From f325016c69fa7e4fb03f5b7081ca0c78ea59d050 Mon Sep 17 00:00:00 2001
From: chaos
Date: Sat, 30 Mar 2024 10:28:16 +0100
Subject: [PATCH] add host for microsoft surface / lappy

---
 extras/mk-encrypted-drive.nix | 22 +++++-------
 hosts/lappy-surface/hardware.nix | 19 +++++++++++
 hosts/lappy-surface/lappy-surface.nix | 48 +++++++++++++++++++++++++++
 hosts/lappy-surface/secrets.nix | 46 +++++++++++++++++++++++++
 hosts/nixos.nix | 11 ++++++
 outputs.nix | 1 +
 presets/nixos/desktopBase.nix | 2 +-
 presets/nixos/encryptedDrive.nix | 2 +-
 profiles/remoteBuilders.nix | 1 +
 9 files changed, 137 insertions(+), 15 deletions(-)
 create mode 100644 hosts/lappy-surface/hardware.nix
 create mode 100644 hosts/lappy-surface/lappy-surface.nix
 create mode 100644 hosts/lappy-surface/secrets.nix

diff --git a/extras/mk-encrypted-drive.nix b/extras/mk-encrypted-drive.nix
index 7235a93..302f128 100644
--- a/extras/mk-encrypted-drive.nix
+++ b/extras/mk-encrypted-drive.nix
@@ -20,23 +20,22 @@ in echo "If making a drive for bios then you will need to set BIOS env variable" fi - if [ -z "''${PASSWORD_FILE-}" ]; then - echo "If the drive is for a encrypted server then password will need to be set with PASSWORD_FILE" - fi + echo "If the drive is for a encrypted server then set \$2/KEY_FILE as password file with no trailing newline (nano -L)" - if [ -z "''${1-}" ]; then - echo "Please specify a path to device as first argument" + if [ -z "''${DRIVE_PATH-}" ] && [ -z "''${1-}" ]; then + echo "Please specify a path to drive as first argument or set DRIVE_PATH" exit 1 + else + if [ -n "''${1-}" ]; then DRIVE_PATH=$1; fi fi - if [ -z "''${2-}" ]; then - echo "Please specify a path to key file as second argument" + if [ -z "''${KEY_FILE-}" ] && [ -z "''${2-}" ]; then + echo "Please specify a path to key file as second argument or set KEY_FILE" exit 1 + else + if [ -n "''${2-}" ]; then KEY_FILE=$2; fi fi - DRIVE_PATH=$1 - KEY_FILE=$2 - if echo "$DRIVE_PATH" | grep -q "[0-9]$"; then PARTITION_SEPARATOR="p" else @@ -71,9 +70,6 @@ in echo "Creating Encrypted Partition" cryptsetup luksFormat "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" --key-file "$KEY_FILE" - if [ -n "''${PASSWORD_FILE-}" ]; then - cryptsetup luksAddKey "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" --key-file "$KEY_FILE" < "$PASSWORD_FILE" - fi echo "Opening Encrypted Partition" cryptsetup open "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" "mk_encrypted_drive" --key-file "$KEY_FILE" diff --git a/hosts/lappy-surface/hardware.nix b/hosts/lappy-surface/hardware.nix new file mode 100644 index 0000000..04a1618 --- /dev/null +++ b/hosts/lappy-surface/hardware.nix 
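Review bot: The new prompt tells the user to save the key file without a trailing newline, but the script never verifies that before `cryptsetup luksFormat` consumes it, so a file saved with a newline quietly produces a LUKS slot keyed on different bytes than the passphrase the user would later type (cryptsetup reads a key file verbatim but strips the newline from interactive input). A one-line guard once KEY_FILE is resolved catches it: `if [ -z "$(tail -c1 "$KEY_FILE")" ]; then echo "KEY_FILE must not be empty or end with a newline"; exit 1; fi`. The second hunk removes the `luksAddKey` call that used to add a second, PASSWORD_FILE-backed slot, so the key file is now the only slot; if that is intended, the new `echo` on the first line of this hunk should say so rather than only describing the newline rule. Both hunks are inside the shell script string whose enclosing Nix expression begins before this hunk.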
@@ -0,0 +1,19 @@
+{tree, ...}: {
+ imports = with tree; [
+ presets.nixos.encryptedDrive
+ ];
+
+ boot = {
+ loader = {
+ systemd-boot.enable = true;
+ efi.canTouchEfiVariables = true;
+ };
+ initrd.availableKernelModules = [
+ # defaults from nixos-generate-config
+ "xhci_pci" "nvme" "usb_storage" "usbhid" "sd_mod" "rtsx_pci_sdmmc"
+ ];
+ kernelModules = ["kvm-intel"];
+ };
+
+ hardware.cpu.intel.updateMicrocode = true;
+}
diff --git a/hosts/lappy-surface/lappy-surface.nix b/hosts/lappy-surface/lappy-surface.nix
new file mode 100644
index 0000000..cb4efd9
--- /dev/null
+++ b/hosts/lappy-surface/lappy-surface.nix
@@ -0,0 +1,48 @@
+{tree, ...}: {
+ imports = with tree; [
+ users.root
+ users.chaos
+ profiles.sshd
+
+ presets.nixos.desktopGnome
+ presets.nixos.laptop
+ presets.nixos.encryptedUSB
+
+ profiles.cross.arm64
+ profiles.remoteBuilders
+ #profiles.chaosInternalWireGuard
+
+ ./secrets.nix
+ ];
+
+ home-manager.users.root = {
+ imports = with tree; [home.base];
+ home.stateVersion = "23.05";
+ };
+
+ home-manager.users.chaos = {
+ imports = with tree; [
+ home.base
+ home.dev.all
+ home.reversing
+ home.homeFolders
+ #home.musicLibrary
+
+ home.programming.editors.nano
+ home.programming.editors.vscode
+ home.programming.languages.rust
+ home.programming.languages.nix
+ ];
+ home.stateVersion = "23.05";
+ };
+
+ networking.firewall.enable = true;
+ networking.firewall.allowPing = true;
+
+ networking.firewall.allowedTCPPorts = [8088];
+
+ networking.hostName = "lappy-surface";
+ time.timeZone = "Europe/Vienna";
+
+ system.stateVersion = "23.05";
+}
diff --git a/hosts/lappy-surface/secrets.nix b/hosts/lappy-surface/secrets.nix
new file mode 100644
index 0000000..8a2e788
--- /dev/null
+++ b/hosts/lappy-surface/secrets.nix
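Review bot: `networking.firewall.allowedTCPPorts = [8088];` in lappy-surface.nix opens a port on a roaming laptop with nothing stating which service listens there, and nothing in this file binds 8088; add a comment naming it, e.g. `# 8088: <service> — TODO confirm still needed`, or drop the entry until that service is configured. `profiles.sshd` is imported as well, so inbound SSH is presumably also reachable through the firewall; that mirrors the other host but deserves a line of its own here. `system.stateVersion = "23.05"` and both `home.stateVersion` values look copied from an older host; for a freshly installed machine the value is normally the release it was installed with and must not be changed afterwards, so it is worth confirming before the first rebuild.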
@@ -0,0 +1,46 @@ +{...}: { + services.secrets = { + enable = true; + secrets = { + usb_encryption_passphrase = { + manual = true; + }; + + music_stream_password = { + user = "chaos"; + group = "users"; + fetchScript = '' + simple_get "/api-keys/music-stream" .password > "$secretFile" + ''; + }; + + # Required for home.apps.manualBackupApps + restic_music_env = { + user = "chaos"; + fetchScript = '' + api_username=restic + api_password=$(simple_get "/api-keys/storage/restic/Music" ".$api_username") + restic_password=$(simple_get "/private-public-keys/restic/Music" .password) + + echo > "$secretFile" + echo "RESTIC_REPOSITORY=rest:https://$api_username:$api_password@storage-restic.owo.monster/Music" >> "$secretFile" + echo "RESTIC_PASSWORD=''${restic_password}" >> "$secretFile" + ''; + }; + + #restic_backups_password = { + # fetchScript = '' + # simple_get "/private-public-keys/restic/Lappy-Surface" .password > "$secretFile" + # ''; + #}; + + #restic_backups_repository_file = { + # fetchScript = '' + # api_username=restic + # api_password=$(simple_get "/api-keys/storage/restic/Lappy-Surface" ".$api_username") + # echo "rest:https://$api_username:$api_password@storage-restic.owo.monster/Lappy-Surface" > "$secretFile" + # ''; + #}; + }; + }; +} diff --git a/hosts/nixos.nix b/hosts/nixos.nix index 9824e0f..784642b 100644 --- a/hosts/nixos.nix +++ b/hosts/nixos.nix @@ -72,6 +72,17 @@ in { modules = defaultModules ++ [./lappy-t495/lappy-t495.nix ./lappy-t495/hardware.nix]; }; + lappy-surface = nixosUnstableSystem { + specialArgs = + defaultSpecialArgs + // { + hostPath = ./lappy-surfacr; + }; + system = "x86_64-linux"; + modules = defaultModules ++ [./lappy-surface/lappy-surface.nix ./lappy-surface/hardware.nix]; + }; + + wsl = nixosUnstableSystem { specialArgs = defaultSpecialArgs diff --git a/outputs.nix b/outputs.nix index 9870e03..0fe5219 100644 --- a/outputs.nix +++ b/outputs.nix 
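Review bot: In `restic_music_env` the fetch script writes the repository URL and password without checking that the `simple_get` calls returned anything, so a failed lookup leaves `api_password` or `restic_password` empty and an env file with blank credentials is still produced; after the three assignments add `[ -n "$api_password" ] && [ -n "$restic_password" ] || { echo "restic_music_env: credential fetch failed" >&2; exit 1; }` (this assumes fetchScript does not already run under `set -e` — confirm). `echo > "$secretFile"` also writes an empty first line into the file; `: > "$secretFile"` truncates without it. Embedding the password in `RESTIC_REPOSITORY` means it appears wherever restic prints the repository string; if the installed restic honours `RESTIC_REST_USERNAME`/`RESTIC_REST_PASSWORD`, putting the credentials there and keeping the URL credential-free is the safer layout. `music_stream_password` sets `group = "users"` while `restic_music_env` does not, which is worth making consistent unless the module's default group is what home.apps.manualBackupApps expects.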
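Review bot: `hostPath = ./lappy-surfacr;` in the new `lappy-surface` entry of hosts/nixos.nix misspells the directory; the modules list two lines below uses `./lappy-surface/...`, so the intended value is `hostPath = ./lappy-surface;`. A Nix path literal pointing at a missing directory evaluates lazily, so the error would presumably surface only when whatever consumes hostPath reads or string-coerces it, not at this line. The enclosing attribute set begins before this hunk.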
@@ -158,6 +158,7 @@ in sshAddress = "vault.servers.genderfucked.monster"; }; "lappy-t495" = configForMachine "lappy-t495"; + "lappy-surface" = configForMachine "lappy-surface"; }; machinesWithHostSecrets = filter ( diff --git a/presets/nixos/desktopBase.nix b/presets/nixos/desktopBase.nix index 638a475..cda5f4e 100644 --- a/presets/nixos/desktopBase.nix +++ b/presets/nixos/desktopBase.nix @@ -31,7 +31,7 @@ home.apps.strawberry home.apps.nicotine-plus - home.apps.musicutil + #home.apps.musicutil home.apps.mullvad home.apps.aria2 diff --git a/presets/nixos/encryptedDrive.nix b/presets/nixos/encryptedDrive.nix index 8a1da19..27254cc 100644 --- a/presets/nixos/encryptedDrive.nix +++ b/presets/nixos/encryptedDrive.nix @@ -27,7 +27,7 @@ in { mkdir -m 0755 -p /keys mkdir -m 0755 -p ${encryptedUSB.mountpoint} - if grep --quiet "cryptsetup_password" /proc/cmdline; then + if grep "cryptsetup_password" /proc/cmdline; then USE_PASSWORD=true else USE_PASSWORD=false diff --git a/profiles/remoteBuilders.nix b/profiles/remoteBuilders.nix index b3939f1..076dd83 100644 --- a/profiles/remoteBuilders.nix +++ b/profiles/remoteBuilders.nix @@ -14,6 +14,7 @@ if builtins.elem currentHostname [ "lappy-t495" + "lappy-surface" ] then usbSSHKeyFile else if builtins.elem currentHostname ["wsl"]
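Review bot: Dropping `--quiet` in presets/nixos/encryptedDrive.nix makes the matching line of /proc/cmdline — the whole kernel command line — print to the initrd console on every boot; presumably the change was made because the initrd's grep rejects the long option, in which case the short form `if grep -q "cryptsetup_password" /proc/cmdline; then` keeps the check silent. If `cryptsetup_password` ever carries a value rather than acting as a bare flag, that value would now be echoed to the console and to any captured boot log. The shell script string and the Nix expression around it begin before this hunk.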