Remove git crypt
Start move to /boot kernel mount x-os: prepare booting from unencrypted /boot partition Move to systemd-boot Remove all unencrypted secrets
This commit is contained in:
parent
132042220e
commit
067ce16246
1
hosts/biolimo/.gitattributes
vendored
1
hosts/biolimo/.gitattributes
vendored
|
@ -1 +0,0 @@
|
||||||
secrets/** filter=git-crypt-4406E80E13CD656C diff=git-crypt-4406E80E13CD656C
|
|
|
@ -1,28 +0,0 @@
|
||||||
{ config, pkgs, lib, ... }:
|
|
||||||
with lib;
|
|
||||||
let
|
|
||||||
psCfg = config.pub-solar;
|
|
||||||
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
|
|
||||||
in
|
|
||||||
{
|
|
||||||
imports = [
|
|
||||||
./configuration.nix
|
|
||||||
];
|
|
||||||
|
|
||||||
config = {
|
|
||||||
pub-solar.x-os.keyfile = "/etc/nixos/hosts/biolimo/secrets/keyfile.bin";
|
|
||||||
|
|
||||||
hardware.cpu.intel.updateMicrocode = true;
|
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [
|
|
||||||
5000
|
|
||||||
];
|
|
||||||
|
|
||||||
home-manager.users."${psCfg.user.name}".xdg.configFile = mkIf psCfg.sway.enable {
|
|
||||||
"sway/config.d/10-screens.conf".source = ./.config/sway/config.d/screens.conf;
|
|
||||||
"sway/config.d/10-autostart.conf".source = ./.config/sway/config.d/autostart.conf;
|
|
||||||
"sway/config.d/10-input-defaults.conf".source = ./.config/sway/config.d/input-defaults.conf;
|
|
||||||
"sway/config.d/10-custom-keybindings.conf".source = ./.config/sway/config.d/custom-keybindings.conf;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -10,8 +10,6 @@ in
|
||||||
];
|
];
|
||||||
|
|
||||||
config = {
|
config = {
|
||||||
pub-solar.x-os.keyfile = "/etc/nixos/hosts/biolimo/secrets/keyfile.bin";
|
|
||||||
|
|
||||||
hardware.cpu.intel.updateMicrocode = true;
|
hardware.cpu.intel.updateMicrocode = true;
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ 5000 ];
|
networking.firewall.allowedTCPPorts = [ 5000 ];
|
||||||
|
|
Binary file not shown.
1
hosts/chocolatebar/.gitattributes
vendored
1
hosts/chocolatebar/.gitattributes
vendored
|
@ -1 +0,0 @@
|
||||||
secrets/** filter=git-crypt-4406E80E13CD656C diff=git-crypt-4406E80E13CD656C
|
|
|
@ -1,31 +0,0 @@
|
||||||
{ config, pkgs, lib, ... }:
|
|
||||||
with lib;
|
|
||||||
let
|
|
||||||
psCfg = config.pub-solar;
|
|
||||||
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
|
|
||||||
in
|
|
||||||
{
|
|
||||||
imports = [
|
|
||||||
./configuration.nix
|
|
||||||
./virtualisation
|
|
||||||
];
|
|
||||||
|
|
||||||
config = {
|
|
||||||
pub-solar.x-os.keyfile = "keyfile-chocolatebar.bin";
|
|
||||||
|
|
||||||
pub-solar.virtualisation.isolateGPU = "rx550x";
|
|
||||||
|
|
||||||
hardware.cpu.amd.updateMicrocode = true;
|
|
||||||
|
|
||||||
hardware.opengl.extraPackages = with pkgs; [
|
|
||||||
rocm-opencl-icd
|
|
||||||
rocm-opencl-runtime
|
|
||||||
];
|
|
||||||
|
|
||||||
home-manager.users."${psCfg.user.name}".xdg.configFile = mkIf psCfg.sway.enable {
|
|
||||||
"sway/config.d/10-autostart.conf".source = ./.config/sway/config.d/autostart.conf;
|
|
||||||
