Remove git crypt

Start move to /boot kernel mount
x-os: prepare booting from unencrypted /boot partition
Move to systemd-boot
Remove all unencrypted secrets
This commit is contained in:
Benjamin Bädorf 2021-10-23 18:28:28 +02:00
parent 132042220e
commit 067ce16246
No known key found for this signature in database
GPG key ID: 4406E80E13CD656C
23 changed files with 59 additions and 101 deletions

View file

@ -1 +0,0 @@
secrets/** filter=git-crypt-4406E80E13CD656C diff=git-crypt-4406E80E13CD656C

View file

@ -1,28 +0,0 @@
{ config, pkgs, lib, ... }:
with lib;
let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in
{
imports = [
./configuration.nix
];
config = {
pub-solar.x-os.keyfile = "/etc/nixos/hosts/biolimo/secrets/keyfile.bin";
hardware.cpu.intel.updateMicrocode = true;
networking.firewall.allowedTCPPorts = [
5000
];
home-manager.users."${psCfg.user.name}".xdg.configFile = mkIf psCfg.sway.enable {
"sway/config.d/10-screens.conf".source = ./.config/sway/config.d/screens.conf;
"sway/config.d/10-autostart.conf".source = ./.config/sway/config.d/autostart.conf;
"sway/config.d/10-input-defaults.conf".source = ./.config/sway/config.d/input-defaults.conf;
"sway/config.d/10-custom-keybindings.conf".source = ./.config/sway/config.d/custom-keybindings.conf;
};
};
}

View file

@ -10,8 +10,6 @@ in
]; ];
config = { config = {
pub-solar.x-os.keyfile = "/etc/nixos/hosts/biolimo/secrets/keyfile.bin";
hardware.cpu.intel.updateMicrocode = true; hardware.cpu.intel.updateMicrocode = true;
networking.firewall.allowedTCPPorts = [ 5000 ]; networking.firewall.allowedTCPPorts = [ 5000 ];

Binary file not shown.

View file

@ -1 +0,0 @@
secrets/** filter=git-crypt-4406E80E13CD656C diff=git-crypt-4406E80E13CD656C

View file

@ -1,31 +0,0 @@
{ config, pkgs, lib, ... }:
with lib;
let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in
{
imports = [
./configuration.nix
./virtualisation
];
config = {
pub-solar.x-os.keyfile = "keyfile-chocolatebar.bin";
pub-solar.virtualisation.isolateGPU = "rx550x";
hardware.cpu.amd.updateMicrocode = true;
hardware.opengl.extraPackages = with pkgs; [
rocm-opencl-icd
rocm-opencl-runtime
];
home-manager.users."${psCfg.user.name}".xdg.configFile = mkIf psCfg.sway.enable {
"sway/config.d/10-autostart.conf".source = ./.config/sway/config.d/autostart.conf;
"sway/config.d/10-input-defaults.conf".source = ./.config/sway/config.d/input-defaults.conf;
"sway/config.d/10-screens.conf".source = ./.config/sway/config.d/screens.conf;
};
};
}

View file

@ -11,8 +11,6 @@ in
]; ];
config = { config = {
pub-solar.x-os.keyfile = "/etc/nixos/hosts/chocolatebar/secrets/keyfile.bin";
pub-solar.virtualisation.isolateGPU = "rx550x"; pub-solar.virtualisation.isolateGPU = "rx550x";
hardware.cpu.amd.updateMicrocode = true; hardware.cpu.amd.updateMicrocode = true;

View file

@ -22,7 +22,7 @@
boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/afcde41f-9811-4ac8-bb7b-a683844acc5c"; boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/afcde41f-9811-4ac8-bb7b-a683844acc5c";
fileSystems."/boot/efi" = fileSystems."/boot" =
{ {
device = "/dev/disk/by-uuid/12FD-62A8"; device = "/dev/disk/by-uuid/12FD-62A8";
fsType = "vfat"; fsType = "vfat";

Binary file not shown.

