start work on encryption

LAPPY_SETUP_GUIDE.md

@@ -1,7 +1,27 @@
 # Lappy Setup Guide
 ## Filesystems
-- Ext4 with label nixos
+```
-- Fat32 EFI with label nixboot
+export DEVICE_ROOT=/dev/nvme0n1
+export DEVICE_BOOT_PART=${DEVICE_ROOT}p1
+export DEVICE_ENCRYPTED_ROOT_PART=${DEVICE_ROOT}p2
+export DEVICE_UNENCRYPTED_ROOT_NAME=cryptroot
+export DEVICE_UNENCRYPTED_ROOT=/dev/mapper/${DEVICE_UNENCRYPTED_ROOT_NAME}
+export ENCRYPTION_KEY_PATH=mount/encryption-keys/lappy.key
+
+parted /dev/${DEVICE_ROOT} -- mklabel gpt
+parted /dev/${DEVICE_ROOT} -- mkpart primary 512MiB -8GiB
+parted /dev/${DEVICE_ROOT} -- mkpart ESP fat32 1MiB 500MiB
+parted /dev/${DEVICE_ROOT} -- set 3 esp on
+
+mkfs.fat -n nixboot ${DEVICE_BOOT_PART}
+
+cryptsetup luksFormat ${DEVICE_ENCRYPTED_ROOT_PART}
+cryptsetup luksAddKey ${DEVICE_ENCRYPTED_ROOT_PART} ${ENCRYPTION_KEY_PATH}
+cryptsetup luksOpen ${DEVICE_ENCRYPTED_ROOT_PART} ${DEVICE_UNENCRYPTED_ROOT_NAME}
+mkfs.ext4 -L nixos ${DEVICE_UNENCRYPTED_ROOT}
+```
+## NetworkManager
+Grab passwords from Vault
 ## Browser (vivaldi)
 Open up browser and install the following extensions:
 - - Stylus
@@ -43,4 +63,3 @@ Other: #00dda6
 - Amount: 500
 - Method: Fixed
 - Initial: 2000
-

hosts/lappy/hardware.nix

@@ -0,0 +1,63 @@
+{ ... }:
+let
+  usb_label = "my_usb";
+  encrypted_root_uuid = "";
+  unencrypted_root_uuid = "";
+in {
+  boot = {
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+    initrd.availableKernelModules = [
+      "xhci_pci"
+      "ahci"
+      "nvme"
+      "usb_storage"
+      "sd_mod"
+      "rtsx_pci_sdmmc"
+      "uas"
+      "usbcore"
+      "usb_storage"
+      "vfat"
+      "nls_cp437"
+      "nls_iso8859_1"
+      "aesni_intel"
+      "cryptd"
+    ];
+    kernelModules = [ "kvm-intel" ];
+  };
+
+  # TODO: encrypted storage
+  #initrd.postDeviceCommands = pkgs.lib.mkBefore ''
+  #  mkdir -m 0755 -p /key
+  #  sleep 3
+  #  mount -n -t vfat -o ro `findfs LABEL=${usb_label}` /key
+  #'';
+
+  #boot.initrd.luks.devices."cryptroot".device =
+  #  "/dev/disk/by-uuid/${encrypted_root_uuid}";
+
+  #initrd.luks.devices."cryptroot" = {
+  #  keyFile = "/key/encryption-keys/lappy.key";
+  #  preLVM = false;
+  #  allowDiscards = true;
+  #};
+
+  
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-label/nixos";
+      fsType = "ext4";
+    };
+    #"/" = {
+    #  device = "/dev/mapper/cryptroot";
+    #  fsType = "ext4";
+    #};
+    "/boot" = {
+      device = "/dev/disk/by-label/nixboot";
+      fsType = "vfat";
+    };
+  };
+
+}

hosts/lappy/lappy.nix

@@ -2,6 +2,8 @@
 
 {
   imports = with tree; [
+    ./hardware.nix
+
     users.root
     users.chaoticryptidz
     profiles.tailscale
@@ -80,27 +82,6 @@
 
   services.fstrim.enable = true;
 
-  boot = {
-    loader = {
-      systemd-boot.enable = true;
-      efi.canTouchEfiVariables = true;
-    };
-    initrd.availableKernelModules =
-      [ "xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
-    kernelModules = [ "kvm-intel" ];
-  };
-
-  fileSystems = {
-    "/" = {
-      device = "/dev/disk/by-label/nixos";
-      fsType = "ext4";
-    };
-    "/boot" = {
-      device = "/dev/disk/by-label/nixboot";
-      fsType = "vfat";
-    };
-  };
-
   system.stateVersion = "21.11";
 }
 

hosts/rescue/rescue.nix

@@ -29,8 +29,10 @@
     ];
   };
 
-  users.users.root.initialPassword = "";
+  isoImage.squashfsCompression = "zstd -Xcompression-level 1";
-  users.users.chaoticryptidz.initialPassword = "";
+
+  users.users.root.initialPassword = "password";
+  users.users.chaoticryptidz.initialPassword = "password";
 
   # let vscode, vivaldi, etc work.
   security.unprivilegedUsernsClone = true;

users/chaoticryptidz.nix

@@ -1,5 +1,6 @@
 { config, ... }: {
   users.users.chaoticryptidz = {
+    uid = 1000;
     isNormalUser = true;
     extraGroups = [
       "wheel"