summaryrefslogtreecommitdiff
path: root/machines
diff options
context:
space:
mode:
authorBen Sima <ben@bsima.me>2022-01-29 22:38:58 -0500
committerBen Sima <ben@bsima.me>2022-01-29 22:38:58 -0500
commit41b9eaf6eb8a3ddbd4df757f197c8ab77e3d37d7 (patch)
tree8963e5b5d7f0d88bcba555ba221eff9cb42d47c6 /machines
parent4e02037a244219dc3ce1b338265513a7bfbb61e0 (diff)
finish oxygen
Diffstat (limited to 'machines')
-rw-r--r--machines/oxygen.nix108
1 files changed, 79 insertions, 29 deletions
diff --git a/machines/oxygen.nix b/machines/oxygen.nix
index d9c89b1..83c4cf1 100644
--- a/machines/oxygen.nix
+++ b/machines/oxygen.nix
@@ -1,29 +1,85 @@
{ config, lib, pkgs, ... }:
-# airgapped machine
+# airgapped machine, for setting up gpg keys
+
+# github.com/dhess/nixos-yubikey
let
nixpkgs = builtins.fetchTarball (import ../nixpkgs.nix);
in {
- imports = [ ./users.nix ];
+ isoImage.isoBaseName = "oxygen";
+ isoImage.edition = "o2";
+ isoImage.makeEfiBootable = true;
+ isoImage.makeUsbBootable = true;
+
+ users.users.root.initialHashedPassword = "";
+ services.getty.autologinUser = "root";
+ documentation.enable = true;
+ documentation.nixos.enable = true;
- security.sudo.enable = false;
- #security.pam.services."user".yubicoAuth = true;
- #security.pam.yubico.enable = true;
- #security.pam.yubico.control = "sufficient"; # pam.conf(5)
- #security.pam.yubico.mode = "challenge-response"; # ykpamcfg(1)
- #file."~/.yubico/authorized_yubikeys" = <list of keys>;
+ # prevent accidentally writing to persistent storage
+ boot.kernelParams = [ "copytoram" ];
+ boot.cleanTmpDir = true;
+ boot.kernel.sysctl = { "kernel.unprivileged_bpf_disabled" = 1; };
- # networking is disabled, but we still need a hostname
- networking.hostName = "oxygen";
+ boot.plymouth.enable = true;
+ boot.plymouth.logo = pkgs.fetchurl {
+ url = "https://www.themoviethemesong.com/wp-content/uploads/2014/04/The-Matrix-Theme-Song-5.jpg";
+ sha256 = "0smb717ji82pqqzn6rjg10mz4kjr2nfylm60a9q9divj918l2gqf";
+ };
+ boot.plymouth.theme = "breeze";
+
+ # disable networking
+ networking.hostName = "oxygen"; # but we still need a hostname
+ boot.initrd.network.enable = false;
+ networking.dhcpcd.enable = false;
+ networking.dhcpcd.allowInterfaces = [];
+ networking.firewall.enable = true;
+ networking.useDHCP = false;
+ networking.useNetworkd = false;
+ networking.wireless.enable = false;
systemd.network.enable = false;
time.timeZone = "America/New_York";
- environment.systemPackages = [
- pkgs.brightnessctl
+ # ref: https://rzetterberg.github.io/yubikey-gpg-nixos.html
+ environment.systemPackages = with pkgs; [
+ bitcoin
+ ccrypt
+ cryptsetup
+ diceware # generate passphrases
+ ent # entropy
+ gnupg
+ (haskell.lib.justStaticExecutables haskellPackages.hopenpgp-tools)
+ mkpasswd
+ paperkey # store pgp keys on paper
+ parted
+ pcsclite # smartcard middleware
+ pcsctools
+ pgpdump
+ pinentry-curses
+ pwgen
+ qrencode
+ w3m-nographics # for documentation/manual
+ yubikey-manager
+ yubikey-personalization
+ ];
+ services.udev.packages = [
+ pkgs.yubikey-personalization
];
+ environment.interactiveShellInit = let
+ gpg-agent-conf = pkgs.writeText "gpg-agent.conf" ''
+ pinentry-program ${pkgs.pinentry-curses}/bin/pinentry-curses
+ '';
+ in ''
+ unset HISTFILE
+ export GNUPGHOME=/run/user/$(id -u)/gnupg
+ [ -d $GNUPGHOME ] || install -m 0700 -d $GNUPGHOME
+ cp ${gpg-agent-conf} $GNUPGHOME/gpg-agent.conf
+ echo "\$GNUPGHOME is $GNUPGHOME"
+ '';
+
nixpkgs.config.allowUnfree = false;
nixpkgs.config.allowBroken = false;
@@ -36,36 +92,30 @@ in {
services.pcscd.enable = true;
services.printing.enable = true;
- services.xserver.enable = true;
- services.xserver.autorun = true;
- services.xserver.layout = "us";
- services.xserver.libinput.enable = true;
- services.xserver.xkbOptions = "caps:ctrl_modifier";
- services.xserver.displayManager.lightdm.enable = true;
- services.xserver.windowManager.xmonad.enable = true;
- services.xserver.desktopManager.xterm.enable = true;
+ #services.xserver.enable = true;
+ #services.xserver.autorun = true;
+ #services.xserver.layout = "us";
+ #services.xserver.libinput.enable = true;
+ #services.xserver.xkbOptions = "caps:ctrl_modifier";
+ #services.xserver.displayManager.lightdm.enable = true;
+ #services.xserver.windowManager.xmonad.enable = true;
+ #services.xserver.desktopManager.xterm.enable = true;
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
- boot.kernelParams = [
- # this probably breaks xserver, see https://superuser.com/a/1255015
- # "CONFIG_NET=n"
- ];
powerManagement.enable = false;
+ nix.useSandbox = true;
nix.nixPath = [
"nixpkgs=${nixpkgs}"
"nixos-config=/etc/nixos/configuration.nix"
"/nix/var/nix/profiles/per-user/root/channels"
];
nix.binaryCaches = [ ];
- nix.extraOptions = ''
- keep-outputs = true
- keep-derivations = true
- builders-use-substitutes = true
- '';
+ system.extraSystemBuilderCmds = "ln -sv ${pkgs.path} $out/nixpkgs";
+ environment.etc.host-nix-channel.source = pkgs.path;
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database