View file

@ -3,41 +3,19 @@
let let
cfg = config.pub-solar.x-os; cfg = config.pub-solar.x-os;
in in
with lib; { {
options = {
pub-solar.x-os.keyfile = mkOption {
type = types.str;
description = "Keyfile location";
};
};
config = { config = {
# Enable plymouth for better experience of booting # Enable plymouth for better experience of booting
boot.plymouth.enable = true; boot.plymouth.enable = true;
# Use Keyfile to unlock the root partition to avoid keying in twice. # Mount / luks device in initrd
# Allow fstrim to work on it. # Allow fstrim to work on it.
age.secrets.luksKeyFile.file = "${self}/secrets/${cfg.keyfile}";
boot.initrd = { boot.initrd = {
secrets = { "/keyfile.bin" = "/run/secrets/${cfg.keyfile}"; };
luks.devices."cryptroot" = { luks.devices."cryptroot" = {
keyFile = "/keyfile.bin";
allowDiscards = true; allowDiscards = true;
fallbackToPassword = true;
}; };
}; };
# Use GRUB with encrypted /boot under EFI env. boot.loader.systemd-boot.enable = true;
boot.loader = {
efi.efiSysMountPoint = "/boot/efi";
grub = {
enable = true;
version = 2;
device = "nodev";
efiSupport = true;
enableCryptodisk = true;
};
};
}; };
} }

View file

@ -1,4 +0,0 @@
* filter=git-crypt diff=git-crypt
.gitattributes !filter !diff
secrets.nix !filter !diff
README.md !filter !diff