"sway/config.d/10-input-defaults.conf".source = ./.config/sway/config.d/input-defaults.conf;
|
|
||||||
"sway/config.d/10-screens.conf".source = ./.config/sway/config.d/screens.conf;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -11,8 +11,6 @@ in
|
||||||
];
|
];
|
||||||
|
|
||||||
config = {
|
config = {
|
||||||
pub-solar.x-os.keyfile = "/etc/nixos/hosts/chocolatebar/secrets/keyfile.bin";
|
|
||||||
|
|
||||||
pub-solar.virtualisation.isolateGPU = "rx550x";
|
pub-solar.virtualisation.isolateGPU = "rx550x";
|
||||||
|
|
||||||
hardware.cpu.amd.updateMicrocode = true;
|
hardware.cpu.amd.updateMicrocode = true;
|
||||||
|
|
|
@ -22,7 +22,7 @@
|
||||||
|
|
||||||
boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/afcde41f-9811-4ac8-bb7b-a683844acc5c";
|
boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/afcde41f-9811-4ac8-bb7b-a683844acc5c";
|
||||||
|
|
||||||
fileSystems."/boot/efi" =
|
fileSystems."/boot" =
|
||||||
{
|
{
|
||||||
device = "/dev/disk/by-uuid/12FD-62A8";
|
device = "/dev/disk/by-uuid/12FD-62A8";
|
||||||
fsType = "vfat";
|
fsType = "vfat";
|
||||||
|
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -3,41 +3,19 @@
|
||||||
let
|
let
|
||||||
cfg = config.pub-solar.x-os;
|
cfg = config.pub-solar.x-os;
|
||||||
in
|
in
|
||||||
with lib; {
|
{
|
||||||
options = {
|
|
||||||
pub-solar.x-os.keyfile = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
description = "Keyfile location";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
config = {
|
config = {
|
||||||
# Enable plymouth for better experience of booting
|
# Enable plymouth for better experience of booting
|
||||||
boot.plymouth.enable = true;
|
boot.plymouth.enable = true;
|
||||||
|
|
||||||
# Use Keyfile to unlock the root partition to avoid keying in twice.
|
# Mount / luks device in initrd
|
||||||
# Allow fstrim to work on it.
|
# Allow fstrim to work on it.
|
||||||
age.secrets.luksKeyFile.file = "${self}/secrets/${cfg.keyfile}";
|
|
||||||
boot.initrd = {
|
boot.initrd = {
|
||||||
secrets = { "/keyfile.bin" = "/run/secrets/${cfg.keyfile}"; };
|
|
||||||
luks.devices."cryptroot" = {
|
luks.devices."cryptroot" = {
|
||||||
keyFile = "/keyfile.bin";
|
|
||||||
allowDiscards = true;
|
allowDiscards = true;
|
||||||
fallbackToPassword = true;
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# Use GRUB with encrypted /boot under EFI env.
|
boot.loader.systemd-boot.enable = true;
|
||||||
boot.loader = {
|
|
||||||
efi.efiSysMountPoint = "/boot/efi";
|
|
||||||
|
|
||||||
grub = {
|
|
||||||
enable = true;
|
|
||||||
version = 2;
|
|
||||||
device = "nodev";
|
|
||||||
efiSupport = true;
|
|
||||||
enableCryptodisk = true;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
4
secrets/.gitattributes
vendored
4
secrets/.gitattributes
vendored
|
@ -1,4 +0,0 @@
|
||||||
* filter=git-crypt diff=git-crypt
|
|
||||||
.gitattributes !filter !diff
|
|
||||||
secrets.nix !filter !diff
|
|
||||||
README.md !filter !diff
|
|
BIN
secrets/crypto_keyfile-chocolatebar.bin
Normal file
BIN
secrets/crypto_keyfile-chocolatebar.bin
Normal file
Binary file not shown.
