diff --git a/common/boot/default.nix b/common/boot/default.nix index e651288..3a22364 100644 --- a/common/boot/default.nix +++ b/common/boot/default.nix @@ -5,6 +5,6 @@ ./firmware.nix ./efi.nix ./bios.nix - ./luks.nix + ./remote-luks-unlock.nix ]; } \ No newline at end of file diff --git a/common/boot/luks.nix b/common/boot/remote-luks-unlock.nix similarity index 55% rename from common/boot/luks.nix rename to common/boot/remote-luks-unlock.nix index cbf1c7b..6e32658 100644 --- a/common/boot/luks.nix +++ b/common/boot/remote-luks-unlock.nix @@ -1,22 +1,14 @@ { config, pkgs, lib, ... }: let - cfg = config.luks; + cfg = config.remoteLuksUnlock; in { - options.luks = { + options.remoteLuksUnlock = { enable = lib.mkEnableOption "enable luks root remote decrypt over ssh/tor"; - device = { - name = lib.mkOption { - type = lib.types.str; - default = "enc-pv"; - }; - path = lib.mkOption { - type = lib.types.either lib.types.str lib.types.path; - }; - allowDiscards = lib.mkOption { - type = lib.types.bool; - default = false; - }; + enableTorUnlock = lib.mkOption { + type = lib.types.bool; + default = cfg.enable; + description = "Make machine accessable over tor for ssh boot unlock"; }; sshHostKeys = lib.mkOption { type = lib.types.listOf (lib.types.either lib.types.str lib.types.path); @@ -40,10 +32,10 @@ in { }; config = lib.mkIf cfg.enable { - boot.initrd.luks.devices.${cfg.device.name} = { - device = cfg.device.path; - allowDiscards = cfg.device.allowDiscards; - }; + # boot.initrd.luks.devices.${cfg.device.name} = { + # device = cfg.device.path; + # allowDiscards = cfg.device.allowDiscards; + # }; # Unlock LUKS disk over ssh boot.initrd.network.enable = true; 
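Review bot: The new `enableTorUnlock` option in the `@@ -1,22 +1,14 @@` hunk defaults to `cfg.enable`, so every host that sets `remoteLuksUnlock.enable = true` also publishes its initrd SSH service as a Tor hidden service unless it explicitly opts out; exposing a pre-boot unlock endpoint is better made opt-in with `default = false;`, or, if the current coupling is intended, the description should say that enabling the module widens exposure by default. The description also has a typo: `description = "Make machine accessible over tor for ssh boot unlock";`. The option set continues past the hunk (`sshHostKeys` and, presumably, `onionConfig`), so the remaining options are not visible here.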
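Review bot: In the `@@ -40,10 +32,10 @@` hunk the four `# boot.initrd.luks.devices.${cfg.device.name} = { … };` lines are commented-out code that references `cfg.device.*`, options this same commit removes, so they can never be re-enabled as written and should be deleted rather than kept as comments. Callers are now expected to declare `boot.initrd.luks.devices` themselves (as the machine hardware-configuration hunks do), which is worth stating in the `enable` option's description instead of in dead code. The `config = lib.mkIf cfg.enable { … }` set continues past the hunk.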
@@ -61,41 +53,41 @@ in { echo /crypt-ramfs/passphrase >> /dev/null ''; - # Make machine accessable over tor for boot unlock - boot.initrd.secrets = { + boot.initrd.secrets = lib.mkIf cfg.enableTorUnlock { "/etc/tor/onion/bootup" = cfg.onionConfig; }; - boot.initrd.extraUtilsCommands = '' + boot.initrd.extraUtilsCommands = lib.mkIf cfg.enableTorUnlock '' copy_bin_and_libs ${pkgs.tor}/bin/tor copy_bin_and_libs ${pkgs.haveged}/bin/haveged ''; - # start tor during boot process - boot.initrd.network.postCommands = let - torRc = (pkgs.writeText "tor.rc" '' + boot.initrd.network.postCommands = lib.mkMerge [ + ('' + # Add nice prompt for giving LUKS passphrase over ssh + echo 'read -s -p "Unlock Passphrase: " passphrase && echo $passphrase > /crypt-ramfs/passphrase && exit' >> /root/.profile + '') + + (let torRc = (pkgs.writeText "tor.rc" '' DataDirectory /etc/tor SOCKSPort 127.0.0.1:9050 IsolateDestAddr SOCKSPort 127.0.0.1:9063 HiddenServiceDir /etc/tor/onion/bootup HiddenServicePort 22 127.0.0.1:22 - ''); - in '' - # Add nice prompt for giving LUKS passphrase over ssh - echo 'read -s -p "Unlock Passphrase: " passphrase && echo $passphrase > /crypt-ramfs/passphrase && exit' >> /root/.profile + ''); in lib.mkIf cfg.enableTorUnlock '' + echo "tor: preparing onion folder" + # have to do this otherwise tor does not want to start + chmod -R 700 /etc/tor - echo "tor: preparing onion folder" - # have to do this otherwise tor does not want to start - chmod -R 700 /etc/tor + echo "make sure localhost is up" + ip a a 127.0.0.1/8 dev lo + ip link set lo up - echo "make sure localhost is up" - ip a a 127.0.0.1/8 dev lo - ip link set lo up + echo "haveged: starting haveged" + haveged -F & - echo "haveged: starting haveged" - haveged -F & - - echo "tor: starting tor" - tor -f ${torRc} --verify-config - tor -f ${torRc} & - ''; + echo "tor: starting tor" + tor -f ${torRc} --verify-config + tor -f ${torRc} & + '') + ]; }; } 
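Review bot: In the first `lib.mkMerge` element the passphrase is written with `echo $passphrase`, unquoted, so a passphrase containing runs of spaces or glob characters is altered by word splitting and pathname expansion before it reaches `/crypt-ramfs/passphrase`; quote it: `echo 'read -s -p "Unlock Passphrase: " passphrase && echo "$passphrase" > /crypt-ramfs/passphrase && exit' >> /root/.profile`. Whether the trailing newline that `echo` appends is stripped depends on the consumer of that file, which is outside this hunk. In the second element the exit status of `tor -f ${torRc} --verify-config` is ignored and the backgrounded `tor -f ${torRc} &` runs regardless, so a bad `tor.rc` silently yields no onion service; `tor -f ${torRc} --verify-config && tor -f ${torRc} &` makes the failure stop the start (the whole list is then backgrounded, which is fine here).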
diff --git a/common/network/hosts.nix b/common/network/hosts.nix index 87da16c..364a626 100644 --- a/common/network/hosts.nix +++ b/common/network/hosts.nix @@ -8,6 +8,7 @@ let # hostnames that resolve on clearnet for LUKS unlocking unlock-clearnet-hosts = { ponyo = "unlock.ponyo.neet.dev"; + s0 = "s0"; }; # hostnames that resolve on tor for LUKS unlocking @@ -15,6 +16,7 @@ let liza = "5synsrjgvfzywruomjsfvfwhhlgxqhyofkzeqt2eisyijvjvebnu2xyd.onion"; router = "jxx2exuihlls2t6ncs7rvrjh2dssubjmjtclwr2ysvxtr4t7jv55xmqd.onion"; ponyo = "cfamr6artx75qvt7ho3rrbsc7mkucmv5aawebwflsfuorusayacffryd.onion"; + s0 = "r3zvf7f2ppaeithzswigma46pajt3hqytmkg3rshgknbl3jbni455fqd.onion"; }; in { networking.hosts = { @@ -57,6 +59,10 @@ in { hostNames = [ "s0" "s0.zt.neet.dev" ]; publicKey = system.s0; }; + s0-unlock = { + hostNames = [ unlock-onion-hosts.s0 ]; + publicKey = system.s0-unlock; + }; n1 = { hostNames = [ "n1" ]; publicKey = system.n1; diff --git a/common/ssh.nix b/common/ssh.nix index 899c212..8fb554a 100644 --- a/common/ssh.nix +++ b/common/ssh.nix @@ -14,6 +14,7 @@ rec { router = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFr2IHmWFlaLaLp5dGoSmFEYKA/eg2SwGXAogaOmLsHL"; router-unlock = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOw5dTPmtKqiPBH6VKyz5MYBubn8leAh5Eaw7s/O85c"; s0 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q"; + s0-unlock = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNiceeFMos5ZXcYem4yFxh8PiZNNnuvhlyLbQLrgIZH"; n1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPWlhd1Oid5Xf2zdcBrcdrR0TlhObutwcJ8piobRTpRt"; n2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ7bRiRutnI7Bmyt/I238E3Fp5DqiClIXiVibsccipOr"; n3 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+rJEaRrFDGirQC2UoWQkmpzLg4qgTjGJgVqiipWiU5"; diff --git a/machines/liza/hardware-configuration.nix b/machines/liza/hardware-configuration.nix index e38f0d9..85c0eda 100644 --- a/machines/liza/hardware-configuration.nix +++ b/machines/liza/hardware-configuration.nix 
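Review bot: In the first hosts.nix hunk the clearnet unlock name for s0 is the bare `s0 = "s0";`, which is the same string the existing `s0` knownHosts entry lists in `hostNames = [ "s0" "s0.zt.neet.dev" ]` with `publicKey = system.s0`; if `unlock-clearnet-hosts` is used to reach the initrd SSH service (presumably, given the `-unlock` naming), a client connecting to `s0` for unlock is presented with `system.s0-unlock` while known_hosts pins `system.s0`, i.e. a host-key mismatch warning rather than a clean match. The other entry in that set is a dedicated name (`unlock.ponyo.neet.dev`), so a distinct unlock hostname for s0 would follow the pattern and let the new `s0-unlock` entry in the third hunk list it next to the onion name, e.g. `hostNames = [ unlock-clearnet-hosts.s0 unlock-onion-hosts.s0 ];`. How `unlock-clearnet-hosts` is consumed is outside these hunks.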
@@ -20,10 +20,8 @@ device = "/dev/sda"; }; - luks = { - enable = true; - device.path = "/dev/disk/by-uuid/2f736fba-8a0c-4fb5-8041-c849fb5e1297"; - }; + remoteLuksUnlock.enable = true; + boot.initrd.luks.devices."enc-pv".device = "/dev/disk/by-uuid/2f736fba-8a0c-4fb5-8041-c849fb5e1297"; fileSystems."/" = { device = "/dev/disk/by-uuid/b90eaf3c-2f91-499a-a066-861e0f4478df"; diff --git a/machines/ponyo/hardware-configuration.nix b/machines/ponyo/hardware-configuration.nix index 31fb0f7..82a83e7 100644 --- a/machines/ponyo/hardware-configuration.nix +++ b/machines/ponyo/hardware-configuration.nix @@ -17,10 +17,8 @@ device = "/dev/sda"; }; - luks = { - enable = true; - device.path = "/dev/disk/by-uuid/4cc36be4-dbff-4afe-927d-69bf4637bae2"; - }; + remoteLuksUnlock.enable = true; + boot.initrd.luks.devices."enc-pv".device = "/dev/disk/by-uuid/4cc36be4-dbff-4afe-927d-69bf4637bae2"; fileSystems."/" = { device = "/dev/mapper/enc-pv"; diff --git a/machines/ray/hardware-configuration.nix b/machines/ray/hardware-configuration.nix index f876e17..bc16c19 100644 --- a/machines/ray/hardware-configuration.nix +++ b/machines/ray/hardware-configuration.nix @@ -34,6 +34,7 @@ }; # disks + remoteLuksUnlock.enable = true; boot.initrd.luks.devices."enc-pv" = { device = "/dev/disk/by-uuid/c1822e5f-4137-44e1-885f-954e926583ce"; allowDiscards = true; diff --git a/machines/router/hardware-configuration.nix b/machines/router/hardware-configuration.nix index 5df36fd..13d2d98 100644 --- a/machines/router/hardware-configuration.nix +++ b/machines/router/hardware-configuration.nix @@ -27,10 +27,8 @@ }; # disks - luks = { - enable = true; - device.path = "/dev/disk/by-uuid/9b090551-f78e-45ca-8570-196ed6a4af0c"; - }; + remoteLuksUnlock.enable = true; + boot.initrd.luks.devices."enc-pv".device = "/dev/disk/by-uuid/9b090551-f78e-45ca-8570-196ed6a4af0c"; fileSystems."/" = { device = "/dev/disk/by-uuid/421c82b9-d67c-4811-8824-8bb57cb10fce"; fsType = "btrfs"; 
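Review bot: The ray hunk enables `remoteLuksUnlock` on a host that previously did not use the luks module at all, and because `enableTorUnlock` defaults to `cfg.enable` this also publishes ray's initrd SSH service as an onion service, yet no ray entry is added to the unlock host lists in hosts.nix in this commit; if Tor exposure is not intended for ray, add `remoteLuksUnlock.enableTorUnlock = false;` next to the enable line, and either way setting it explicitly records the decision. The liza, ponyo and router hunks are equivalent rewrites of the old `luks` options (`allowDiscards` was already `false` by default) and raise nothing further. Whether `onionConfig` is set for ray elsewhere is outside this diff.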
diff --git a/machines/storage/s0/hardware-configuration.nix b/machines/storage/s0/hardware-configuration.nix index 855f993..4c1d87c 100644 --- a/machines/storage/s0/hardware-configuration.nix +++ b/machines/storage/s0/hardware-configuration.nix @@ -23,6 +23,7 @@ boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; # luks + remoteLuksUnlock.enable = true; boot.initrd.luks.devices."enc-pv1".device = "/dev/disk/by-uuid/d52e99a9-8825-4d0a-afc1-8edbef7e0a86"; boot.initrd.luks.devices."enc-pv2".device = "/dev/disk/by-uuid/f7275585-7760-4230-97de-36704b9a2aa3"; boot.initrd.luks.devices."enc-pv3".device = "/dev/disk/by-uuid/5d1002b8-a0ed-4a1c-99f5-24b8816d9e38";
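Review bot: s0 has three LUKS devices (`enc-pv1` … `enc-pv3`) but the unlock path in remote-luks-unlock.nix delivers a single passphrase file (`/crypt-ramfs/passphrase`); whether all three volumes are opened from that one file depends on code outside this hunk, so a short comment at the `# luks` line stating the expectation, e.g. `# luks: all three volumes share the passphrase supplied via remote unlock`, would record it. If the volumes use different passphrases the boot may stall at the second device, which is worth confirming before relying on remote unlock for s0.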