postDeviceCommands = pkgs.lib.mkBefore ''
      mkdir -m 0755 -p /keys
      mkdir -m 0755 -p ${usb_data.mountpoint}
      while !(test -b ${usb_data.encrypted_path})
      do
        echo "Please Plug In USB"
        sleep 1
      done
      echo "Please Decrypt USB"
      cryptsetup luksOpen ${usb_data.encrypted_path} ${usb_data.mapper_name}
      mount -n -t ${usb_data.unencrypted_fs_type} -o ro ${usb_data.mapper_path} ${usb_data.mountpoint}
      cp ${usb_data.encryption_keys_path}/${config.networking.hostName}.key /keys
      umount -f ${usb_data.mountpoint}
      cryptsetup close ${usb_data.mapper_name}
    '';
    initrd.luks.devices = {
      "${drive_data.root_mapper_name}" = {
        device = "${drive_data.encrypted_root_path}";
        keyFile = "/keys/${config.networking.hostName}.key";
        preLVM = false;
        allowDiscards = true;
      };
    };
  };
  config.fileSystems = {
    "/" = {
      device = "${drive_data.decrypted_root_path}";
      fsType = "${drive_data.unencrypted_root_fs_type}";
    };
    "/boot" = {
      device = "${drive_data.boot_path}";
      fsType = "${drive_data.boot_fs_type}";
    };
  };
 }