From db9c488f17dfb2d248a1e277703676bfa2f146a2 Mon Sep 17 00:00:00 2001
From: ChaotiCryptidz
Date: Sat, 29 Jan 2022 19:55:58 +0000
Subject: [PATCH] start work on encryption
---
 LAPPY_SETUP_GUIDE.md | 25 ++++++++++++++--
 hosts/lappy/hardware.nix | 63 ++++++++++++++++++++++++++++++++++++++++
 hosts/lappy/lappy.nix | 23 ++-------------
 hosts/rescue/rescue.nix | 6 ++--
 shell.nix | 0
 users/chaoticryptidz.nix | 1 +
 6 files changed, 92 insertions(+), 26 deletions(-)
 create mode 100644 hosts/lappy/hardware.nix
 create mode 100644 shell.nix
diff --git a/LAPPY_SETUP_GUIDE.md b/LAPPY_SETUP_GUIDE.md
index 379e763..6ce1a67 100644
--- a/LAPPY_SETUP_GUIDE.md
+++ b/LAPPY_SETUP_GUIDE.md
@@ -1,7 +1,27 @@
 # Lappy Setup Guide
 ## Filesystems
-- Ext4 with label nixos
-- Fat32 EFI with label nixboot
+```
+export DEVICE_ROOT=/dev/nvme0n1
+export DEVICE_BOOT_PART=${DEVICE_ROOT}p1
+export DEVICE_ENCRYPTED_ROOT_PART=${DEVICE_ROOT}p2
+export DEVICE_UNENCRYPTED_ROOT_NAME=cryptroot
+export DEVICE_UNENCRYPTED_ROOT=/dev/mapper/${DEVICE_UNENCRYPTED_ROOT_NAME}
+export ENCRYPTION_KEY_PATH=mount/encryption-keys/lappy.key
+
+parted /dev/${DEVICE_ROOT} -- mklabel gpt
+parted /dev/${DEVICE_ROOT} -- mkpart primary 512MiB -8GiB
+parted /dev/${DEVICE_ROOT} -- mkpart ESP fat32 1MiB 500MiB
+parted /dev/${DEVICE_ROOT} -- set 3 esp on
+
+mkfs.fat -n nixboot ${DEVICE_BOOT_PART}
+
+cryptsetup luksFormat ${DEVICE_ENCRYPTED_ROOT_PART}
+cryptsetup luksAddKey ${DEVICE_ENCRYPTED_ROOT_PART} ${ENCRYPTION_KEY_PATH}
+cryptsetup luksOpen ${DEVICE_ENCRYPTED_ROOT_PART} ${DEVICE_UNENCRYPTED_ROOT_NAME}
+mkfs.ext4 -L nixos ${DEVICE_UNENCRYPTED_ROOT}
+```
+## NetworkManager
+Grab passwords from Vault
 ## Browser (vivaldi)
 Open up browser and install the following extensions:
 - - Stylus
@@ -43,4 +63,3 @@ Other: #00dda6
 - Amount: 500
 - Method: Fixed
 - Initial: 2000
-
diff --git a/hosts/lappy/hardware.nix b/hosts/lappy/hardware.nix
new file mode 100644
index 0000000..b04aaec
--- /dev/null
+++ b/hosts/lappy/hardware.nix
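Review bot: The partitioning commands in the new Filesystems block do not agree with the variables defined just above them: `DEVICE_ROOT` already contains `/dev/`, so every `parted /dev/${DEVICE_ROOT}` line targets `/dev//dev/nvme0n1`, and the two `mkpart` calls create the root partition first (p1) and the ESP second (p2), the reverse of `DEVICE_BOOT_PART=${DEVICE_ROOT}p1` / `DEVICE_ENCRYPTED_ROOT_PART=${DEVICE_ROOT}p2`, while `set 3 esp on` names a partition that is never created. Followed literally, `mkfs.fat` and `cryptsetup luksFormat` would run against the wrong partitions; dropping the `/dev/` prefix on the `parted` lines, creating the ESP before the root partition, and changing the flag line to `parted ${DEVICE_ROOT} -- set 1 esp on` lines the commands up with the variables. The guide should also state that `luksAddKey` adds a second, file-based unlock secret at the relative path `mount/encryption-keys/lappy.key`, so the passphrase entered at `luksFormat` time remains the fallback and that key file needs the same protection as the passphrase.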
@@ -0,0 +1,63 @@ +{ ... }: +let + usb_label = "my_usb"; + encrypted_root_uuid = ""; + unencrypted_root_uuid = ""; +in { + boot = { + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + }; + initrd.availableKernelModules = [ + "xhci_pci" + "ahci" + "nvme" + "usb_storage" + "sd_mod" + "rtsx_pci_sdmmc" + "uas" + "usbcore" + "usb_storage" + "vfat" + "nls_cp437" + "nls_iso8859_1" + "aesni_intel" + "cryptd" + ]; + kernelModules = [ "kvm-intel" ]; + }; + + # TODO: encrypted storage + #initrd.postDeviceCommands = pkgs.lib.mkBefore '' + # mkdir -m 0755 -p /key + # sleep 3 + # mount -n -t vfat -o ro `findfs LABEL=${usb_label}` /key + #''; + + #boot.initrd.luks.devices."cryptroot".device = + # "/dev/disk/by-uuid/${encrypted_root_uuid}"; + + #initrd.luks.devices."cryptroot" = { + # keyFile = "/key/encryption-keys/lappy.key"; + # preLVM = false; + # allowDiscards = true; + #}; + + + fileSystems = { + "/" = { + device = "/dev/disk/by-label/nixos"; + fsType = "ext4"; + }; + #"/" = { + # device = "/dev/mapper/cryptroot"; + # fsType = "ext4"; + #}; + "/boot" = { + device = "/dev/disk/by-label/nixboot"; + fsType = "vfat"; + }; + }; + +} diff --git a/hosts/lappy/lappy.nix b/hosts/lappy/lappy.nix index 4a5c47a..86c0df6 100644 --- a/hosts/lappy/lappy.nix +++ b/hosts/lappy/lappy.nix @@ -2,6 +2,8 @@ { imports = with tree; [ + ./hardware.nix + users.root users.chaoticryptidz profiles.tailscale @@ -80,27 +82,6 @@ services.fstrim.enable = true; - boot = { - loader = { - systemd-boot.enable = true; - efi.canTouchEfiVariables = true; - }; - initrd.availableKernelModules = - [ "xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; - kernelModules = [ "kvm-intel" ]; - }; - - fileSystems = { - "/" = { - device = "/dev/disk/by-label/nixos"; - fsType = "ext4"; - }; - "/boot" = { - device = "/dev/disk/by-label/nixboot"; - fsType = "vfat"; - }; - }; - system.stateVersion = "21.11"; } 
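Review bot: The commented-out LUKS block in the new file will not evaluate as written once it is enabled: the module header is `{ ... }:`, so `pkgs` in `pkgs.lib.mkBefore` is unbound, `encrypted_root_uuid` is the empty string and would produce the path `/dev/disk/by-uuid/`, and `initrd.luks.devices."cryptroot"` is written outside the `boot = { ... }` attribute set that the rest of the file uses. Separately, `usb_storage` appears twice in `initrd.availableKernelModules`. When this is wired up, note that a key file read from a FAT USB stick is stored in the clear, so the passphrase set at `luksFormat` time is the real fallback; adding `fallbackToPassword = true;` to the device entry keeps the machine bootable when the stick is absent, and the `sleep 3` before `findfs LABEL=` is a timing guess rather than a guarantee that the stick has enumerated, which is worth a comment so it is not mistaken for a required delay.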
diff --git a/hosts/rescue/rescue.nix b/hosts/rescue/rescue.nix index bf07e09..958c9a6 100644 --- a/hosts/rescue/rescue.nix +++ b/hosts/rescue/rescue.nix @@ -29,8 +29,10 @@ ]; }; - users.users.root.initialPassword = ""; - users.users.chaoticryptidz.initialPassword = ""; + isoImage.squashfsCompression = "zstd -Xcompression-level 1"; + + users.users.root.initialPassword = "password"; + users.users.chaoticryptidz.initialPassword = "password"; # let vscode, vivaldi, etc work. security.unprivilegedUsernsClone = true; diff --git a/shell.nix b/shell.nix new file mode 100644 index 0000000..e69de29 diff --git a/users/chaoticryptidz.nix b/users/chaoticryptidz.nix index 3332977..6f91ac8 100644 --- a/users/chaoticryptidz.nix +++ b/users/chaoticryptidz.nix @@ -1,5 +1,6 @@ { config, ... }: { users.users.chaoticryptidz = { + uid = 1000; isNormalUser = true; extraGroups = [ "wheel"
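Review bot: `initialPassword = "password"` for both `root` and `chaoticryptidz` places a fixed, guessable credential in a committed config, and `initialPassword` is stored in plaintext in the Nix store of the resulting image. For a rescue ISO this is tolerable only while no network login path exists; sshd is not configured in this hunk, so I cannot tell from here whether it is enabled elsewhere in the file. If it is, pair this with `services.openssh.passwordAuthentication = false;` (or keep root's password empty and rely on keys), and prefer `initialHashedPassword` so only a hash appears in the store.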