


Author SHA1 Message Date
chaos 19f6da8d84
run formatters & linters 2024-04-01 18:20:38 +02:00
chaos d7a52dd711
_: -> {...}: 2024-04-01 18:19:39 +02:00
chaos 0bd415928c
make hardware profiles prettier 2024-04-01 18:18:10 +02:00
chaos aa350ce0a7
move normal encrypted drive support to a module 2024-04-01 18:02:14 +02:00
10 changed files with 194 additions and 118 deletions


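--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -38,6 +38,7 @@
 tree.modules.nixos.secrets
 tree.modules.nixos.postgreSQLRemoteBackup
 tree.modules.nixos.wslBuildTarballExt
+tree.modules.nixos.encryptedDrive
 ];
 nixosUnstableSystem = nixpkgs-unstable.lib.nixosSystem;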


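--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -0,0 +1,149 @@
+{
+self,
+config,
+pkgs,
+lib,
+...
+}: let
+inherit (lib.modules) mkIf mkBefore;
+inherit (lib.options) mkOption mkEnableOption;
+inherit (lib) types;
+encryptedUSB = import "${self}/data/drives/encryptedUSB.nix";
+driveData = import "${self}/data/drives/encryptedDrive.nix";
+cfg = config.boot.encryptedDrive;
+in {
+options.boot.encryptedDrive = {
+enable = mkEnableOption "encrypted drive support for servers and other devices";
+mode = mkOption {
+type = types.enum [
+"encrypted-usb"
+"password"
+];
+default = "encrypted-usb";
+};
+allowPasswordDecrypt = mkOption {
+description = "allow fallback to decrypting with a password when using USB based auth, pass cryptsetup_password to kernel cmdline to switch to password input mode";
+type = types.bool;
+default = true;
+};
+};
+config = mkIf cfg.enable {
+boot = {
+initrd.availableKernelModules = [
+# For USB w/ Encryption Key
+"usb_storage"
+"usbcore"
+"uas"
+"rtsx_pci_sdmmc"
+# For USB Keyboards
+"usbhid"
+"hid_generic"
+# For Cryptography
+"aesni_intel"
+"cryptd"
+"crypto_simd"
+];
+initrd.postDeviceCommands = mkIf (cfg.mode == "encrypted-usb") (mkBefore ''
+mkdir -m 0755 -p /keys
+mkdir -m 0755 -p ${encryptedUSB.mountpoint}
+${
+if cfg.allowPasswordDecrypt
+then ''
+if grep "cryptsetup_password" /proc/cmdline; then
+USE_PASSWORD_FALLBACK=true
+else
+USE_PASSWORD_FALLBACK=false
+fi
+''
+else ''
+USE_PASSWORD_FALLBACK=false
+''
+}
+while !(test -b ${encryptedUSB.encryptedPath}) && [ "$USE_PASSWORD_FALLBACK" == "false" ]
+do
+${
+if config.boot.plymouth.enable
+then ''
+${pkgs.plymouth}/bin/plymouth display-message --text="Please Plug In USB"
+''
+else ''
+echo "Please Plug In USB"
+''
+}
+sleep 1
+done
+${
+if config.boot.plymouth.enable
+then ''
+${pkgs.plymouth}/bin/plymouth hide-message --text="Please Plug In USB"
+if [ "$USE_PASSWORD_FALLBACK" == "true" ]; then
+${pkgs.plymouth}/bin/plymouth ask-for-password \
+--prompt="Please Enter Password" \
+--command="cryptsetup -T1 open ${driveData.encryptedPath} ${driveData.mapperName}" \
+--number-of-tries=3
+else
+${pkgs.plymouth}/bin/plymouth ask-for-password \
+--prompt="Please Decrypt USB" \
+--command="cryptsetup -T1 open ${encryptedUSB.encryptedPath} ${encryptedUSB.preBootMapperName}" \
+--number-of-tries=3
+fi
+''
+else ''
+if [ "$USE_PASSWORD_FALLBACK" == "true" ]; then
+echo "Please Decrypt Drive"
+cryptsetup open ${driveData.encryptedPath} ${driveData.mapperName}
+else
+echo "Please Decrypt USB"
+cryptsetup open ${encryptedUSB.encryptedPath} ${encryptedUSB.preBootMapperName}
+fi
+''
+}
+if [ "$USE_PASSWORD_FALLBACK" == "false" ]; then
+mount -n -t ${encryptedUSB.unencryptedFSType} -o ro ${encryptedUSB.preBootMapperPath} ${encryptedUSB.mountpoint}
+cp ${encryptedUSB.encryptionKeysPath}/${config.networking.hostName}.key /keys
+chmod 0755 /keys/${config.networking.hostName}.key
+umount -f ${encryptedUSB.mountpoint}
+cryptsetup close ${encryptedUSB.preBootMapperName}
+else
+touch /keys/${config.networking.hostName}.key
+fi
+'');
+initrd.luks.devices = {
+"${driveData.mapperName}" = {
+device = "${driveData.encryptedPath}";
+keyFile =
+if cfg.mode == "encrypted-usb"
+then "/keys/${config.networking.hostName}.key"
+else null;
+preLVM = false;
+allowDiscards = true;
+# Allows decrypting with a password when key is existant on USB but invalid
+fallbackToPassword = cfg.allowPasswordDecrypt;
+};
+};
+};
+fileSystems = {
+"/" = {
+device = "${driveData.decryptedPath}";
+fsType = "${driveData.unencryptedFSType}";
+};
+"/boot" = {
+device = "${driveData.bootPath}";
+fsType = "${driveData.bootFSType}";
+};
+};
+};
+}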
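Review bot: The LUKS key file that `cp` places under `/keys` in the initrd is immediately made readable and executable by everyone with `chmod 0755 /keys/${config.networking.hostName}.key`, and `/keys` itself is created with `mkdir -m 0755`; cryptsetup only needs the file readable by root, so `chmod 0400 /keys/${config.networking.hostName}.key` and `mkdir -m 0700 -p /keys` keep the secret as tight as the USB layout allows. Whether `/keys` is discarded after switch_root is not visible here — presumably yes, but worth confirming, since otherwise the copied key would remain readable from the booted system. Separately, the `mode` option carries no `description` while `allowPasswordDecrypt` does, e.g. `description = "how the root drive is unlocked: key file read from an encrypted USB stick, or an interactive password";`, and the new `grep "cryptsetup_password" /proc/cmdline` echoes the whole kernel command line to the console where `grep -q` would do.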


@ -1,109 +1,9 @@
{ {lib, ...}: let
self, inherit (lib.modules) mkDefault;
config,
pkgs,
lib,
...
}: let
inherit (lib.modules) mkBefore;
encryptedUSB = import "${self}/data/drives/encryptedUSB.nix";
driveData = import "${self}/data/drives/encryptedDrive.nix";
in { in {
boot = { boot.encryptedDrive = {
initrd.availableKernelModules = [ enable = true;
# For USB w/ Encryption Key mode = mkDefault "encrypted-usb";
"usb_storage" allowPasswordDecrypt = mkDefault true;
"usbcore"
"uas"
"sd_mod"
# For USB Keyboards
"usbhid"
# For Cryptography
"aesni_intel"
"cryptd"
];
initrd.postDeviceCommands = mkBefore ''
mkdir -m 0755 -p /keys
mkdir -m 0755 -p ${encryptedUSB.mountpoint}
if grep "cryptsetup_password" /proc/cmdline; then
USE_PASSWORD=true
else
USE_PASSWORD=false
fi
while !(test -b ${encryptedUSB.encryptedPath}) && [ "$USE_PASSWORD" == "false" ]
do
${
if config.boot.plymouth.enable
then ''
${pkgs.plymouth}/bin/plymouth display-message --text="Please Plug In USB"
''
else ''
echo "Please Plug In USB"
''
}
sleep 1
done
${
if config.boot.plymouth.enable
then ''
${pkgs.plymouth}/bin/plymouth hide-message --text="Please Plug In USB"
if [ "$USE_PASSWORD" == "true" ]; then
${pkgs.plymouth}/bin/plymouth ask-for-password \
--prompt="Please Enter Password" \
--command="cryptsetup -T1 open ${driveData.encryptedPath} ${driveData.mapperName}" \
--number-of-tries=3
else
${pkgs.plymouth}/bin/plymouth ask-for-password \
--prompt="Please Decrypt USB" \
--command="cryptsetup -T1 open ${encryptedUSB.encryptedPath} ${encryptedUSB.preBootMapperName}" \
--number-of-tries=3
fi
''
else ''
if [ "$USE_PASSWORD" == "true" ]; then
echo "Please Decrypt Drive"
cryptsetup open ${driveData.encryptedPath} ${driveData.mapperName}
else
echo "Please Decrypt USB"
cryptsetup open ${encryptedUSB.encryptedPath} ${encryptedUSB.preBootMapperName}
fi
''
}
if [ "$USE_PASSWORD" == "false" ]; then
mount -n -t ${encryptedUSB.unencryptedFSType} -o ro ${encryptedUSB.preBootMapperPath} ${encryptedUSB.mountpoint}
cp ${encryptedUSB.encryptionKeysPath}/${config.networking.hostName}.key /keys
chmod 0755 /keys/${config.networking.hostName}.key
umount -f ${encryptedUSB.mountpoint}
cryptsetup close ${encryptedUSB.preBootMapperName}
fi
'';
initrd.luks.devices = {
"${driveData.mapperName}" = {
device = "${driveData.encryptedPath}";
keyFile = "/keys/${config.networking.hostName}.key";
preLVM = false;
allowDiscards = true;
fallbackToPassword = true;
};
};
};
fileSystems = {
"/" = {
device = "${driveData.decryptedPath}";
fsType = "${driveData.unencryptedFSType}";
};
"/boot" = {
device = "${driveData.bootPath}";
fsType = "${driveData.bootFSType}";
};
}; };
} }
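Review bot: The removed `initrd.availableKernelModules` list here carried `sd_mod`, which the replacement module earlier in this compare does not list; unless the pinned NixOS already includes `sd_mod` in the initrd by default (recent releases do, but confirm against the pinned nixpkgs), a USB mass-storage stick never shows up as a block device and the new module's `while !(test -b …)` loop spins until the password-fallback kernel parameter is given. The nine-line wrapper that remains sets `enable = true` unconditionally while leaving `mode` and `allowPasswordDecrypt` as `mkDefault`, which reads as intended for a profile but deserves a one-line comment such as `# profile: encrypted root; hosts override mode / allowPasswordDecrypt as needed`.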


@ -4,12 +4,21 @@
... ...
}: let }: let
inherit (lib.modules) mkIf; inherit (lib.modules) mkIf;
is_x86 = "${pkgs.system}" == "x86_64-linux";
in { in {
hardware.enableRedistributableFirmware = true; hardware = {
hardware.enableAllFirmware = true; enableAllFirmware = true;
hardware.cpu.intel.updateMicrocode = enableRedistributableFirmware = true;
mkIf ("${pkgs.system}" == "x86_64-linux") true; wirelessRegulatoryDatabase = true;
hardware.cpu.amd.updateMicrocode =
mkIf ("${pkgs.system}" == "x86_64-linux") true; ksm.enable = true;
hardware.wirelessRegulatoryDatabase = true;
i2c.enable = true;
cpu = {
intel.updateMicrocode = mkIf is_x86 true;
amd.updateMicrocode = mkIf is_x86 true;
};
};
} }
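Review bot: `ksm.enable = true` is new in this profile and switches on kernel same-page merging for every host importing it; cross-process page deduplication is a documented timing side channel between untrusted workloads (shared pages make cache-timing probes possible), so it merits a comment stating why it is wanted here, or a move to a VM-host-specific profile rather than the general hardware one. On style, `is_x86` is the only snake_case binding in a file whose attributes are camelCase, and `"${pkgs.system}" == "x86_64-linux"` interpolates a string into a string to no effect — `isX86 = pkgs.stdenv.hostPlatform.isx86_64;` states the same condition directly. The left/right layout of this section could not be separated with certainty, so this reads the right-hand text as the new side.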


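--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -1,4 +1,4 @@
-_: {
+{...}: {
 hardware.bluetooth.enable = true;
 services.blueman.enable = true;
 }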


@ -1,5 +1,6 @@
{pkgs, ...}: { {pkgs, ...}: {
services.usbmuxd.enable = true; services.usbmuxd.enable = true;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
libimobiledevice libimobiledevice
ifuse # optional, to mount using 'ifuse' ifuse # optional, to mount using 'ifuse'


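--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -1,4 +1,17 @@
 {pkgs, ...}: {
-services.printing.enable = true;
-services.printing.drivers = with pkgs; [gutenprint hplip];
+services.avahi = {
+enable = true;
+nssmdns = true;
+openFirewall = true;
+};
+services.printing = {
+enable = true;
+drivers = with pkgs; [gutenprint hplip];
+};
+hardware.sane = {
+enable = true;
+openFirewall = true;
+};
 }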
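Review bot: `openFirewall = true` is set on both `services.avahi` and `hardware.sane`, so every host importing this profile now accepts mDNS on UDP 5353 and the scanner-discovery traffic the sane option opens, on all interfaces; if the profile is only meant for desktops on a trusted LAN a comment saying so would help, otherwise restrict it via `networking.firewall.interfaces.<lan-interface>` instead of the global option. Also, `services.avahi.nssmdns` has been split into `nssmdns4`/`nssmdns6` in newer NixOS releases — worth checking against the pinned nixpkgs so the build does not pick up a rename warning.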


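--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -1,4 +1,4 @@
-_: {
+{...}: {
 sound.enable = true;
 security.rtkit.enable = true;
 services.pipewire = {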


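--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -1,4 +1,4 @@
-_: {
+{...}: {
 services.tor = {
 enable = true;
 client.enable = true;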


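--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -13,6 +13,9 @@
 "uinput"
 "audio"
 "rtkit"
+"i2c"
+"kvm"
+"usbmux"
 ];
 openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEZpvkllLt7HinNpisOx7hWT2br68UoCg0sXKTxHEeUB chaos@chaos"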
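Review bot: The three groups added here each widen what this account can reach without root — `kvm` grants direct use of `/dev/kvm`, and `i2c` (with the `hardware.i2c.enable` change elsewhere in this compare) grants read/write on the `/dev/i2c-*` buses, which include the monitors' DDC channels and any EEPROMs hanging off them; that is normal for a personal workstation login but each line deserves a short justification, e.g. `"kvm" # run hardware-accelerated VMs without root`. The enclosing `users.users.<name>` definition starts before this hunk, so whether this is purely an interactive account cannot be confirmed from here.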