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

44
secrets/mopidy.conf Normal file
View file

@ -0,0 +1,44 @@
age-encryption.org/v1
-> ssh-rsa kFDS0A
pgJUXnYT0UgB7h8dWOBCIO6OuXwpjmBuQpJBXnI2Zh5X2fiGQVyrrcrm8VSWLHOd
za9SME+PxcGXDGgwaGpCl8tOh93WRUC0RtNTBmoiyzrfkbQtm9gfnt51JpHscuTc
wzZ9cxMvtKSNGsCuK5oeX9ZxVgXH5QFomwvADXoy14HacgEOzLTPU6vrPrOonGAG
kDqYDzf87V2BfPttzONoScsVsFV26EQntxDx5/8Hja4ceOvgBwm2GczUzpgfIRCA
To+az2B1Y0h/BWMqzRAhobuN/UIQcZAKro4uf8SbpKqPQrON+k1tAE+lrMUFLx1A
2ZayulT/Partcm6L8Yb0JAn24eXFla52XQ6JyukSbtoqZxEQIcjbM34+KFKMftIA
M8taZIG2JWyFdHBPO4RAMyGbNpQN5hsDvJWGIJePj4bAxW7GX9JJiT7gg1iCKce3
SINdaBt4O3RJ49wTGqJtMSJSlfzLf7s4zHx5oaozAEt84h97A2Yt/8Lg1Wmc2Aji
Q4XG6w8OQ/Fk8E/EeSZ27udMHF94TfQ9mzbKdMJRclLDlKKlxeYA6gea4QYb6GLi
8tY6qnDpF9jwV7ehehM9KYhJcCLw7MYNwGI6oPmTagZCRhXDYULbmK5gfkspcrZ1
zZn5yOCwt+MA3U2NfpxNOMs0LvaGU7HOruzyD9DLp+4
-> ssh-ed25519 TnSWKQ SWZZJeUCYeSkYwIKmrsMa/MUkNK7xIn+213hy6X51Uk
FDzM+HzDh+5+9RI+gjTPKNT74DPSvxA+CKJpHXSMX5c
-> ssh-rsa 8daibg
XthUstyN7tDd/vAw3y6knQWNI1M2GEKGDzvmOXFMgwxUcBUNPZmPnZvTfmUXY81Z
iF13Lruwid0/4Pb9dcYyyifzoqnNb6SvnzczoUSpqQc6m+6BLX4kSTIN1Pulwt8A
kWrOekvKy9J7Z2QsW6QKfxB4xaAc+BA9kHOgWWpLTyx2GOm0ksLjUnsd3Zo/xXsc
JpjuSNcsUM9mCP00RjamX1SwrAc/tRnoOSOD6jmED5M0Xfb7bE2AORUQ3Em8B4iG
CgaTEXFppZN96+BHOumOP1wAbH7uI0EdQP/SvR+qelCH35C0pSWZ4AuyvT5kvoYL
CyK6GQ8rVnDrBaWQIj4TPhpB1xVxKd01AZX9ITdhPdTATJFwCcVxoWgCTtjNGaIc
4GldFh0+nXUUV9spzxFbAhiJwy+PHfNfuJ1gyYMrgLY4mQPhA6ntPeWqZOb20cYZ
ABl7eHN9AAQnibw6EufkgH/U9v81HlWjbLWedAHNPGAldDF5uNrY+FRiqXWT2Ivb