BIN
secrets/hdd_keyfile-chocolatebar.bin
Normal file
BIN
secrets/hdd_keyfile-chocolatebar.bin
Normal file
Binary file not shown.
Binary file not shown.
Binary file not shown.
44
secrets/mopidy.conf
Normal file
44
secrets/mopidy.conf
Normal file
|
@ -0,0 +1,44 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-rsa kFDS0A
|
||||||
|
pgJUXnYT0UgB7h8dWOBCIO6OuXwpjmBuQpJBXnI2Zh5X2fiGQVyrrcrm8VSWLHOd
|
||||||
|
za9SME+PxcGXDGgwaGpCl8tOh93WRUC0RtNTBmoiyzrfkbQtm9gfnt51JpHscuTc
|
||||||
|
wzZ9cxMvtKSNGsCuK5oeX9ZxVgXH5QFomwvADXoy14HacgEOzLTPU6vrPrOonGAG
|
||||||
|
kDqYDzf87V2BfPttzONoScsVsFV26EQntxDx5/8Hja4ceOvgBwm2GczUzpgfIRCA
|
||||||
|
To+az2B1Y0h/BWMqzRAhobuN/UIQcZAKro4uf8SbpKqPQrON+k1tAE+lrMUFLx1A
|
||||||
|
2ZayulT/Partcm6L8Yb0JAn24eXFla52XQ6JyukSbtoqZxEQIcjbM34+KFKMftIA
|
||||||
|
M8taZIG2JWyFdHBPO4RAMyGbNpQN5hsDvJWGIJePj4bAxW7GX9JJiT7gg1iCKce3
|
||||||
|
SINdaBt4O3RJ49wTGqJtMSJSlfzLf7s4zHx5oaozAEt84h97A2Yt/8Lg1Wmc2Aji
|
||||||
|
Q4XG6w8OQ/Fk8E/EeSZ27udMHF94TfQ9mzbKdMJRclLDlKKlxeYA6gea4QYb6GLi
|
||||||
|
8tY6qnDpF9jwV7ehehM9KYhJcCLw7MYNwGI6oPmTagZCRhXDYULbmK5gfkspcrZ1
|
||||||
|
zZn5yOCwt+MA3U2NfpxNOMs0LvaGU7HOruzyD9DLp+4
|
||||||
|
-> ssh-ed25519 TnSWKQ SWZZJeUCYeSkYwIKmrsMa/MUkNK7xIn+213hy6X51Uk
|
||||||
|
FDzM+HzDh+5+9RI+gjTPKNT74DPSvxA+CKJpHXSMX5c
|
||||||
|
-> ssh-rsa 8daibg
|
||||||
|
XthUstyN7tDd/vAw3y6knQWNI1M2GEKGDzvmOXFMgwxUcBUNPZmPnZvTfmUXY81Z
|
||||||
|
iF13Lruwid0/4Pb9dcYyyifzoqnNb6SvnzczoUSpqQc6m+6BLX4kSTIN1Pulwt8A
|
||||||
|
kWrOekvKy9J7Z2QsW6QKfxB4xaAc+BA9kHOgWWpLTyx2GOm0ksLjUnsd3Zo/xXsc
|
||||||
|
JpjuSNcsUM9mCP00RjamX1SwrAc/tRnoOSOD6jmED5M0Xfb7bE2AORUQ3Em8B4iG
|
||||||
|
CgaTEXFppZN96+BHOumOP1wAbH7uI0EdQP/SvR+qelCH35C0pSWZ4AuyvT5kvoYL
|
||||||
|
