add dual boot encrypted drive option

chaos 2023-08-28 18:50:25 +01:00
parent f7f91e938d
commit 7e4f414ea6
11 changed files with 878 additions and 705 deletions

1
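--- a/data/dual_drive_data.nix
+++ b/data/dual_drive_data.nix
@@ -0,0 +1 @@
+{}: (import ./normal_drive_data.nix {})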


@ -0,0 +1,35 @@
{
stdenv,
bash,
parted,
cryptsetup,
e2fsprogs,
dosfstools,
}: let
ssd_data = import ../data/dual_drive_data.nix {};
in
stdenv.mkDerivation {
name = "mk-dual-enc-ssd";
src = ./mk-dual-enc-ssd.sh;
unpackPhase = ''
for srcFile in $src; do
cp $srcFile $(stripHash $srcFile)
done
'';
inherit bash parted cryptsetup e2fsprogs dosfstools;
patchPhase = ''
substituteAllInPlace mk-dual-enc-ssd.sh
substituteInPlace mk-dual-enc-ssd.sh \
--replace "@SSD_ENCRYPTED_PARTLABEL@" "${ssd_data.encrypted_root_partlabel}" \
--replace "@SSD_UNENCRYPTED_LABEL@" "${ssd_data.unencrypted_root_label}" \
--replace "@SSD_BOOT_LABEL@" "${ssd_data.boot_label}"
'';
installPhase = ''
mkdir -p $out/bin
cp mk-dual-enc-ssd.sh $out/bin/mk-dual-enc-ssd
chmod +x $out/bin/mk-dual-enc-ssd
'';
}
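Review bot: The packaged script resolves `grep` from whatever PATH it is run with, while every other tool it calls is pinned to a store path through `inherit bash parted cryptsetup e2fsprogs dosfstools` and `substituteAllInPlace`; adding `gnugrep` to the inputs and `inherit` list and using `@gnugrep@/bin/grep` in the script, or replacing the `echo | grep -q` pipeline with a plain `case "$SSD_PATH" in *[0-9]) …` match, closes that gap. A one-line comment above `ssd_data = import ../data/dual_drive_data.nix {};` stating that the labels are substituted so the script and the dual-encrypted-drive preset agree on partition and filesystem names would help the next reader. This section's file header is not visible on the page.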

63
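--- a/extras/mk-dual-enc-ssd.sh
+++ b/extras/mk-dual-enc-ssd.sh
@@ -0,0 +1,63 @@
+#! @bash@/bin/sh
+set -e
+# e.g /dev/nvme0n1
+SSD_PATH=$1
+KEY_FILE=$2
+NIXOS_SIZE=$3
+if echo "$SSD_PATH" | grep -q "[0-9]$"; then
+PARTITION_SEPARATOR="p"
+else
+PARTITION_SEPARATOR=""
+fi
+if [ -z "$SSD_PATH" ]; then
+echo "Please specify a path to device as first argument"
+exit 1
+fi
+if [ -z "$KEY_FILE" ]; then
+echo "Please specify a key file to use"
+exit 1
+fi
+if [ -z "$NIXOS_SIZE" ]; then
+echo "Please specify how big to make the NixOS partition"
+exit 1
+fi
+if [ "$EUID" -ne 0 ]; then
+echo "Please run as root"
+exit
+fi
+# encrypted partition label
+SSD_ENCRYPTED_PARTLABEL=@SSD_ENCRYPTED_PARTLABEL@
+# unencrypted filesystem label
+SSD_UNENCRYPTED_LABEL=@SSD_UNENCRYPTED_LABEL@
+# ssd boot label
+SSD_BOOT_LABEL=@SSD_BOOT_LABEL@
+echo "Creating Partitions..."
+@parted@/bin/parted ${SSD_PATH} -- mklabel gpt
+@parted@/bin/parted ${SSD_PATH} -- mkpart ESP fat32 1MiB 1024MiB
+@parted@/bin/parted ${SSD_PATH} -- mkpart primary 1072MiB "${NIXOS_SIZE}"
+@parted@/bin/parted ${SSD_PATH} -- set 1 esp on
+@parted@/bin/parted ${SSD_PATH} -- name 1 "${SSD_BOOT_LABEL}"
+@parted@/bin/parted ${SSD_PATH} -- name 2 "${SSD_ENCRYPTED_PARTLABEL}"
+echo "Formatting boot partition"
+@dosfstools@/bin/mkfs.fat -n "${SSD_BOOT_LABEL}" "${SSD_PATH}${PARTITION_SEPARATOR}1"
+echo "Creating Encrypted Partition"
+@cryptsetup@/bin/cryptsetup luksFormat "${SSD_PATH}${PARTITION_SEPARATOR}2" --key-file "${KEY_FILE}"
+echo "Opening Encrypted Partition"
+@cryptsetup@/bin/cryptsetup open "${SSD_PATH}${PARTITION_SEPARATOR}2" "mk_dual_enc_ssd" --key-file "${KEY_FILE}"
+echo "Formatting Encrypted Root Filesystem"
+@e2fsprogs@/bin/mkfs.ext4 -L "${SSD_UNENCRYPTED_LABEL}" /dev/mapper/mk_dual_enc_ssd
+echo "mount /dev/mapper/mk_dual_enc_ssd to install"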
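Review bot: The root check exits with status 0: the bare `exit` after `echo "Please run as root"` returns the status of the echo, so a wrapper or a `set -e` caller treats the refusal as success; it should be `exit 1` like the three argument checks above it. The script also starts destroying the target before validating its inputs — `parted ${SSD_PATH} -- mklabel gpt` is irreversible and asks for no confirmation, yet a mistyped device path or a missing key file is only discovered afterwards; `[ -b "$SSD_PATH" ] || { echo "$SSD_PATH is not a block device"; exit 1; }` and `[ -r "$KEY_FILE" ] || { echo "$KEY_FILE is not readable"; exit 1; }` placed before the first parted call would stop a half-partitioned disk. After `luksFormat` the volume has exactly one keyslot, the key file; a comment (or a follow-up `cryptsetup luksAddKey` with a passphrase and a `luksHeaderBackup`) should make clear that losing the key file or corrupting the header loses the data. The `${SSD_PATH}` expansions on the parted lines are unquoted while every later use is quoted; quoting them consistently is a small style fix.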


@ -11,5 +11,6 @@
mk-enc-usb
mk-normal-enc-ssd
mk-dual-enc-ssd
];
}


@ -155,36 +155,6 @@
rm -rf "$TMP_DIR"
'';
};
wg_privkey = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/storage" .private > $secretFile
'';
};
wg_preshared_hetzner-vm = {
path = "/secrets/wg_preshared_hetzner-vm";
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/storage" .preshared_keys.hetzner_vm > $secretFile
'';
};
wg_preshared_tablet = {
path = "/secrets/wg_preshared_tablet";
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/storage" .preshared_keys.tablet > $secretFile
'';
};
wg_preshared_vault = {
path = "/secrets/wg_preshared_vault";
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/storage" .preshared_keys.vault > $secretFile
'';
};
wg_preshared_iphone8 = {
path = "/secrets/wg_preshared_iphone8";
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/storage" .preshared_keys.iphone8 > $secretFile
'';
};
};
};
}


@ -22,5 +22,5 @@
RUNTIME_PM_BLACKLIST = "05:00.3 05:00.4";
};
imports = with tree; [presets.nixos.normal-encrypted-drive];
imports = with tree; [presets.nixos.dual-encrypted-drive];
}


@ -2,24 +2,50 @@
config,
tree,
modulesPath,
pkgs,
lib,
...
}: {
imports = [
# (modulesPath + "/profiles/qemu-guest.nix")
(modulesPath + "/installer/cd-dvd/installation-cd-minimal.nix")
imports = with tree; [
(modulesPath + "/installer/cd-dvd/installation-cd-graphical-gnome.nix")
(modulesPath + "/installer/cd-dvd/channel.nix")
tree.users.root
tree.profiles.base
tree.profiles.sshd
users.root
profiles.base
profiles.sshd
profiles.kernels.latest
profiles.connectivity.ios
profiles.connectivity.network_manager
];
config.isoImage = {
# disable zfs
nixpkgs.overlays = [
(final: super: {
zfs = super.zfs.overrideAttrs (_: {
meta.platforms = [];
});
})
];
networking.wireless.enable = lib.mkForce false;
nixpkgs.config.allowBroken = true;
home-manager.users.root = {
imports = with tree; [home.base home.dev];
home.stateVersion = "23.05";
};
home-manager.users.nixos = {
imports = with tree; [home.base home.dev];
home.stateVersion = "23.05";
};
isoImage = {
isoBaseName = "nixos-chaos";
compressImage = false;
squashfsCompression = "zstd -Xcompression-level 1";
};
config.services.openssh.permitRootLogin = lib.mkForce "yes";
services.openssh.settings.PermitRootLogin = lib.mkForce "yes";
}
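Review bot: `services.openssh.settings.PermitRootLogin = lib.mkForce "yes"` keeps root SSH login forced open on an installer image that now also brings up network_manager; whether this also allows password logins for root depends on what `profiles.sshd` sets for PasswordAuthentication, which is not visible here, and if it leaves it on, `"prohibit-password"` with an authorized key for root is the safer setting for an image that is routinely attached to foreign networks. `nixpkgs.config.allowBroken = true` is broader than the zfs overlay above it suggests: it silences the broken-package guard for every package in the ISO, so either drop it if the `meta.platforms = []` override already suffices, or replace `# disable zfs` with a comment naming the package that still needs it. The enclosing attribute set starts before the hunk and its file header is not visible on the page.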


@ -48,12 +48,16 @@ in
type = "app";
program = "${packages.mk-normal-enc-ssd}/bin/mk-normal-enc-ssd";
};
mk-dual-enc-ssd = {
type = "app";
program = "${packages.mk-dual-enc-ssd}/bin/mk-dual-enc-ssd";
};
};
packages = {
inherit (pkgs) comic-code comic-sans;
inherit (pkgs) piped-frontend piped-backend piped-proxy;
inherit (pkgs) mk-enc-usb mk-normal-enc-ssd;
inherit (pkgs) mk-enc-usb mk-normal-enc-ssd mk-dual-enc-ssd;
inherit (pkgs) gotosocial;
};
}))


@ -9,8 +9,11 @@ final: prev: {
};
piped-frontend = final.callPackage ./piped/frontend {};
piped-proxy = final.callPackage ./piped/proxy {};
mk-enc-usb = final.callPackage ../extras/mk-enc-usb.nix {};
mk-normal-enc-ssd = final.callPackage ../extras/mk-normal-enc-ssd.nix {};
mk-dual-enc-ssd = final.callPackage ../extras/mk-dual-enc-ssd.nix {};
gotosocial = prev.gotosocial.overrideAttrs (old: let
owner = "superseriousbusiness";
repo = "gotosocial";


@ -1,4 +1,10 @@
{ fetchurl, fetchgit, linkFarm, runCommand, gnutar }: rec {
{
fetchurl,
fetchgit,
linkFarm,
runCommand,
gnutar,
}: rec {
offline_cache = linkFarm "offline" packages;
packages = [
{


@ -0,0 +1,64 @@
{
config,
pkgs,
...
}: let
usb_data = import ../../data/usb_data.nix {};
drive_data = import ../../data/dual_drive_data.nix {};
in {
config.boot = {
initrd.availableKernelModules = [
# For USB w/ Encryption Key
"usb_storage"
"usbcore"
"uas"
"sd_mod"
# For USB Keyboards
"usbhid"
# For Cryptography
"aesni_intel"
"cryptd"
];
initrd.postDeviceCommands = pkgs.lib.mkBefore ''
mkdir -m 0755 -p /keys
mkdir -m 0755 -p ${usb_data.mountpoint}
while !(test -b ${usb_data.encrypted_path})
do
echo "Please Plug In USB"
sleep 1
done
echo "Please Decrypt USB"
cryptsetup luksOpen ${usb_data.encrypted_path} ${usb_data.mapper_name}
mount -n -t ${usb_data.unencrypted_fs_type} -o ro ${usb_data.mapper_path} ${usb_data.mountpoint}
cp ${usb_data.encryption_keys_path}/${config.networking.hostName}.key /keys
umount -f ${usb_data.mountpoint}
cryptsetup close ${usb_data.mapper_name}
'';
initrd.luks.devices = {
"${drive_data.root_mapper_name}" = {
device = "${drive_data.encrypted_root_path}";
keyFile = "/keys/${config.networking.hostName}.key";
preLVM = false;
allowDiscards = true;
};
};
};
config.fileSystems = {
"/" = {
device = "${drive_data.decrypted_root_path}";
fsType = "${drive_data.unencrypted_root_fs_type}";
};
"/boot" = {
device = "${drive_data.boot_path}";
fsType = "${drive_data.boot_fs_type}";
};
};
}
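Review bot: `allowDiscards = true` on the root LUKS device passes TRIM through to the SSD, which lets the free-space pattern of the encrypted volume be observed on the raw device; the NixOS option documentation flags this trade-off, so a comment such as `# TRIM leaks free-space layout through the LUKS layer; accepted for SSD longevity` (or `false` if that was not a deliberate choice) belongs next to it. In `initrd.postDeviceCommands` the key lands in a `/keys` directory created with mode 0755 and `cp` keeps whatever mode the USB filesystem reports for the file; `mkdir -m 0700 -p /keys` and a `chmod 0400` on the copied key cost nothing, assuming chmod is available in the stage-1 environment. The `cryptsetup luksOpen` / `mount` / `cp` sequence has no error handling: if the stage-1 shell does not abort on error, a failed open still leads to `umount -f` and `cryptsetup close` being run against a device that was never set up, and the absent key file is only noticed when `initrd.luks.devices` tries to unlock root; the `while !(test -b …)` poll also has no timeout or message about how to abort. The preset's enclosing set is complete within the hunk, but its file header is not visible on the page.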