From 41b9eaf6eb8a3ddbd4df757f197c8ab77e3d37d7 Mon Sep 17 00:00:00 2001 From: Ben Sima Date: Sat, 29 Jan 2022 22:38:58 -0500 Subject: finish oxygen --- machines/oxygen.nix | 108 ++++++++++++++++++++++++++++++++++++++-------------- 1 file changed, 79 insertions(+), 29 deletions(-) (limited to 'machines') diff --git a/machines/oxygen.nix b/machines/oxygen.nix index d9c89b1..83c4cf1 100644 --- a/machines/oxygen.nix +++ b/machines/oxygen.nix @@ -1,29 +1,85 @@ { config, lib, pkgs, ... }: -# airgapped machine +# airgapped machine, for setting up gpg keys + +# github.com/dhess/nixos-yubikey let nixpkgs = builtins.fetchTarball (import ../nixpkgs.nix); in { - imports = [ ./users.nix ]; + isoImage.isoBaseName = "oxygen"; + isoImage.edition = "o2"; + isoImage.makeEfiBootable = true; + isoImage.makeUsbBootable = true; + + users.users.root.initialHashedPassword = ""; + services.getty.autologinUser = "root"; + documentation.enable = true; + documentation.nixos.enable = true; - security.sudo.enable = false; - #security.pam.services."user".yubicoAuth = true; - #security.pam.yubico.enable = true; - #security.pam.yubico.control = "sufficient"; # pam.conf(5) - #security.pam.yubico.mode = "challenge-response"; # ykpamcfg(1) - #file."~/.yubico/authorized_yubikeys" = ; + # prevent accidentally writing to persistent storage + boot.kernelParams = [ "copytoram" ]; + boot.cleanTmpDir = true; + boot.kernel.sysctl = { "kernel.unprivileged_bpf_disabled" = 1; }; - # networking is disabled, but we still need a hostname - networking.hostName = "oxygen"; + boot.plymouth.enable = true; + boot.plymouth.logo = pkgs.fetchurl { + url = "https://www.themoviethemesong.com/wp-content/uploads/2014/04/The-Matrix-Theme-Song-5.jpg"; + sha256 = "0smb717ji82pqqzn6rjg10mz4kjr2nfylm60a9q9divj918l2gqf"; + }; + boot.plymouth.theme = "breeze"; + + # disable networking + networking.hostName = "oxygen"; # but we still need a hostname + boot.initrd.network.enable = false; + networking.dhcpcd.enable = false; + networking.dhcpcd.allowInterfaces = []; + networking.firewall.enable = true; + networking.useDHCP = false; + networking.useNetworkd = false; + networking.wireless.enable = false; systemd.network.enable = false; time.timeZone = "America/New_York"; - environment.systemPackages = [ - pkgs.brightnessctl + # ref: https://rzetterberg.github.io/yubikey-gpg-nixos.html + environment.systemPackages = with pkgs; [ + bitcoin + ccrypt + cryptsetup + diceware # generate passphrases + ent # entropy + gnupg + (haskell.lib.justStaticExecutables haskellPackages.hopenpgp-tools) + mkpasswd + paperkey # store pgp keys on paper + parted + pcsclite # smartcard middleware + pcsctools + pgpdump + pinentry-curses + pwgen + qrencode + w3m-nographics # for documentation/manual + yubikey-manager + yubikey-personalization + ]; + services.udev.packages = [ + pkgs.yubikey-personalization ]; + environment.interactiveShellInit = let + gpg-agent-conf = pkgs.writeText "gpg-agent.conf" '' + pinentry-program ${pkgs.pinentry-curses}/bin/pinentry-curses + ''; + in '' + unset HISTFILE + export GNUPGHOME=/run/user/$(id -u)/gnupg + [ -d $GNUPGHOME ] || install -m 0700 -d $GNUPGHOME + cp ${gpg-agent-conf} $GNUPGHOME/gpg-agent.conf + echo "\$GNUPGHOME is $GNUPGHOME" + ''; + nixpkgs.config.allowUnfree = false; nixpkgs.config.allowBroken = false; @@ -36,36 +92,30 @@ in { services.pcscd.enable = true; services.printing.enable = true; - services.xserver.enable = true; - services.xserver.autorun = true; - services.xserver.layout = "us"; - services.xserver.libinput.enable = true; - services.xserver.xkbOptions = "caps:ctrl_modifier"; - services.xserver.displayManager.lightdm.enable = true; - services.xserver.windowManager.xmonad.enable = true; - services.xserver.desktopManager.xterm.enable = true; + #services.xserver.enable = true; + #services.xserver.autorun = true; + #services.xserver.layout = "us"; + #services.xserver.libinput.enable = true; + #services.xserver.xkbOptions = "caps:ctrl_modifier"; + #services.xserver.displayManager.lightdm.enable = true; + #services.xserver.windowManager.xmonad.enable = true; + #services.xserver.desktopManager.xterm.enable = true; # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; - boot.kernelParams = [ - # this probably breaks xserver, see https://superuser.com/a/1255015 - # "CONFIG_NET=n" - ]; powerManagement.enable = false; + nix.useSandbox = true; nix.nixPath = [ "nixpkgs=${nixpkgs}" "nixos-config=/etc/nixos/configuration.nix" "/nix/var/nix/profiles/per-user/root/channels" ]; nix.binaryCaches = [ ]; - nix.extraOptions = '' - keep-outputs = true - keep-derivations = true - builders-use-substitutes = true - ''; + system.extraSystemBuilderCmds = "ln -sv ${pkgs.path} $out/nixpkgs"; + environment.etc.host-nix-channel.source = pkgs.path; # This value determines the NixOS release with which your system is to be # compatible, in order to avoid breaking some software such as database -- cgit v1.2.3