CyK6GQ8rVnDrBaWQIj4TPhpB1xVxKd01AZX9ITdhPdTATJFwCcVxoWgCTtjNGaIc
|
||||||
|
4GldFh0+nXUUV9spzxFbAhiJwy+PHfNfuJ1gyYMrgLY4mQPhA6ntPeWqZOb20cYZ
|
||||||
|
ABl7eHN9AAQnibw6EufkgH/U9v81HlWjbLWedAHNPGAldDF5uNrY+FRiqXWT2Ivb
|
||||||
|
9CkU/pUFAAcZs7GwEHTVz2dWsuxthS/P/DhN1YshDmY17gTBEf+40SUATsD1wBV0
|
||||||
|
tdmbU3i79djbfXXvazR+hi7qDtKo+zJKCDORSq66J70njl0pwN/QIKGQnKt5sYCm
|
||||||
|
3kPTZHrR6ys82MhTFk/C1G4aJjQScTz4buA5UH+0hsE
|
||||||
|
-> ssh-ed25519 2Ca8Kg eqyr8Yr3rrWlhCd+TmKsnywFdp1mwt3jZwuJzO0TwzM
|
||||||
|
mcfYZGTAebrZY9Ool8sPn25wPiwe6StBUzdVAyEErAE
|
||||||
|
-> ssh-rsa 2ggJWw
|
||||||
|
h00c7evck2bHux9EhMjLQa1f3O3tReLd65LDJB28jH7SbpT6t8Gxfk9tamGFHg4Z
|
||||||
|
lGxkzZjK9xnroBpZv5ikuP+tD7A6A2saDXDnnAw+wHUGv0UO5yzr0HPIvwE1bVR5
|
||||||
|
GOW1iqPMHKB2v6NeTaBG1g5TohSYEDDINkQv+Q4NyPhdpX9bGd3biWiBAa1gy3Xp
|
||||||
|
XmDwtUfBg9IN+EeQTpC/tc4C1pLd3k7E+5pZDQebfTlvXZ83SH05BpBnpakPWNty
|
||||||
|
Pf3s/iMwWBiJ+8GiwQ7c6FjTrr9ImJe8nD6mknWGpsMEQ9wB4Bd9l5RTjpTW9wCo
|
||||||
|
DNtN8Mo0SGgFXjj/5XO0kMDhDike/GLr6wfD0HVgRP9MtcatvEaezp4RY6NIknjy
|
||||||
|
F49KFsZWhzqwU2c4VX3ayFGJHcn/TT6o2QL3qZoI6x23ZFHQlXtQjXfhTkXk2qJt
|
||||||
|
565cgrWzLYV7y+DB5fwaG/+Twlnr8rMQOPwyEnrWylh+AY3H/2/M1qQz2b2UQapl
|
||||||
|
|
||||||
|
-> }L0d&,o-grease QVMP gPkF4&,`
|
||||||
|
YaavYxfymQIl4xRnz1AZxLAY7+r2R9Mftt9AIk11bEymVtCWhsWtSbnhsq9q+fjm
|
||||||
|
yYwVUyIh4eeH4oOdz3ssnmB3gg
|
||||||
|
--- 5VOiRneXGtTtik3m0OJY8zV8Sboh18DIB4eM07M+1Lo
|
||||||
|
ö™:üŠØþI{ˆzþ)ƒô½-tÈ«½©jT»0rE™ÚYæg4wFA³SÖ÷9RÐ…çëQ¡5<C2A1>c{ºÈz–j…lÁRAØãàÛH”L y£ø²W•6¢¢l>¸–ߪ}m¤Ý¿óÆbѱ“ô6*ÎËg"ßãÈè}Xˆí>W¬œÛÇ<C39B>ÕTÉÞ™é¼Ì#
mÍi@êiö:°zõ愲jbc(ƦŸýìùô{ô™¨ª¯©âwã(ÖθÈäyÔ§`iÌó_ïC-`ŽP‘ô³²e«¶ç<C2B6>CÈ»tSÆ5Ž·e÷Zp%þQ´B¿Êh4yžC°dY¿«<C2BF>—Lˆ<Nw½µýÆ<>„ÊVñ4ù/ð:•+Ÿãx5ÚÞÁ8_V F6ð½)a>….
