feat: remote unlock

This commit is contained in:
Patrick 2023-09-20 21:49:49 +02:00
parent 285185b336
commit 16e3fd9647
Signed by: patrick
GPG key ID: 451F95EFB8BECD0F
8 changed files with 63 additions and 6 deletions


@ -5,6 +5,7 @@
# TODO: sollte entfernt werden für server # TODO: sollte entfernt werden für server
../../modules/config ../../modules/config
../../modules/optional/initrd-ssh.nix
../../modules/hardware/intel.nix ../../modules/hardware/intel.nix
../../modules/hardware/physical.nix ../../modules/hardware/physical.nix


@ -14,4 +14,8 @@
}; };
}; };
}; };
boot.initrd.systemd.network = {
enable = true;
networks = {inherit (config.systemd.network.networks) "01-lan1";};
};
} }
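Review bot: The new `boot.initrd.systemd.network` block carries no comment explaining why the stage-2 unit `"01-lan1"` is pulled into the initrd, and a reader of this file alone cannot tell it exists to make the pre-LUKS SSH unlock reachable; a one-liner such as `# Bring up the LAN inside the initrd so the remote-unlock SSH server is reachable before the root disk is opened` would do. Whatever `"01-lan1"` configures in stage 2 (DHCP, static address, matching rule) is inherited verbatim — presumably intended, but worth verifying that it does not depend on stage-2-only resources. The enclosing attribute set of this hunk starts outside the view.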


@ -1,20 +1,24 @@
{ {
config, config,
lib, lib,
pkgs,
... ...
}: { }: {
boot = { boot = {
initrd.systemd = { initrd.systemd = {
enable = true; enable = true;
emergencyAccess = config.secrets.secrets.global.users.root.passwordHash; emergencyAccess = config.secrets.secrets.global.users.root.passwordHash;
extraBin.ip = "${pkgs.iproute}/bin/ip";
}; };
initrd.availableKernelModules = ["xhci_pci" "nvme" "usb_storage" "usbhid" "sd_mod" "rtsx_pci_sdmmc" "ahci" "uas"]; initrd.availableKernelModules = ["xhci_pci" "nvme" "r8169" "usb_storage" "usbhid" "sd_mod" "rtsx_pci_sdmmc" "ahci" "uas"];
supportedFilesystems = ["ntfs"]; supportedFilesystems = ["ntfs"];
kernelModules = ["kvm-intel"]; kernelModules = ["kvm-intel"];
kernelParams = [ kernelParams = [
"rd.luks.options=timeout=0" "rd.luks.options=timeout=0"
"rootflags=x-systemd.device-timeout=0" "rootflags=x-systemd.device-timeout=0"
# NOTE: Add "rd.systemd.unit=rescue.target" to debug initrd
#"rd.systemd.unit=rescue.target"
]; ];
tmp.useTmpfs = true; tmp.useTmpfs = true;
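Review bot: `extraBin.ip = "${pkgs.iproute}/bin/ip";` references `pkgs.iproute`, which as far as I know survives in nixpkgs only as an alias of `pkgs.iproute2` and fails when `allowAliases = false`; prefer `extraBin.ip = "${pkgs.iproute2}/bin/ip";`. The `"r8169"` module inserted into `initrd.availableKernelModules` has no comment; presumably it is the onboard NIC driver needed for the initrd network, so a note like `# r8169: NIC driver, needed so the initrd can bring up the network for remote unlock — confirm against lspci` would save the next reader a search. The commented-out `rd.systemd.unit=rescue.target` entry with its NOTE is fine as is.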


@ -18,8 +18,15 @@
in in
lib.mkIf (lib.pathExists pubkeyPath || lib.trace "Missing pubkey for ${config.node.name}: ${toString pubkeyPath} not found, using dummy replacement key for now." false) lib.mkIf (lib.pathExists pubkeyPath || lib.trace "Missing pubkey for ${config.node.name}: ${toString pubkeyPath} not found, using dummy replacement key for now." false)
pubkeyPath; pubkeyPath;
generatedSecretsDir = config.node.secretsDir + "/generated/";
}; };
security.sudo.enable = false; security.sudo.enable = false;
security.tpm2 = {
enable = true;
abrmd.enable = true;
pkcs11.enable = true;
tctiEnvironment.enable = true;
};
time.timeZone = lib.mkDefault "Europe/Berlin"; time.timeZone = lib.mkDefault "Europe/Berlin";
i18n.defaultLocale = "C.UTF-8"; i18n.defaultLocale = "C.UTF-8";
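Review bot: The new `security.tpm2` block enables `abrmd` but leaves `tctiEnvironment.interface` at its default, which (if I recall the module correctly) is `"device"`, so tools inheriting the environment talk to the TPM device node directly and bypass the resource manager that was just enabled; add `tctiEnvironment.interface = "tabrmd";` or drop `abrmd.enable` if direct access is the intent. `generatedSecretsDir = config.node.secretsDir + "/generated/";` is introduced here but not used anywhere in this hunk; presumably a consumer exists elsewhere, and a short comment naming it (`# used by ... for generator output`) would make that clear. The enclosing `let`/attribute set starts outside the hunk.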


@ -0,0 +1,34 @@
{
config,
pkgs,
...
}: {
age.secrets.initrd_host_ed25519_key.generator.script = "ssh-ed25519";
boot.initrd.network.enable = true;
boot.initrd.network.ssh = {
enable = true;
port = 4;
# I think this is impure as the new initrd gets generated before
# agenix decrypts your secrets, meaning your initrd hostkey
# need two activations to change as well as that to enable this
# module you need to set hostKeys to a dummy value and generate
# and invalid initrd once
hostKeys = [config.age.secrets.initrd_host_ed25519_key.path];
};
# Make sure that there is always a valid initrd hostkey available that can be installed into
# the initrd. When bootstrapping a system (or re-installing), agenix cannot succeed in decrypting
# whatever is given, since the correct hostkey doesn't even exist yet. We still require
# a valid hostkey to be available so that the initrd can be generated successfully.
# The correct initrd host-key will be installed with the next update after the host is booted
# for the first time, and the secrets were rekeyed for the the new host identity.
system.activationScripts.agenixEnsureInitrdHostkey = {
text = ''
[[ -e ${config.age.secrets.initrd_host_ed25519_key.path} ]] \
|| ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f ${config.age.secrets.initrd_host_ed25519_key.path}
'';
deps = ["agenixInstall"];
};
system.activationScripts.agenixChown.deps = ["agenixEnsureInitrdHostkey"];
}
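Review bot: Nothing in this new file says who may log in to the unlock shell: `boot.initrd.network.ssh.authorizedKeys` is not set, so access falls back to the module default (root's `openssh.authorizedKeys.keys`, if I recall correctly), which is easy to miss in review; either set it explicitly or add `# authorizedKeys: inherited from users.users.root.openssh.authorizedKeys.keys` next to `port = 4;`. The `agenixEnsureInitrdHostkey` fallback means the first boot's initrd carries a locally generated key whose fingerprint changes once the rekeyed secret is installed, so the block comment should say that clients will see a host-key change for port 4 after the first rebuild. The long comment above `hostKeys` has two typos ("and invalid initrd" → "an invalid initrd", "the the new host" → "the new host") and could be tightened to one sentence stating that the key is only picked up on the second activation. Note also that the initrd itself is unencrypted on the boot partition, so this key authenticates the initrd only and should never double as the stage-2 host key.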


@ -13,10 +13,10 @@
vim.opt.termguicolors = false vim.opt.termguicolors = false
vim.keymap.set('n', '<CR>', '<C-]>', {silent = true, desc = "Jump to tag under cursor}) vim.keymap.set('n', '<CR>', '<C-]>', {silent = true, desc = "Jump to tag under cursor"})
vim.keymap.set('n', '<Bs>', ':pop<CR>', {silent = true, desc = "Jump to tag under cursor}) vim.keymap.set('n', '<Bs>', ':pop<CR>', {silent = true, desc = "Jump to tag under cursor"})
vim.keymap.set('n', '<C-Left>', ':pop<CR>', {silent = true, desc = "Jump to tag under cursor}) vim.keymap.set('n', '<C-Left>', ':pop<CR>', {silent = true, desc = "Jump to tag under cursor"})
vim.keymap.set('n', '<C-Right>', ':tag<CR>', {silent = true, desc = "Jump to tag under cursor}) vim.keymap.set('n', '<C-Right>', ':tag<CR>', {silent = true, desc = "Jump to tag under cursor"})
''; '';
nvimPager = pkgs.wrapNeovimUnstable pkgs.neovim-unwrapped neovimConfig; nvimPager = pkgs.wrapNeovimUnstable pkgs.neovim-unwrapped neovimConfig;
neovimConfig = neovimConfig =
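Review bot: The fix closes the unterminated string in all four `desc` values, but the descriptions themselves are still copy-pasted — `<Bs>` and `<C-Left>` run `:pop` and `<C-Right>` runs `:tag`, none of which "Jump to tag under cursor". Suggested values: `desc = "Pop tag stack (jump back)"` for the two `:pop` mappings and `desc = "Jump forward in tag stack"` for `:tag`, keeping the existing text only on the `<CR>` mapping. The surrounding Nix string literal and its `neovimConfig` binding continue outside the hunk.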


@ -15,7 +15,14 @@
isNormalUser = true; isNormalUser = true;
uid = 1000; uid = 1000;
createHome = true; createHome = true;
extraGroups = ["wheel" "audio" "video" "input"]; extraGroups = [
"wheel"
"audio"
"video"
"input"
# TPM settings
"tss"
];
group = "patrick"; group = "patrick";
hashedPassword = config.secrets.secrets.global.users.patrick.passwordHash; hashedPassword = config.secrets.secrets.global.users.patrick.passwordHash;
}; };
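Review bot: The comment `# TPM settings` above `"tss"` does not say what the membership grants; being in `tss` gives this non-root user access to the TPM device nodes (via the udev rules the `security.tpm2` module installs, as far as I recall), which is a privilege worth naming. Replace it with `# tss: grants access to /dev/tpm* so this user can use the TPM (security.tpm2)`. The enclosing `users.users.patrick` attribute set starts outside the hunk.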