add host for microsoft surface / lappy
parent
4c9c0eeed2
commit
f325016c69
|
@ -20,23 +20,22 @@ in
|
||||||
echo "If making a drive for bios then you will need to set BIOS env variable"
|
echo "If making a drive for bios then you will need to set BIOS env variable"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -z "''${PASSWORD_FILE-}" ]; then
|
echo "If the drive is for a encrypted server then set \$2/KEY_FILE as password file with no trailing newline (nano -L)"
|
||||||
echo "If the drive is for a encrypted server then password will need to be set with PASSWORD_FILE"
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -z "''${1-}" ]; then
|
if [ -z "''${DRIVE_PATH-}" ] && [ -z "''${1-}" ]; then
|
||||||
echo "Please specify a path to device as first argument"
|
echo "Please specify a path to drive as first argument or set DRIVE_PATH"
|
||||||
exit 1
|
exit 1
|
||||||
|
else
|
||||||
|
if [ -n "''${1-}" ]; then DRIVE_PATH=$1; fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -z "''${2-}" ]; then
|
if [ -z "''${KEY_FILE-}" ] && [ -z "''${2-}" ]; then
|
||||||
echo "Please specify a path to key file as second argument"
|
echo "Please specify a path to key file as second argument or set KEY_FILE"
|
||||||
exit 1
|
exit 1
|
||||||
|
else
|
||||||
|
if [ -n "''${2-}" ]; then KEY_FILE=$2; fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
DRIVE_PATH=$1
|
|
||||||
KEY_FILE=$2
|
|
||||||
|
|
||||||
if echo "$DRIVE_PATH" | grep -q "[0-9]$"; then
|
if echo "$DRIVE_PATH" | grep -q "[0-9]$"; then
|
||||||
PARTITION_SEPARATOR="p"
|
PARTITION_SEPARATOR="p"
|
||||||
else
|
else
|
||||||
|
@ -71,9 +70,6 @@ in
|
||||||
|
|
||||||
echo "Creating Encrypted Partition"
|
echo "Creating Encrypted Partition"
|
||||||
cryptsetup luksFormat "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" --key-file "$KEY_FILE"
|
cryptsetup luksFormat "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" --key-file "$KEY_FILE"
|
||||||
if [ -n "''${PASSWORD_FILE-}" ]; then
|
|
||||||
cryptsetup luksAddKey "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" --key-file "$KEY_FILE" < "$PASSWORD_FILE"
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "Opening Encrypted Partition"
|
echo "Opening Encrypted Partition"
|
||||||
cryptsetup open "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" "mk_encrypted_drive" --key-file "$KEY_FILE"
|
cryptsetup open "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" "mk_encrypted_drive" --key-file "$KEY_FILE"
|
||||||
|
|
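Review bot: Now that `DRIVE_PATH` and `KEY_FILE` can come from the environment, nothing visible between the argument checks and `cryptsetup luksFormat` confirms what is about to be overwritten, so a value left exported from an earlier run is used silently when no argument is given. A guard after the two argument blocks, such as `[ -b "$DRIVE_PATH" ] || { echo "$DRIVE_PATH is not a block device"; exit 1; }` and `[ -r "$KEY_FILE" ] || { echo "cannot read $KEY_FILE"; exit 1; }`, would make the destructive step explicit. Echoing the resolved drive before formatting would help as well. The script starts and ends outside the hunks shown, so an equivalent check may already exist elsewhere.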
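--- a/hosts/lappy-surface/hardware.nix
+++ b/hosts/lappy-surface/hardware.nix
@@ -0,0 +1,19 @@
+{tree, ...}: {
+imports = with tree; [
+presets.nixos.encryptedDrive
+];
+
+boot = {
+loader = {
+systemd-boot.enable = true;
+efi.canTouchEfiVariables = true;
+};
+initrd.availableKernelModules = [
+# defaults from nixos-generate-config
+"xhci_pci" "nvme" "usb_storage" "usbhid" "sd_mod" "rtsx_pci_sdmmc"
+];
+kernelModules = ["kvm-intel"];
+};
+
+hardware.cpu.intel.updateMicrocode = true;
+}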
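--- a/hosts/lappy-surface/lappy-surface.nix
+++ b/hosts/lappy-surface/lappy-surface.nix
@@ -0,0 +1,48 @@
+{tree, ...}: {
+imports = with tree; [
+users.root
+users.chaos
+profiles.sshd
+
+presets.nixos.desktopGnome
+presets.nixos.laptop
+presets.nixos.encryptedUSB
+
+profiles.cross.arm64
+profiles.remoteBuilders
+#profiles.chaosInternalWireGuard
+
+./secrets.nix
+];
+
+home-manager.users.root = {
+imports = with tree; [home.base];
+home.stateVersion = "23.05";
+};
+
+home-manager.users.chaos = {
+imports = with tree; [
+home.base
+home.dev.all
+home.reversing
+home.homeFolders
+#home.musicLibrary
+
+home.programming.editors.nano
+home.programming.editors.vscode
+home.programming.languages.rust
+home.programming.languages.nix
+];
+home.stateVersion = "23.05";
+};
+
+networking.firewall.enable = true;
+networking.firewall.allowPing = true;
+
+networking.firewall.allowedTCPPorts = [8088];
+
+networking.hostName = "lappy-surface";
+time.timeZone = "Europe/Vienna";
+
+system.stateVersion = "23.05";
+}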
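Review bot: `networking.firewall.allowedTCPPorts = [8088];` opens the port on every interface of a laptop and has no comment naming the service behind it, so the listener is reachable on whatever network the machine joins. If it is only needed on a trusted link, the per-interface form `networking.firewall.interfaces.<name>.allowedTCPPorts = [8088];` narrows the exposure. Otherwise a comment such as `# 8088: <service name>` would tell the next reader why it is open. `profiles.sshd` is imported while `profiles.chaosInternalWireGuard` stays commented out; whether sshd then listens on all interfaces depends on the profile, which is not shown here.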
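--- a/hosts/lappy-surface/secrets.nix
+++ b/hosts/lappy-surface/secrets.nix
@@ -0,0 +1,46 @@
+{...}: {
+services.secrets = {
+enable = true;
+secrets = {
+usb_encryption_passphrase = {
+manual = true;
+};
+
+music_stream_password = {
+user = "chaos";
+group = "users";
+fetchScript = ''
+simple_get "/api-keys/music-stream" .password > "$secretFile"
+'';
+};
+
+# Required for home.apps.manualBackupApps
+restic_music_env = {
+user = "chaos";
+fetchScript = ''
+api_username=restic
+api_password=$(simple_get "/api-keys/storage/restic/Music" ".$api_username")
+restic_password=$(simple_get "/private-public-keys/restic/Music" .password)
+
+echo > "$secretFile"
+echo "RESTIC_REPOSITORY=rest:https://$api_username:$api_password@storage-restic.owo.monster/Music" >> "$secretFile"
+echo "RESTIC_PASSWORD=''${restic_password}" >> "$secretFile"
+'';
+};
+
+#restic_backups_password = {
+# fetchScript = ''
+# simple_get "/private-public-keys/restic/Lappy-Surface" .password > "$secretFile"
+# '';
+#};
+
+#restic_backups_repository_file = {
+# fetchScript = ''
+# api_username=restic
+# api_password=$(simple_get "/api-keys/storage/restic/Lappy-Surface" ".$api_username")
+# echo "rest:https://$api_username:$api_password@storage-restic.owo.monster/Lappy-Surface" > "$secretFile"
+# '';
+#};
+};
+};
+}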
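Review bot: In `restic_music_env` the fetched `$api_password` is interpolated straight into the userinfo part of `RESTIC_REPOSITORY`, so a password containing `@`, `:`, `/` or `%` produces a URL that parses differently from what was intended. Recent restic releases accept the REST credentials separately through `RESTIC_REST_USERNAME` and `RESTIC_REST_PASSWORD`, which avoids the escaping problem and keeps the password out of the URL; otherwise the value needs percent-encoding before it is written. Separately, `restic_music_env` sets `user` but no `group`, unlike `music_stream_password`. The module's default is not visible here, so an explicit `group` or a short comment would make the intended ownership of the secret file clear.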
|
@ -72,6 +72,17 @@ in {
|
||||||
modules = defaultModules ++ [./lappy-t495/lappy-t495.nix ./lappy-t495/hardware.nix];
|
modules = defaultModules ++ [./lappy-t495/lappy-t495.nix ./lappy-t495/hardware.nix];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
lappy-surface = nixosUnstableSystem {
|
||||||
|
specialArgs =
|
||||||
|
defaultSpecialArgs
|
||||||
|
// {
|
||||||
|
hostPath = ./lappy-surfacr;
|
||||||
|
};
|
||||||
|
system = "x86_64-linux";
|
||||||
|
modules = defaultModules ++ [./lappy-surface/lappy-surface.nix ./lappy-surface/hardware.nix];
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
wsl = nixosUnstableSystem {
|
wsl = nixosUnstableSystem {
|
||||||
specialArgs =
|
specialArgs =
|
||||||
defaultSpecialArgs
|
defaultSpecialArgs
|
||||||
|
|
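Review bot: `hostPath = ./lappy-surfacr;` looks like a typo for the directory this commit adds, since the `modules` line just below it uses `./lappy-surface/...`. A path literal that does not exist is typically not reported until something reads it, so the mistake would only surface where `hostPath` is consumed for this host, for example when host-specific files are looked up. The line should read `hostPath = ./lappy-surface;`.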
|
@ -158,6 +158,7 @@ in
|
||||||
sshAddress = "vault.servers.genderfucked.monster";
|
sshAddress = "vault.servers.genderfucked.monster";
|
||||||
};
|
};
|
||||||
"lappy-t495" = configForMachine "lappy-t495";
|
"lappy-t495" = configForMachine "lappy-t495";
|
||||||
|
"lappy-surface" = configForMachine "lappy-surface";
|
||||||
};
|
};
|
||||||
|
|
||||||
machinesWithHostSecrets = filter (
|
machinesWithHostSecrets = filter (
|
||||||
|
|
|
@ -31,7 +31,7 @@
|
||||||
|
|
||||||
home.apps.strawberry
|
home.apps.strawberry
|
||||||
home.apps.nicotine-plus
|
home.apps.nicotine-plus
|
||||||
home.apps.musicutil
|
#home.apps.musicutil
|
||||||
|
|
||||||
home.apps.mullvad
|
home.apps.mullvad
|
||||||
home.apps.aria2
|
home.apps.aria2
|
||||||
|
|
|
@ -27,7 +27,7 @@ in {
|
||||||
mkdir -m 0755 -p /keys
|
mkdir -m 0755 -p /keys
|
||||||
mkdir -m 0755 -p ${encryptedUSB.mountpoint}
|
mkdir -m 0755 -p ${encryptedUSB.mountpoint}
|
||||||
|
|
||||||
if grep --quiet "cryptsetup_password" /proc/cmdline; then
|
if grep "cryptsetup_password" /proc/cmdline; then
|
||||||
USE_PASSWORD=true
|
USE_PASSWORD=true
|
||||||
else
|
else
|
||||||
USE_PASSWORD=false
|
USE_PASSWORD=false
|
||||||
|
|
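Review bot: Dropping `--quiet` from `grep "cryptsetup_password" /proc/cmdline` makes the condition print the matching kernel command line to the console whenever the flag is present, which looks unintended for a pure test and is unrelated to adding the new host. If the long option was removed because the grep available at this boot stage rejects it, the short POSIX form keeps the check silent: `if grep -q "cryptsetup_password" /proc/cmdline; then`. The script this line belongs to starts and ends outside the hunk.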
|
@ -14,6 +14,7 @@
|
||||||
if
|
if
|
||||||
builtins.elem currentHostname [
|
builtins.elem currentHostname [
|
||||||
"lappy-t495"
|
"lappy-t495"
|
||||||
|
"lappy-surface"
|
||||||
]
|
]
|
||||||
then usbSSHKeyFile
|
then usbSSHKeyFile
|
||||||
else if builtins.elem currentHostname ["wsl"]
|
else if builtins.elem currentHostname ["wsl"]
|
||||||
|
|