}É‘^h¿óÖ®îÍ<C3AE>ø.Ÿ’<C5B8>»ËË¿GÑà”›ÿ~ÝŒd¢EoZ=|×C•O
ö”x7›,Nƒ•ïú¹PÖ䥈%*I%®kÎ[<5B>ØÐ|-<2D>ÈžT¦úe~3¥6ËÞ!C"Öai/kDmì]<5D>íJ÷Û>ü¬n^»OýÚ—MãÌíü‚SÁ°7„¼»<C2BC>1P\ý€ú?x\;B¸#u”BŽ$hѵ:¶Ë
|
|
@ -5,8 +5,8 @@ let
|
||||||
biolimo-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZzg8pfVtFonx/IvO2MKG5uVF/sMJAOt1Ifm9Vds2eA root@biolimo";
|
biolimo-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZzg8pfVtFonx/IvO2MKG5uVF/sMJAOt1Ifm9Vds2eA root@biolimo";
|
||||||
biolimo-user = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDDoYNvXWunQYFORRjcYH1F98+zr20U79ROh+gmaC7AY/x3yf4y8uyMayF56VgQLVNwgEchT5t4dNb9qo2+1oUnjiKrKAVfQMN6WMMMEr4F4WT784uvBx5Uo6vmhgAa+xoo62c4TV2Uf49ZiPd+zAApBHW1F/whPtunPF28Wfr9g+ozSidhnAr+3nkfJh331tz9s+wgQ39AFzFWftQ60Guulpfj8SaVyxyv/yZZAuFpXNzN0Cz4fWBIWFOsib6Z8y+SlUCzSzOguZ7FygHjwlvOxoISsASAuf0OfUKHxVshiL5F5AX1ddmUgXbUKUTp/3Iunr74pfOQC8TXzZHqhrlFzYDmK5J9E6eADSpgx++bCCaHycl73BWeertCBZSHBXeb3Db9HX+mxwpfP3alVAt4ZqQb3YD/VB7XGDvHbmLn+wSfecO2qA9PxiA0yX7e2BZLN9r3G3bRNSk0GpnYM0i84FE9IipiKKnWVjj7J0UPQmz7rzAn2Lki1CnX9PDdxZneqTxgpBomHJt4H+vXMw13scA4xxEDBvfS5KkjbEJqWLbfklCoER6nV3NPLZ6CBl0Xe/VQBSkqEuUEIXih/oa8emDOGUODNF75ck5NJmKiGg6AFZoeiDa7PZMIxhhOq4vsR2Ty43rztUJ0CMX7iSIk3Eql7kqNdvrJaJ7z0GBsiw== ben@biolimo";
|
biolimo-user = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDDoYNvXWunQYFORRjcYH1F98+zr20U79ROh+gmaC7AY/x3yf4y8uyMayF56VgQLVNwgEchT5t4dNb9qo2+1oUnjiKrKAVfQMN6WMMMEr4F4WT784uvBx5Uo6vmhgAa+xoo62c4TV2Uf49ZiPd+zAApBHW1F/whPtunPF28Wfr9g+ozSidhnAr+3nkfJh331tz9s+wgQ39AFzFWftQ60Guulpfj8SaVyxyv/yZZAuFpXNzN0Cz4fWBIWFOsib6Z8y+SlUCzSzOguZ7FygHjwlvOxoISsASAuf0OfUKHxVshiL5F5AX1ddmUgXbUKUTp/3Iunr74pfOQC8TXzZHqhrlFzYDmK5J9E6eADSpgx++bCCaHycl73BWeertCBZSHBXeb3Db9HX+mxwpfP3alVAt4ZqQb3YD/VB7XGDvHbmLn+wSfecO2qA9PxiA0yX7e2BZLN9r3G3bRNSk0GpnYM0i84FE9IipiKKnWVjj7J0UPQmz7rzAn2Lki1CnX9PDdxZneqTxgpBomHJt4H+vXMw13scA4xxEDBvfS5KkjbEJqWLbfklCoER6nV3NPLZ6CBl0Xe/VQBSkqEuUEIXih/oa8emDOGUODNF75ck5NJmKiGg6AFZoeiDa7PZMIxhhOq4vsR2Ty43rztUJ0CMX7iSIk3Eql7kqNdvrJaJ7z0GBsiw== ben@biolimo";
|
||||||
|
|
||||||
chocolatebar-host = "";
|
chocolatebar-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINZT3QrKugNTWNOwYziQnxrT5zFqWQDafWjScDuIpMhN root@chocolatebar";
|
||||||