9CkU/pUFAAcZs7GwEHTVz2dWsuxthS/P/DhN1YshDmY17gTBEf+40SUATsD1wBV0
tdmbU3i79djbfXXvazR+hi7qDtKo+zJKCDORSq66J70njl0pwN/QIKGQnKt5sYCm
3kPTZHrR6ys82MhTFk/C1G4aJjQScTz4buA5UH+0hsE
-> ssh-ed25519 2Ca8Kg eqyr8Yr3rrWlhCd+TmKsnywFdp1mwt3jZwuJzO0TwzM
mcfYZGTAebrZY9Ool8sPn25wPiwe6StBUzdVAyEErAE
-> ssh-rsa 2ggJWw
h00c7evck2bHux9EhMjLQa1f3O3tReLd65LDJB28jH7SbpT6t8Gxfk9tamGFHg4Z
lGxkzZjK9xnroBpZv5ikuP+tD7A6A2saDXDnnAw+wHUGv0UO5yzr0HPIvwE1bVR5
GOW1iqPMHKB2v6NeTaBG1g5TohSYEDDINkQv+Q4NyPhdpX9bGd3biWiBAa1gy3Xp
XmDwtUfBg9IN+EeQTpC/tc4C1pLd3k7E+5pZDQebfTlvXZ83SH05BpBnpakPWNty
Pf3s/iMwWBiJ+8GiwQ7c6FjTrr9ImJe8nD6mknWGpsMEQ9wB4Bd9l5RTjpTW9wCo
DNtN8Mo0SGgFXjj/5XO0kMDhDike/GLr6wfD0HVgRP9MtcatvEaezp4RY6NIknjy
F49KFsZWhzqwU2c4VX3ayFGJHcn/TT6o2QL3qZoI6x23ZFHQlXtQjXfhTkXk2qJt
565cgrWzLYV7y+DB5fwaG/+Twlnr8rMQOPwyEnrWylh+AY3H/2/M1qQz2b2UQapl
-> }L0d&,o-grease QVMP gPkF4&,`
YaavYxfymQIl4xRnz1AZxLAY7+r2R9Mftt9AIk11bEymVtCWhsWtSbnhsq9q+fjm
yYwVUyIh4eeH4oOdz3ssnmB3gg
--- 5VOiRneXGtTtik3m0OJY8zV8Sboh18DIB4eM07M+1Lo
ö™:üŠØþI{ˆ)ƒô½-tÈ«½©jT»0rE™ÚYæg4wFA³SÖ÷9RÐ…çëQ¡5<C2A1>c{ºÈzj…lÁRAØãàÛH”L y£ø²W•6¢¢l>¸–ߪ}­m¤Ý¿óÆbѱ“ô6*ÎËg"ßãÈè}Xˆí>W¬œÛÇ<C39B>ÕTÉÞ­™é¼Ì# mÍi@êiö:°zõ愲jbc(ƦŸýìùô{ô™¨ª¯©âwã(ÖθÈäyÔ§`iÌó_ïC-`ŽPô³²e«¶ç<C2B6>CÈ»tSÆ5Ž·e÷Zp%þQ´B¿Êh4yžC°dY¿«<C2BF>—Lˆ<Nw½µýÆ<>„ÊVñ4ù/ð:•+Ÿãx5ÚÞÁ8_V F6ð½)a>…. }É‘^h¿óÖ®îÍ<C3AE>ø.Ÿ<C5B8>»ËË¿GÑà”ÿ~ÝŒd¢EoZ=|×C•O ö”x7,Nƒ•ïú¹PÖä¥ ˆ%*I%®kÎ[<5B>ØÐ|-<2D>ÈžT¦úe~3¥6ËÞ!C"Öai/kDmì]<5D>íJ÷Û>ü¬n^»OýÚ—MãÌíüSÁ°7„¼»<C2BC>1P €ú?x\;B¸#u”BŽ$hѵ:¶Ë

