commit a5c08a100ac9d713c79533864dde09c98ef3c4df Author: min Date: Fri Dec 27 17:44:03 2024 -0500 initial commit diff --git a/.envrc b/.envrc new file mode 100644 index 0000000..f41a01c --- /dev/null +++ b/.envrc @@ -0,0 +1,4 @@ +if ! has nix_direnv_version || ! nix_direnv_version 3.0.5; then + source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/3.0.5/direnvrc" "sha256-RuwIS+QKFj/T9M2TFXScjBsLR6V3A17YVoEW/Q6AZ1w=" +fi +use flake diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..e43eb3b --- /dev/null +++ b/.gitignore @@ -0,0 +1,6 @@ +/.direnv + +# files decrypted by vscode-sops +.decrypted~* + +/tmp diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..19be017 --- /dev/null +++ b/.sops.yaml @@ -0,0 +1,10 @@ +keys: + - &min 78795D9EBD425CBB3E850BC45DF91852CB14CEFF + - &mpl age12pxpwrmws2vpeeptcj6m2dejg53qgsqtl2uevls4rty22xqtgpvqhtgtpc +creation_rules: + - path_regex: secrets/mpl\.yaml$ + key_groups: + - pgp: + - *min + age: + - *mpl diff --git a/.vscode/settings.json b/.vscode/settings.json new file mode 100644 index 0000000..13ffdd2 --- /dev/null +++ b/.vscode/settings.json @@ -0,0 +1,12 @@ +{ + "nix.enableLanguageServer": true, + "nix.serverSettings": { + "nil": { + "formatting": { + "command": [ + "alejandra" + ] + } + } + }, +} \ No newline at end of file diff --git a/README.md b/README.md new file mode 100644 index 0000000..15f6bfd --- /dev/null +++ b/README.md @@ -0,0 +1,3 @@ +# nixos-configs + +NixOS configurations for personal devices diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..91b1444 --- /dev/null +++ b/flake.lock 
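Review bot: The trailing comma after the `nix.serverSettings` object makes `.vscode/settings.json` invalid under a strict RFC 8259 parser, and the file also ends without a newline. VS Code reads this file as JSONC so it tolerates both, but any other tool that parses workspace settings will reject it; dropping the comma after the closing `}` of `nix.serverSettings` costs nothing and keeps the file portable.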
@@ -0,0 +1,153 @@ +{ + "nodes": { + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1735048446, + "narHash": "sha256-Tc35Y8H+krA6rZeOIczsaGAtobSSBPqR32AfNTeHDRc=", + "owner": "nix-community", + "repo": "disko", + "rev": "3a4de9fa3a78ba7b7170dda6bd8b4cdab87c0b21", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1733312601, + "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1735053786, + "narHash": "sha256-Gm+0DcbUS338vvkwyYWms5jsWlx8z8MeQBzcnIDuIkw=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "35b98d20ca8f4ca1f6a2c30b8a2c8bb305a36d84", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "impermanence": { + "locked": { + "lastModified": 1734945620, + "narHash": "sha256-olIfsfJK4/GFmPH8mXMmBDAkzVQ1TWJmeGT3wBGfQPY=", + "owner": "nix-community", + "repo": "impermanence", + "rev": "d000479f4f41390ff7cf9204979660ad5dd16176", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "impermanence", + "type": "github" + } + }, + "nixos-hardware": { + "locked": { + "lastModified": 1734954597, + "narHash": "sha256-QIhd8/0x30gEv8XEE1iAnrdMlKuQ0EzthfDR7Hwl+fk=", + "owner": "nixos", + "repo": "nixos-hardware", + "rev": "def1d472c832d77885f174089b0d34854b007198", + "type": "github" + }, + "original": { + "owner": "nixos", + "repo": "nixos-hardware", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 
1734991663, + "narHash": "sha256-8T660guvdaOD+2/Cj970bWlQwAyZLKrrbkhYOFcY1YE=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "6c90912761c43e22b6fb000025ab96dd31c971ff", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-24.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-lib": { + "locked": { + "lastModified": 1733096140, + "narHash": "sha256-1qRH7uAUsyQI7R1Uwl4T+XvdNv778H0Nb5njNrqvylY=", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz" + } + }, + "root": { + "inputs": { + "disko": "disko", + "flake-parts": "flake-parts", + "home-manager": "home-manager", + "impermanence": "impermanence", + "nixos-hardware": "nixos-hardware", + "nixpkgs": "nixpkgs", + "sops-nix": "sops-nix" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1734546875, + "narHash": "sha256-6OvJbqQ6qPpNw3CA+W8Myo5aaLhIJY/nNFDk3zMXLfM=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "ed091321f4dd88afc28b5b4456e0a15bd8374b4d", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..8f0ef3b --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,64 @@ +{ + description = "nixos configurations"; + + inputs = { + nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11"; + + flake-parts.url = "github:hercules-ci/flake-parts"; + + sops-nix.url = "github:Mic92/sops-nix"; + sops-nix.inputs.nixpkgs.follows = "nixpkgs"; + + disko.url = "github:nix-community/disko"; + disko.inputs.nixpkgs.follows = "nixpkgs"; + + impermanence.url = "github:nix-community/impermanence"; + + nixos-hardware.url = "github:nixos/nixos-hardware"; + nixos-hardware.inputs.nixpkgs.follows = "nixpkgs"; + + home-manager.url = "github:nix-community/home-manager"; + home-manager.inputs.nixpkgs.follows = "nixpkgs"; + }; + + nixConfig = { + extra-substituters = [ + "https://nix-community.cachix.org" + ]; + extra-trusted-public-keys = [ + "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" + ]; + }; + + outputs = inputs @ {self, ...}: + inputs.flake-parts.lib.mkFlake {inherit inputs;} { + flake = let + hosts = import ./hosts {inherit inputs;}; + in { + inherit (hosts) nixosConfigurations homeConfigurations; + }; + + systems = ["x86_64-linux"]; + + perSystem = { + system, + pkgs, + ... + }: { + devShells.default = pkgs.mkShell { + packages = with pkgs; [ + sops + ssh-to-age + # not included: age, gpg, pcscd, scdaemon, etc. + + disko + + nil + alejandra + statix + deadnix + ]; + }; + }; + }; +} diff --git a/hosts/default.nix b/hosts/default.nix new file mode 100644 index 0000000..d5d5ac9 --- /dev/null +++ b/hosts/default.nix 
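Review bot: `nixos-hardware.inputs.nixpkgs.follows = "nixpkgs"` names an input that nixos-hardware does not declare: the `nixos-hardware` node in the flake.lock of this same commit has no `inputs` attribute, unlike `disko`, `home-manager` and `sops-nix`, so the line is a no-op and Nix is expected to warn about an override for a non-existent input on every lock update. Drop the line, or if it is kept as a reminder, annotate it with `# nixos-hardware declares no nixpkgs input; nothing to follow`. `impermanence` is correctly left without a `follows` for the same reason, and `flake-parts` depending on its own `nixpkgs-lib` tarball is deliberate upstream design.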
@@ -0,0 +1,35 @@ +{inputs, ...}: let + systems = ["mpl"]; + + inherit (inputs.nixpkgs) lib; + + makeNixosConfigurations = systems: + lib.listToAttrs (lib.map + (name: let + system = import ./${name} {inherit inputs;}; + in { + inherit name; + value = lib.nixosSystem { + inherit (system) system; + + modules = + system.modules + ++ [ + { + _module.args = { + inherit inputs; + }; + } + + # ../modules + ]; + }; + }) + systems); + + makeHomeConfigurations = systems: + builtins.throw "todo"; +in { + nixosConfigurations = makeNixosConfigurations systems; + homeConfigurations = makeHomeConfigurations systems; +} diff --git a/hosts/mpl/audio.nix b/hosts/mpl/audio.nix new file mode 100644 index 0000000..bc8a406 --- /dev/null +++ b/hosts/mpl/audio.nix @@ -0,0 +1,15 @@ +{...}: { + # Enable sound. + services.pipewire = { + enable = true; + + pulse.enable = true; + + alsa.enable = true; + alsa.support32Bit = true; + }; + + security.rtkit.enable = true; + + hardware.framework.laptop13.audioEnhancement.enable = true; +} diff --git a/hosts/mpl/bootloader.nix b/hosts/mpl/bootloader.nix new file mode 100644 index 0000000..d351659 --- /dev/null +++ b/hosts/mpl/bootloader.nix @@ -0,0 +1,12 @@ +{...}: { + # TODO: lanzaboote + boot.loader = { + efi.canTouchEfiVariables = true; + + timeout = 2; + systemd-boot = { + enable = true; + configurationLimit = 3; + }; + }; +} diff --git a/hosts/mpl/configuration.nix b/hosts/mpl/configuration.nix new file mode 100644 index 0000000..0b6b47d --- /dev/null +++ b/hosts/mpl/configuration.nix 
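Review bot: `makeHomeConfigurations` unconditionally `builtins.throw`s, and `homeConfigurations = makeHomeConfigurations systems` is exported as a flake output, so anything that enumerates outputs (`nix flake show`, `nix flake check`) aborts on the throw even though `nixosConfigurations` is complete. Until home-manager is wired in, return an empty set instead: `makeHomeConfigurations = _: {}; # TODO: home-manager`. Two smaller points in the same hunk: the `# ../modules` line keeps `modules/default.nix` (and with it `users.mutableUsers = false`, the nix settings and the nebula module) out of every host, which is worth a comment stating that it is intentional for now, and the `homes` list that `hosts/mpl/default.nix` defines is never read here.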
@@ -0,0 +1,46 @@ +{...}: { + imports = [ + ./audio.nix + ./bootloader.nix + ./disk-config.nix + ./hardware.nix + ./mounts.nix + ./secrets.nix + ]; + + networking.hostName = "mpl"; # Define your hostname. + networking.networkmanager.enable = true; + + # Allow unfree packages (firmware) + nixpkgs.config.allowUnfree = true; + + # Set your time zone. + time.timeZone = "America/New_York"; + + # Select internationalisation properties. + i18n.defaultLocale = "en_US.UTF-8"; + console = { + font = "Lat2-Terminus16"; + keyMap = "us"; + }; + + # Enable touchpad support (enabled default in most desktopManager). + services.libinput.enable = true; + + # Define a user account. Don't forget to set a password with ‘passwd’. + users.users.min = { + isNormalUser = true; + extraGroups = ["wheel"]; # Enable ‘sudo’ for the user. + }; + + # Some programs need SUID wrappers, can be configured further or are + # started in user sessions. + programs.gnupg.agent = { + enable = true; + enableSSHSupport = true; + # TODO: pinentryPackage - rofi/bemenu maybe + }; + services.pcscd.enable = true; + + system.stateVersion = "24.11"; +} diff --git a/hosts/mpl/default.nix b/hosts/mpl/default.nix new file mode 100644 index 0000000..9c5f250 --- /dev/null +++ b/hosts/mpl/default.nix @@ -0,0 +1,13 @@ +{inputs, ...}: { + system = "x86_64-linux"; + modules = [ + inputs.nixos-hardware.nixosModules.framework-13-7040-amd + inputs.sops-nix.nixosModules.sops + inputs.disko.nixosModules.disko + inputs.impermanence.nixosModules.impermanence + ./configuration.nix + ]; + homes = [ + "min" + ]; +} diff --git a/hosts/mpl/disk-config.nix b/hosts/mpl/disk-config.nix new file mode 100644 index 0000000..345520f --- /dev/null +++ b/hosts/mpl/disk-config.nix 
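Review bot: `users.users.min` (and implicitly `root`) gets no `hashedPasswordFile`, while `hosts/mpl/secrets.nix` declares `root-pw` and `user-pw` with `neededForUsers = true` that nothing consumes; once `modules/default.nix` with `users.mutableUsers = false` is imported, both accounts end up with no usable password. Assuming the two secrets hold `mkpasswd`-style hashes, take `config` in the module arguments (`{config, ...}: {`), add `hashedPasswordFile = config.sops.secrets."user-pw".path;` under `users.users.min`, and add `users.users.root.hashedPasswordFile = config.sops.secrets."root-pw".path;`. The same gap applies to the `hosts/mpl/secrets.nix` and `modules/default.nix` hunks further down, so it is noted only here.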
@@ -0,0 +1,70 @@ +{ + disko.devices = { + disk = { + main = { + type = "disk"; + device = "/dev/disk/by-id/nvme-WD_BLACK_SN850X_2000GB_23234H800567"; + content = { + type = "gpt"; + + partitions = { + esp = { + name = "ESP"; + type = "EF00"; + size = "1G"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = ["defaults" "umask=0077"]; + }; + }; + + luks = { + size = "100%"; + content = { + type = "luks"; + name = "encrypted"; + extraOpenArgs = []; + settings = { + allowDiscards = true; + bypassWorkqueues = true; + }; + passwordFile = "/tmp/luks-pw"; + content = { + type = "btrfs"; + extraArgs = ["-f"]; + subvolumes = { + "/nix" = { + mountpoint = "/nix"; + mountOptions = ["noatime"]; + }; + "/persist" = { + mountpoint = "/persist"; + mountOptions = ["compress=zstd" "noatime"]; + }; + "/swap" = { + mountpoint = "/.swapvol"; + swap.swap1.size = "16G"; + }; + }; + }; + }; + }; + }; + }; + }; + }; + + nodev = { + "/" = { + fsType = "tmpfs"; + mountOptions = [ + "defaults" + "size=16G" + "mode=755" + ]; + }; + }; + }; +} diff --git a/hosts/mpl/hardware.nix b/hosts/mpl/hardware.nix new file mode 100644 index 0000000..5510ba4 --- /dev/null +++ b/hosts/mpl/hardware.nix @@ -0,0 +1,27 @@ +{ + config, + lib, + modulesPath, + ... +}: { + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot = { + initrd = { + availableKernelModules = ["nvme" "xhci_pci" "thunderbolt" "usb_storage" "sd_mod"]; + kernelModules = []; + }; + kernelModules = ["kvm-amd"]; + extraModulePackages = []; + }; + + hardware.enableAllFirmware = true; + + # let networkmanager handle it + networking.useDHCP = lib.mkDefault false; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/mpl/mounts.nix b/hosts/mpl/mounts.nix new file mode 100644 index 0000000..e6daccd --- /dev/null +++ b/hosts/mpl/mounts.nix 
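Review bot: `passwordFile = "/tmp/luks-pw"` is consumed by disko only while formatting, and the file at that path is created by `scripts/install.sh` with a plain `cp` (mode taken from the umask) and is not removed by the script's `cleanup` trap, which deletes only `$temp`; the LUKS passphrase can therefore remain in the installer's `/tmp`, potentially readable by other local users, after the run. In install.sh write it with `install -m 600 "$KEYDIR/luks-pw" /tmp/luks-pw` and add `rm -f /tmp/luks-pw` to `cleanup`. A comment on this line, `# only read by disko-install; written and removed by scripts/install.sh`, would make the coupling visible to the next reader.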
@@ -0,0 +1,54 @@ +{pkgs, ...}: { + environment.persistence."/persist" = { + hideMounts = true; + directories = [ + "/etc/secureboot" + "/etc/ssh" + "/etc/secrets" + "/etc/NetworkManager/system-connections" + + "/var/log" + "/var/lib" + "/var/db/sudo" + ]; + files = [ + "/etc/machine-id" + ]; + + users.min = { + directories = [ + # cli tools + { + directory = ".gnupg"; + mode = "0700"; + } + { + directory = ".ssh"; + mode = "0700"; + } + ".local/share/direnv" + + # languages + ".cargo" + + # generic folders + "Documents" + "Downloads" + "Videos" + "Pictures" + # TODO: "Music" should probably be mounted via NFS + "p" + ]; + }; + }; + environment.systemPackages = [pkgs.ncdu]; + + fileSystems = { + "/".neededForBoot = true; + "/etc/ssh" = { + depends = ["/persist"]; + neededForBoot = true; + }; + "/persist".neededForBoot = true; # no further config is needed, disko handles the rest + }; +} diff --git a/hosts/mpl/nebula.nix b/hosts/mpl/nebula.nix new file mode 100644 index 0000000..97b2cb2 --- /dev/null +++ b/hosts/mpl/nebula.nix @@ -0,0 +1,29 @@ +{config, ...}: let + inherit (import ../../modules/nebula/shared.nix) userGroup; +in { + sops.secrets."nebula-key" = { + mode = "0440"; + owner = userGroup; + group = userGroup; + }; + + # TODO: why? + networking.firewall.allowedUDPPorts = [4242]; + + gen.nebula = { + enable = true; + enableLighthouse = false; + + cert = ../../keys/n-usr-min-fwl.crt; + key = config.sops.secrets."nebula-key".path; + + extraInbound = [ + # Allow iperf3 from anyone + { + port = 5201; + proto = "any"; + host = "any"; + } + ]; + }; +} diff --git a/hosts/mpl/secrets.nix b/hosts/mpl/secrets.nix new file mode 100644 index 0000000..3588997 --- /dev/null +++ b/hosts/mpl/secrets.nix @@ -0,0 +1,9 @@ +{...}: { + sops = { + defaultSopsFile = ../../secrets/mpl.yaml; + age.sshKeyPaths = ["/persist/etc/ssh/ssh_host_ed25519_key"]; + + secrets."root-pw" = {neededForUsers = true;}; + secrets."user-pw" = {neededForUsers = true;}; + }; +} 
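Review bot: `hosts/mpl/nebula.nix` is not listed in the `imports` of `hosts/mpl/configuration.nix`, and the `gen.nebula` options it sets are declared in `modules/nebula/default.nix`, which only enters the module set via `modules/default.nix`, itself commented out (`# ../modules`) in `hosts/default.nix`. As committed the file is unreachable, and adding it to `imports` on its own would fail evaluation on the undefined `gen.nebula` option until `../modules` is enabled; a `# not imported yet: needs ../modules for gen.nebula` comment at the top would spare the next reader that hunt. On `networking.firewall.allowedUDPPorts = [4242]` with its `# TODO: why?`: this appears to be the nebula listen port that peers must reach for direct tunnels, so confirm it against the NixOS nebula module's `listen.port` default and replace the TODO with that explanation.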
diff --git a/keys/ca.crt b/keys/ca.crt new file mode 100644 index 0000000..283441f --- /dev/null +++ b/keys/ca.crt @@ -0,0 +1,5 @@ +-----BEGIN NEBULA CERTIFICATE----- +CjkKB20uaW5mcmEorIy3uAYwrPO7xwY6ILUb5mS0HBCYrAhWPXwqvtnBmmqz1lKc +NOG84dEk3/biQAESQAEi7CVxFVDlG7ihV3nuosvEpodNZqS/RJ8GGKUBuLMz1BfE +XdnMkMj44YQ2owDKYKgvZFc3nQGsrq5/4cWAdgs= +-----END NEBULA CERTIFICATE----- diff --git a/keys/n-usr-min-fwl.crt b/keys/n-usr-min-fwl.crt new file mode 100644 index 0000000..6f42e2b --- /dev/null +++ b/keys/n-usr-min-fwl.crt @@ -0,0 +1,6 @@ +-----BEGIN NEBULA CERTIFICATE----- +CmoKDW4tdXNyLW1pbi1md2wSCYGQt1CAgPz/Dyj2vJy5BjCr87vHBjogCTA+pJbo +LAzdHXEVYrcoedDTJQkV99zAx4gVOOaqK3NKIC9yiWnXjCJT2HfiClMu+en3Out6 +l4ReySH/GXaXDNbjEkBxU7tvkXbINQ0TIHRiF+CJEtbQcwBfTuVpM0HkzhasF4KF +Ilr7wBLRNEbrGybtNIW8XeLo9gkuSkhUhJns400J +-----END NEBULA CERTIFICATE----- diff --git a/modules/default.nix b/modules/default.nix new file mode 100644 index 0000000..bc968ef --- /dev/null +++ b/modules/default.nix @@ -0,0 +1,46 @@ +{ + inputs, + config, + pkgs, + ... +}: { + imports = [ + ./nebula + + ./networking.nix + ./programs.nix + ]; + + # Immutable users + users.mutableUsers = false; + + ### Nix settings ### + nix = { + # Periodically optimise & collect garbage + gc = { + automatic = true; + dates = "weekly"; + options = "--delete-older-than 30d"; + }; + optimise = { + automatic = true; + dates = ["weekly"]; + }; + + # Make sure flakes are enabled + settings = { + experimental-features = ["nix-command" "flakes"]; + flake-registry = ""; + nix-path = config.nix.nixPath; + }; + extraOptions = '' + keep-outputs = true + keep-derivations = true + ''; + nixPath = ["nixpkgs=${pkgs.path}"]; + registry = { + self.flake = inputs.self; + nixpkgs.flake = inputs.nixpkgs; + }; + }; +} diff --git a/modules/nebula/default.nix b/modules/nebula/default.nix new file mode 100644 index 0000000..cdc2456 --- /dev/null +++ b/modules/nebula/default.nix 
@@ -0,0 +1,96 @@ +{ + config, + lib, + ... +}: +with lib; let + inherit (import ./shared.nix) netName interface service; + + ca = ../../keys/ca.crt; + + baseFirewall = { + outbound = [ + # Allow all outbound traffic + { + port = "any"; + proto = "any"; + host = "any"; + } + ]; + inbound = [ + # Allow pings from anyone + { + port = "any"; + proto = "icmp"; + host = "any"; + } + ]; + }; + + baseServer = { + isLighthouse = true; + + listen = { + host = "0.0.0.0"; + port = 4242; + }; + }; + baseClient = let + lhs = {"10.13.0.1" = ["min.rip:4242"];}; + lhsInternal = attrNames lhs; + in { + lighthouses = lhsInternal; + staticHostMap = lhs; + + settings.punchy = { + punch = true; + respond = true; + }; + }; + + cfg = config.gen.nebula; +in { + options.gen.nebula = { + enable = mkEnableOption "nebula mesh vpn"; + enableLighthouse = mkEnableOption "lighthouse functionality"; + + cert = mkOption { + type = types.path; + description = "nebula node cert path"; + }; + key = mkOption { + type = types.path; + description = "nebula node key path"; + }; + + extraInbound = mkOption { + type = types.listOf types.attrs; + description = "extra inbound firewall rules"; + }; + }; + + config = mkMerge [ + (mkIf cfg.enable { + networking.firewall.trustedInterfaces = [interface]; + + services.nebula.networks.${netName} = mkMerge [ + { + inherit ca; + inherit (cfg) cert key; + + firewall = { + inherit (baseFirewall) outbound; + inbound = baseFirewall.inbound ++ cfg.extraInbound; + }; + } + (mkIf cfg.enableLighthouse baseServer) + (mkIf (!cfg.enableLighthouse) baseClient) + ]; + }) + (mkIf config.services.openssh.enable { + # Make sure sshd starts after nebula + # TODO: is this necessary? + systemd.services.sshd.after = [service]; + }) + ]; +} diff --git a/modules/nebula/shared.nix b/modules/nebula/shared.nix new file mode 100644 index 0000000..34d0b55 --- /dev/null +++ b/modules/nebula/shared.nix 
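Review bot: `extraInbound` is declared with `mkOption` but no `default`, so any host that sets `gen.nebula.enable = true` without also setting `extraInbound` fails evaluation at `baseFirewall.inbound ++ cfg.extraInbound`; add `default = [];` beside its `description`. `networking.firewall.trustedInterfaces = [interface]` bypasses the host firewall for all mesh traffic, leaving the nebula `firewall` block as the only filter, which deserves a comment stating that intent, e.g. `# host firewall is bypassed on the mesh; nebula's own firewall is the control point`. Stylistically, `with lib;` at file scope is discouraged in nixpkgs; `inherit (lib) mkEnableOption mkOption mkMerge mkIf types attrNames;` is the usual replacement.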
@@ -0,0 +1,8 @@ +rec { + netName = "m-infra"; + + # https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/networking/nebula.nix + interface = "nebula.${netName}"; + userGroup = "nebula-${netName}"; + service = "nebula@${netName}.service"; +} diff --git a/modules/networking.nix b/modules/networking.nix new file mode 100644 index 0000000..4eb31e4 --- /dev/null +++ b/modules/networking.nix @@ -0,0 +1,3 @@ +{...}: { + networking.nameservers = ["1.1.1.1" "1.0.0.1"]; +} diff --git a/modules/programs.nix b/modules/programs.nix new file mode 100644 index 0000000..196e732 --- /dev/null +++ b/modules/programs.nix @@ -0,0 +1,7 @@ +{pkgs, ...}: { + environment.systemPackages = with pkgs; [ + git + tmux + helix + ]; +} \ No newline at end of file diff --git a/scripts/install.sh b/scripts/install.sh new file mode 100755 index 0000000..7d904d4 --- /dev/null +++ b/scripts/install.sh 
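Review bot: The comment in `modules/nebula/shared.nix` links the nebula module on the `nixos-24.05` branch, but `flake.nix` pins `nixpkgs` to `nixos-24.11`, so the reference that justifies the `interface`, `userGroup` and `service` strings is a release behind. Point the URL at the 24.11 branch and add `# these mirror names the upstream module derives from the network name; re-check on every nixpkgs bump` so a future rename upstream is caught.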
@@ -0,0 +1,73 @@ +#!/usr/bin/env bash + +# fail on errors +set -e + +die() { + echo >&2 "$@" + exit 1 +} + +# ensure root +[[ $EUID -ne 0 ]] && die "root is required to install on a system" + +# parse args +POSITIONAL_ARGS=() +while [[ $# -gt 0 ]]; do + case $1 in + -c|--nixos-config) + NAME="$2" + shift # past argument + shift # past value + ;; + -k|--key-dir) + KEYDIR="$2" + shift # past argument + shift # past value + ;; + *) + POSITIONAL_ARGS+=("$1") # save positional arg + shift # past argument + ;; + esac +done + +# check args +[ ! -f "$KEYDIR/host.pub" ] && die "host pubkey missing!" +[ ! -f "$KEYDIR/host" ] && die "host privkey missing!" +[ ! -f "$KEYDIR/host_initrd.pub" ] && die "host pubkey (initrd) missing!" +[ ! -f "$KEYDIR/host_initrd" ] && die "host privkey (initrd) missing!" +[ ! -f "$KEYDIR/luks-pw" ] && die "luks pw missing!" + +# temp work dir +temp=$(mktemp -d) +cleanup() { + rm -rf "$temp" +} +trap cleanup EXIT + +# prepare host keys +echo "Preparing host keys.." +dir="$temp/persist/etc/ssh" +install -d -m755 "$dir" +cp "$KEYDIR/host" "$dir/ssh_host_ed25519_key" +cp "$KEYDIR/host.pub" "$dir/ssh_host_ed25519_key.pub" +chmod 600 "$dir/ssh_host_ed25519_key" + +# prepare host keys (initrd) +echo "Preparing host keys.. (initrd)" +dir="$temp/persist/etc/secrets/initrd" +install -d -m755 "$dir" +cp "$KEYDIR/host" "$dir/ssh_host_ed25519_key" +cp "$KEYDIR/host.pub" "$dir/ssh_host_ed25519_key.pub" +chmod 600 "$dir/ssh_host_ed25519_key" + +# run disko-install +cp "$KEYDIR/luks-pw" "/tmp/luks-pw" +disko-install \ + --extra-files "$temp" "/" \ + --flake .#$NAME \ + --write-efi-boot-entries + +echo -e "Finished install.\n" \ + "Make sure to delete the SSH host keys from here if you are done with them." diff --git a/scripts/make_base_keys.sh b/scripts/make_base_keys.sh new file mode 100755 index 0000000..679f8da --- /dev/null +++ b/scripts/make_base_keys.sh 
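Review bot: The initrd block copies the wrong key pair: after checking that `$KEYDIR/host_initrd` and `$KEYDIR/host_initrd.pub` exist, it copies `$KEYDIR/host` and `$KEYDIR/host.pub` into `persist/etc/secrets/initrd`, so the initrd SSH host key is identical to the main system key and the separate initrd key is never used. Change the two lines to `cp "$KEYDIR/host_initrd" "$dir/ssh_host_ed25519_key"` and `cp "$KEYDIR/host_initrd.pub" "$dir/ssh_host_ed25519_key.pub"`. `$NAME` is never validated and is passed unquoted in `--flake .#$NAME`; a `[[ -z "$NAME" ]] && die "-c/--nixos-config is required"` after the argument loop, plus quoting as `--flake ".#$NAME"`, fails early instead of handing disko-install a bare `.#`.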
@@ -0,0 +1,36 @@ +#!/usr/bin/env bash + +# fail on errors +set -e + +die() { + echo >&2 "$@" + exit 1 +} + +# set up target folder +P="$1" +[[ -z "$P" || -d "$P" ]] && die "specify a non-existent path as a first argument" + +mkdir "$P" +pushd "$P" >/dev/null + +# host keys +echo "Generating SSH host keys.." +ssh-keygen -t ed25519 -f ./host -q -N "" -C "" + +# host pubkey -> age key +echo "AGE key is: $(cat ./host.pub | ssh-to-age)" + +# host keys (initrd) +echo "Generating SSH host keys.. (initrd)" +ssh-keygen -t ed25519 -f ./host_initrd -q -N "" -C "" + +# luks pw +echo "Generating LUKS password file.." +echo -n "$(openssl rand -base64 24)" > ./luks-pw + +# we are done +popd >/dev/null +echo "Finished generating keys." \ + "Delete them or put them somewhere else once you're done with them." diff --git a/scripts/rekey.sh b/scripts/rekey.sh new file mode 100755 index 0000000..aa86732 --- /dev/null +++ b/scripts/rekey.sh @@ -0,0 +1,14 @@ +#!/usr/bin/env bash + +shopt -s globstar + +SCRIPT_DIR="$(dirname "$0")" +ROOT_DIR="$(realpath "$SCRIPT_DIR/..")" + +pushd "$ROOT_DIR" > /dev/null + +rekey_dir() { + find $1 | xargs -i sops updatekeys -y {} +} + +rekey_dir "secrets/*" diff --git a/secrets/mpl.yaml b/secrets/mpl.yaml new file mode 100644 index 0000000..9959404 --- /dev/null +++ b/secrets/mpl.yaml 
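Review bot: `echo -n "$(openssl rand -base64 24)" > ./luks-pw` creates the passphrase file under the caller's umask, typically 022, so the LUKS passphrase is written world-readable, whereas the ssh-keygen outputs beside it get 0600 from ssh-keygen itself. Write it as `(umask 077; echo -n "$(openssl rand -base64 24)" > ./luks-pw)` or follow it with `chmod 600 ./luks-pw`. Minor: `cat ./host.pub | ssh-to-age` can be `ssh-to-age < ./host.pub`.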
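Review bot: `find $1` depends on the unquoted expansion of `secrets/*` and pipes the result through the deprecated `xargs -i`, which splits on whitespace, so any path containing a space breaks and every stray file under `secrets/` (including the `.decrypted~*` files that `.gitignore` anticipates) is handed to `sops updatekeys`, which fails on non-sops input. `find secrets -type f -name '*.yaml' -exec sops updatekeys -y {} \;` does the same job safely, after which the unused `shopt -s globstar` can go. Since `rekey_dir "secrets/*"` is the only caller, the function can take a directory argument rather than a glob string.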
@@ -0,0 +1,43 @@ +root-pw: ENC[AES256_GCM,data:IpF1o3x6Q9doRdAtQ/zpm5JGlzB6FCwLV/g+Dxz3McrQYTkrzjFu6z/JN9bNdwJTmabtzGZ18TkXjtcY0w+DDgBZ3+eDUpx2x5UMwUkSg6wZqYlPt2rht34u+s1LmLgX6awlbYh9aNxLEQ==,iv:tp3476TTwXztrEhiv55GQ+6dhHYNoESOUmp3EdISavo=,tag:0jqFI/AVjToFHZutPEnz1w==,type:str] +user-pw: ENC[AES256_GCM,data:6LwQhadCK7eEhyLGx8lDygeUXvzeujxJBl+Xn17UCBwD87G+OB4cy6DTtJ/5qo9jY1otIGUGFVu55UfLZ04w0zpOAJpgiEV4t4z2izcpWiCqaOJigpiEDuWMIEmmh+xJP+YoynNnmDY6Eg==,iv:Umce4ho0BTOsLIseuzyOflmKadN7MOOfCdooFfzN3sI=,tag:NJfYW66h7y/TVixCOxPEXQ==,type:str] +nebula-key: ENC[AES256_GCM,data:b3c4Ikz6RbtAGpVrCKqM53AIjXRDSWLY31Xx6XmoQsi8DNX6bnY0FO/LMaEVVQEzmHRiIU/uA8iSfaWDPD0Ee33vNsveA5s7I/+8qok9GGOPiP41UFPshmeO94nWV/P6RPosplGukioGatWh1at9v97oVzafSTotRaC8pcJB,iv:F9nXtktDEdGLU4FG736X3U0kxndDPXAqMr+Mz1WPskI=,tag:w5sseLEEBiNhlbD9TZXBqw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age12pxpwrmws2vpeeptcj6m2dejg53qgsqtl2uevls4rty22xqtgpvqhtgtpc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2VllHS0hIQW9aeERqcDVk + SjZucTJYenpSaXp6U1VXdWZZK09QeVVPNHpjCitnMDZrblZidlhlaFMzZ3RFR3E5 + S3RRV2ZWQ09rV29vKy9DdEljZGR1WVEKLS0tIGhpdDh2YXpZY1VMLzExU3MvV3Ar + elFiNmZiTzc0QWxjSEJ1UlUvZGhBTWMKQ7Uu6eq8KsIDCb/P6C2YVmHkChxyG2xs + qStNkNib8AkGyng94RPxaY/eRY6gxKdYmwDHx2dnR8SJ9vFJ+bmf/g== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-12-27T22:17:52Z" + mac: ENC[AES256_GCM,data:entpJyyWL5imwqwNCInpy0U0vHbwyjkVSfMWeetGQU6cSTUGv8CjSPmBYE6bFVtF9aj+S5X10huhrWWQPqs4boIsZusNqIffYo6uFEABh9iA5wgKbCB6MEJh1SkOB0i2sJGW4rIiAhBU2/Lv9Vi1OyPnNR+qKjaoVY6uOzR7SBE=,iv:06fjdO+yUdcbLAWv+t+zFBNZPi4exMpGJIRI8KeA8SI=,tag:CV0kcL845LSdu2/Nov5XQg==,type:str] + pgp: + - created_at: "2024-12-26T21:14:27Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwAAAAAAAAAAAQ/9H5n/uWiw5CloBFI7OpPO+/8sc20bdJ9cGUEId2F6AJjJ + mDS3GY41mO7FdnZlkdDEPCWP2kBpggYhovcQ92CJee0BXnRKlCUExnwB0L7+GPCa + F7RteklME69ZwF/x1+dWQ/+agr6hZy1fFQBJeE0D7zsLoHQjmdnZSkShb4yjsmQo 
+ QnvbIR1Y9fv4SpGUIQz8cRqZNckhYGg/bDwouKibgu2L94FjZrBNLUO7IrEM5LlY + ZArHdc/mo0eRuKl3UO+MNm8r2/0aetm/vs0/bePYyokNgAmfQv3WP5hGuuFEP9II + +r/isrsNsQniOlxNI3yesbZEGzRzDEEfSnRQMoaYwfTJUM/J4Ampo1pCpQnA+sfF + 77RAokEHA1SeMNTqaTjCbO8fQBJDj/34AIT8uDbIMoQ1bfeOa4UQREJ8R754hQ5L + F96oDloVVwJraqypKtpR9YdelrOIWPm3tRxxHyE85YeQAiAA0PruPazeD1/+7r6a + /tEHtfFKCAGqDBzCBmXmMAsEzuK5kT+NcJB+Vrnfqh6hMNYbiGaY0ytmRHs1QwFe + fHDyoX9eF2GBp2R00H5IhcK13IwrvYlMrstPXnGgFPDdb6hw1ydE5gPZFtDWtpFi + dCKuySzaGn1xsZhm5X4ks9nEVfwICXL2Vc8pVqYEH/jInIUTZUW9t9VpSt9j/fzS + XgEOy6uKJwV5MQKNOLpBIsB2VS6hOL0sDe34gOiVl/tpON9dToLcyil4mFJC4Hgm + UMrtAHCF8lqVtoD/9ldg3+m//tekAih9+YzK6/caw57C33ZFWKM0IHAJJuclWOA= + =TLCY + -----END PGP MESSAGE----- + fp: 78795D9EBD425CBB3E850BC45DF91852CB14CEFF + unencrypted_suffix: _unencrypted + version: 3.9.2