chocolatebar-user = "";
|
chocolatebar-user = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDwyNsGCMuyI9x2IxYEbYIL6oYsEfe1wqhHaRxSnK9oc10ge1LJni5o7g6XgryoQpCD9YenImcCxwkKblmlLQ2327uoVC2PUo07li1uT0eIPk0TQoxwp6besFs7/LEzZlgWQsc3gkEXmjk/E0mu0U6z2fkqciJ/ZxWYt9fLP6jBG47U9878rSaZ7k7Ilv6oRA3suArH189k1nerk/tonS4EWXeHZxHh/Eu0tqwmxN/6+g2GicYn6b+MbFQVdQAkctqT5Yz9USm9UKzbaAuZ799u0dJzagHm9JJZOr8r11ENtAkY9kAzRzm3u/ACiSdVzyLdjAK6m0dIPhp3OhedzuHiI6/wRll60tYtQTH1XwUpVbtir3+DT+jwZgO1zH3yL4iNh79kuUo+UEg1ZmGkSZRzSS2vb5qr0J5aSJmCd5sNB7a01PTtSlQPOqSF9PB+UmcLDF7JoKFub0KT/gRZ5neZkXTYQ/Y05qtaaFVlOVISijnm+sLUvKBv6OW8oYXIHBk= ben@chocolatebar";
|
||||||
|
|
||||||
allKeys = [
|
allKeys = [
|
||||||
bbcom
|
bbcom
|
||||||
|
@ -34,5 +34,10 @@ let
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
"keyfile-biolimo.bin".publicKeys = biolimoKeys;
|
"keyfile-biolimo.bin".publicKeys = biolimoKeys;
|
||||||
"keyfile-chocolatebar.bin".publicKeys = biolimoKeys;
|
|
||||||
|
"keyfile-chocolatebar.bin".publicKeys = chocolatebarKeys;
|
||||||
|
"crypto_keyfile-chocolatebar.bin".publicKeys = chocolatebarKeys;
|
||||||
|
"hdd_keyfile-chocolatebar.bin".publicKeys = chocolatebarKeys;
|
||||||
|
|
||||||
|
"mopidy.conf".publicKeys = allKeys;
|
||||||
}
|
}
|
||||||
|
|
1
users/ben/.gitattributes
vendored
1
users/ben/.gitattributes
vendored
|
@ -1 +0,0 @@
|
||||||
secrets/** filter=git-crypt-4406E80E13CD656C diff=git-crypt-4406E80E13CD656C
|
|
|
@ -1,4 +1,4 @@
|
||||||
{ config, pkgs, lib, ... }:
|
{ config, pkgs, lib, self, ... }:
|
||||||
with lib;
|
with lib;
|
||||||
let
|
let
|
||||||
psCfg = config.pub-solar;
|
psCfg = config.pub-solar;
|
||||||
|
@ -50,5 +50,6 @@ in
|
||||||
# xdg.configFile."wallpaper.jpg".source = ./assets/wallpaper.jpg;
|
# xdg.configFile."wallpaper.jpg".source = ./assets/wallpaper.jpg;
|
||||||
};
|
};
|
||||||
|
|
||||||
services.mopidy.configuration = mkIf config.pub-solar.audio.enable (builtins.readFile ./secrets/mopidy.conf);
|
age.secrets.mopidyConf.file = "${self}/secrets/mopidy.conf";
|
||||||
|
services.mopidy.extraConfigFiles = [ "/run/secrets/mopidy.conf" ];
|
||||||
}
|
}
|
||||||
|
|
Binary file not shown.
Loading…
Reference in a new issue