add host for microsoft surface / lappy

2024-03-30 10:28:16 +01:00 · 2024-03-30 10:28:16 +01:00 · f325016c69
parent 4c9c0eeed2
commit f325016c69
9 changed files with 137 additions and 15 deletions
--- a/extras/mk-encrypted-drive.nix
+++ b/extras/mk-encrypted-drive.nix
@ -20,23 +20,22 @@ in
        echo "If making a drive for bios then you will need to set BIOS env variable"
      fi
-      if [ -z "''${PASSWORD_FILE-}" ]; then
+      echo "If the drive is for a encrypted server then set \$2/KEY_FILE as password file with no trailing newline (nano -L)"
        echo "If the drive is for a encrypted server then password will need to be set with PASSWORD_FILE"
      fi
-      if [ -z "''${1-}" ]; then
+      if [ -z "''${DRIVE_PATH-}" ] && [ -z "''${1-}" ]; then
-        echo "Please specify a path to device as first argument"
+        echo "Please specify a path to drive as first argument or set DRIVE_PATH"
        exit 1
      else
        if [ -n "''${1-}" ]; then DRIVE_PATH=$1; fi
      fi
-      if [ -z "''${2-}" ]; then
+      if [ -z "''${KEY_FILE-}" ] && [ -z "''${2-}" ]; then
-        echo "Please specify a path to key file as second argument"
+        echo "Please specify a path to key file as second argument or set KEY_FILE"
        exit 1
      else
        if [ -n "''${2-}" ]; then KEY_FILE=$2; fi
      fi
      DRIVE_PATH=$1
      KEY_FILE=$2
      if echo "$DRIVE_PATH" | grep -q "[0-9]$"; then
          PARTITION_SEPARATOR="p"
      else
@ -71,9 +70,6 @@ in
      echo "Creating Encrypted Partition"
      cryptsetup luksFormat "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" --key-file "$KEY_FILE"
      if [ -n "''${PASSWORD_FILE-}" ]; then
        cryptsetup luksAddKey "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" --key-file "$KEY_FILE" < "$PASSWORD_FILE"
      fi
      echo "Opening Encrypted Partition"
      cryptsetup open "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" "mk_encrypted_drive" --key-file "$KEY_FILE"
--- a/hosts/lappy-surface/hardware.nix
+++ b/hosts/lappy-surface/hardware.nix
@ -0,0 +1,19 @@
 {tree, ...}: {
  imports = with tree; [
    presets.nixos.encryptedDrive
  ];
  boot = {
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };
    initrd.availableKernelModules = [
      # defaults from nixos-generate-config
      "xhci_pci" "nvme" "usb_storage" "usbhid" "sd_mod" "rtsx_pci_sdmmc"
    ];
    kernelModules = ["kvm-intel"];
  };
  hardware.cpu.intel.updateMicrocode = true;
 }
--- a/hosts/lappy-surface/lappy-surface.nix
+++ b/hosts/lappy-surface/lappy-surface.nix
@ -0,0 +1,48 @@
 {tree, ...}: {
  imports = with tree; [
    users.root
    users.chaos
    profiles.sshd
    presets.nixos.desktopGnome
    presets.nixos.laptop
    presets.nixos.encryptedUSB
    profiles.cross.arm64
    profiles.remoteBuilders
    #profiles.chaosInternalWireGuard
    ./secrets.nix
  ];
  home-manager.users.root = {
    imports = with tree; [home.base];
    home.stateVersion = "23.05";
  };
  home-manager.users.chaos = {
    imports = with tree; [
      home.base
      home.dev.all
      home.reversing
      home.homeFolders
      #home.musicLibrary
      home.programming.editors.nano
      home.programming.editors.vscode
      home.programming.languages.rust
      home.programming.languages.nix
    ];
    home.stateVersion = "23.05";
  };
  networking.firewall.enable = true;
  networking.firewall.allowPing = true;