View file

@ -5,8 +5,8 @@ let
biolimo-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZzg8pfVtFonx/IvO2MKG5uVF/sMJAOt1Ifm9Vds2eA root@biolimo"; biolimo-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZzg8pfVtFonx/IvO2MKG5uVF/sMJAOt1Ifm9Vds2eA root@biolimo";
biolimo-user = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDDoYNvXWunQYFORRjcYH1F98+zr20U79ROh+gmaC7AY/x3yf4y8uyMayF56VgQLVNwgEchT5t4dNb9qo2+1oUnjiKrKAVfQMN6WMMMEr4F4WT784uvBx5Uo6vmhgAa+xoo62c4TV2Uf49ZiPd+zAApBHW1F/whPtunPF28Wfr9g+ozSidhnAr+3nkfJh331tz9s+wgQ39AFzFWftQ60Guulpfj8SaVyxyv/yZZAuFpXNzN0Cz4fWBIWFOsib6Z8y+SlUCzSzOguZ7FygHjwlvOxoISsASAuf0OfUKHxVshiL5F5AX1ddmUgXbUKUTp/3Iunr74pfOQC8TXzZHqhrlFzYDmK5J9E6eADSpgx++bCCaHycl73BWeertCBZSHBXeb3Db9HX+mxwpfP3alVAt4ZqQb3YD/VB7XGDvHbmLn+wSfecO2qA9PxiA0yX7e2BZLN9r3G3bRNSk0GpnYM0i84FE9IipiKKnWVjj7J0UPQmz7rzAn2Lki1CnX9PDdxZneqTxgpBomHJt4H+vXMw13scA4xxEDBvfS5KkjbEJqWLbfklCoER6nV3NPLZ6CBl0Xe/VQBSkqEuUEIXih/oa8emDOGUODNF75ck5NJmKiGg6AFZoeiDa7PZMIxhhOq4vsR2Ty43rztUJ0CMX7iSIk3Eql7kqNdvrJaJ7z0GBsiw== ben@biolimo"; biolimo-user = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDDoYNvXWunQYFORRjcYH1F98+zr20U79ROh+gmaC7AY/x3yf4y8uyMayF56VgQLVNwgEchT5t4dNb9qo2+1oUnjiKrKAVfQMN6WMMMEr4F4WT784uvBx5Uo6vmhgAa+xoo62c4TV2Uf49ZiPd+zAApBHW1F/whPtunPF28Wfr9g+ozSidhnAr+3nkfJh331tz9s+wgQ39AFzFWftQ60Guulpfj8SaVyxyv/yZZAuFpXNzN0Cz4fWBIWFOsib6Z8y+SlUCzSzOguZ7FygHjwlvOxoISsASAuf0OfUKHxVshiL5F5AX1ddmUgXbUKUTp/3Iunr74pfOQC8TXzZHqhrlFzYDmK5J9E6eADSpgx++bCCaHycl73BWeertCBZSHBXeb3Db9HX+mxwpfP3alVAt4ZqQb3YD/VB7XGDvHbmLn+wSfecO2qA9PxiA0yX7e2BZLN9r3G3bRNSk0GpnYM0i84FE9IipiKKnWVjj7J0UPQmz7rzAn2Lki1CnX9PDdxZneqTxgpBomHJt4H+vXMw13scA4xxEDBvfS5KkjbEJqWLbfklCoER6nV3NPLZ6CBl0Xe/VQBSkqEuUEIXih/oa8emDOGUODNF75ck5NJmKiGg6AFZoeiDa7PZMIxhhOq4vsR2Ty43rztUJ0CMX7iSIk3Eql7kqNdvrJaJ7z0GBsiw== ben@biolimo";
chocolatebar-host = ""; chocolatebar-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINZT3QrKugNTWNOwYziQnxrT5zFqWQDafWjScDuIpMhN root@chocolatebar";
chocolatebar-user = ""; chocolatebar-user = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDwyNsGCMuyI9x2IxYEbYIL6oYsEfe1wqhHaRxSnK9oc10ge1LJni5o7g6XgryoQpCD9YenImcCxwkKblmlLQ2327uoVC2PUo07li1uT0eIPk0TQoxwp6besFs7/LEzZlgWQsc3gkEXmjk/E0mu0U6z2fkqciJ/ZxWYt9fLP6jBG47U9878rSaZ7k7Ilv6oRA3suArH189k1nerk/tonS4EWXeHZxHh/Eu0tqwmxN/6+g2GicYn6b+MbFQVdQAkctqT5Yz9USm9UKzbaAuZ799u0dJzagHm9JJZOr8r11ENtAkY9kAzRzm3u/ACiSdVzyLdjAK6m0dIPhp3OhedzuHiI6/wRll60tYtQTH1XwUpVbtir3+DT+jwZgO1zH3yL4iNh79kuUo+UEg1ZmGkSZRzSS2vb5qr0J5aSJmCd5sNB7a01PTtSlQPOqSF9PB+UmcLDF7JoKFub0KT/gRZ5neZkXTYQ/Y05qtaaFVlOVISijnm+sLUvKBv6OW8oYXIHBk= ben@chocolatebar";
allKeys = [ allKeys = [
bbcom bbcom
@ -34,5 +34,10 @@ let
in in
{ {
"keyfile-biolimo.bin".publicKeys = biolimoKeys; "keyfile-biolimo.bin".publicKeys = biolimoKeys;
"keyfile-chocolatebar.bin".publicKeys = biolimoKeys;
"keyfile-chocolatebar.bin".publicKeys = chocolatebarKeys;
"crypto_keyfile-chocolatebar.bin".publicKeys = chocolatebarKeys;
"hdd_keyfile-chocolatebar.bin".publicKeys = chocolatebarKeys;
"mopidy.conf".publicKeys = allKeys;
} }

View file

@ -1 +0,0 @@
secrets/** filter=git-crypt-4406E80E13CD656C diff=git-crypt-4406E80E13CD656C

View file

@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, self, ... }:
with lib; with lib;
let let
psCfg = config.pub-solar; psCfg = config.pub-solar;
@ -50,5 +50,6 @@ in
# xdg.configFile."wallpaper.jpg".source = ./assets/wallpaper.jpg; # xdg.configFile."wallpaper.jpg".source = ./assets/wallpaper.jpg;
}; };
services.mopidy.configuration = mkIf config.pub-solar.audio.enable (builtins.readFile ./secrets/mopidy.conf); age.secrets.mopidyConf.file = "${self}/secrets/mopidy.conf";
services.mopidy.extraConfigFiles = [ "/run/secrets/mopidy.conf" ];
} }

Binary file not shown.