  networking.firewall.allowedTCPPorts = [8088];
  networking.hostName = "lappy-surface";
  time.timeZone = "Europe/Vienna";
  system.stateVersion = "23.05";
 }
--- a/hosts/lappy-surface/secrets.nix
+++ b/hosts/lappy-surface/secrets.nix
@ -0,0 +1,46 @@
 {...}: {
  services.secrets = {
    enable = true;
    secrets = {
      usb_encryption_passphrase = {
        manual = true;
      };
      music_stream_password = {
        user = "chaos";
        group = "users";
        fetchScript = ''
          simple_get "/api-keys/music-stream" .password > "$secretFile"
        '';
      };
      # Required for home.apps.manualBackupApps
      restic_music_env = {
        user = "chaos";
        fetchScript = ''
          api_username=restic
          api_password=$(simple_get "/api-keys/storage/restic/Music" ".$api_username")
          restic_password=$(simple_get "/private-public-keys/restic/Music" .password)
          echo > "$secretFile"
          echo "RESTIC_REPOSITORY=rest:https://$api_username:$api_password@storage-restic.owo.monster/Music" >> "$secretFile"
          echo "RESTIC_PASSWORD=''${restic_password}" >> "$secretFile"
        '';
      };
      #restic_backups_password = {
      #  fetchScript = ''
      #    simple_get "/private-public-keys/restic/Lappy-Surface" .password > "$secretFile"
      #  '';
      #};
      #restic_backups_repository_file = {
      #  fetchScript = ''
      #    api_username=restic
      #    api_password=$(simple_get "/api-keys/storage/restic/Lappy-Surface" ".$api_username")
      #    echo "rest:https://$api_username:$api_password@storage-restic.owo.monster/Lappy-Surface" > "$secretFile"
      #  '';
      #};
    };
  };
 }
--- a/hosts/nixos.nix
+++ b/hosts/nixos.nix
@ -72,6 +72,17 @@ in {
    modules = defaultModules ++ [./lappy-t495/lappy-t495.nix ./lappy-t495/hardware.nix];
  };
  lappy-surface = nixosUnstableSystem {
    specialArgs =
      defaultSpecialArgs
      // {
        hostPath = ./lappy-surfacr;
      };
    system = "x86_64-linux";
    modules = defaultModules ++ [./lappy-surface/lappy-surface.nix ./lappy-surface/hardware.nix];
  };
  wsl = nixosUnstableSystem {
    specialArgs =
      defaultSpecialArgs
--- a/outputs.nix
+++ b/outputs.nix
@ -158,6 +158,7 @@ in
                sshAddress = "vault.servers.genderfucked.monster";
              };
            "lappy-t495" = configForMachine "lappy-t495";
            "lappy-surface" = configForMachine "lappy-surface";
          };
          machinesWithHostSecrets = filter (
--- a/presets/nixos/desktopBase.nix
+++ b/presets/nixos/desktopBase.nix
@ -31,7 +31,7 @@
      home.apps.strawberry
      home.apps.nicotine-plus
-      home.apps.musicutil
+      #home.apps.musicutil
      home.apps.mullvad
      home.apps.aria2
--- a/presets/nixos/encryptedDrive.nix
+++ b/presets/nixos/encryptedDrive.nix
@ -27,7 +27,7 @@ in {
        mkdir -m 0755 -p /keys
        mkdir -m 0755 -p ${encryptedUSB.mountpoint}
-        if grep --quiet "cryptsetup_password" /proc/cmdline; then
+        if grep "cryptsetup_password" /proc/cmdline; then
          USE_PASSWORD=true
        else
          USE_PASSWORD=false
--- a/profiles/remoteBuilders.nix
+++ b/profiles/remoteBuilders.nix
@ -14,6 +14,7 @@
    if
      builtins.elem currentHostname [
        "lappy-t495"
        "lappy-surface"
      ]
    then usbSSHKeyFile
    else if builtins.elem currentHostname ["wsl"]