Cleanup remote LUKS unlock

This commit is contained in:
Zuckerberg 2023-02-11 18:40:08 -07:00
parent 2c8576a295
commit 3e0cde40b8
9 changed files with 49 additions and 54 deletions


@ -5,6 +5,6 @@
./firmware.nix ./firmware.nix
./efi.nix ./efi.nix
./bios.nix ./bios.nix
./luks.nix ./remote-luks-unlock.nix
]; ];
} }


@ -1,22 +1,14 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let let
cfg = config.luks; cfg = config.remoteLuksUnlock;
in { in {
options.luks = { options.remoteLuksUnlock = {
enable = lib.mkEnableOption "enable luks root remote decrypt over ssh/tor"; enable = lib.mkEnableOption "enable luks root remote decrypt over ssh/tor";
device = { enableTorUnlock = lib.mkOption {
name = lib.mkOption {
type = lib.types.str;
default = "enc-pv";
};
path = lib.mkOption {
type = lib.types.either lib.types.str lib.types.path;
};
allowDiscards = lib.mkOption {
type = lib.types.bool; type = lib.types.bool;
default = false; default = cfg.enable;
}; description = "Make machine accessable over tor for ssh boot unlock";
}; };
sshHostKeys = lib.mkOption { sshHostKeys = lib.mkOption {
type = lib.types.listOf (lib.types.either lib.types.str lib.types.path); type = lib.types.listOf (lib.types.either lib.types.str lib.types.path);
@ -40,10 +32,10 @@ in {
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
boot.initrd.luks.devices.${cfg.device.name} = { # boot.initrd.luks.devices.${cfg.device.name} = {
device = cfg.device.path; # device = cfg.device.path;
allowDiscards = cfg.device.allowDiscards; # allowDiscards = cfg.device.allowDiscards;
}; # };
# Unlock LUKS disk over ssh # Unlock LUKS disk over ssh
boot.initrd.network.enable = true; boot.initrd.network.enable = true;
@ -61,27 +53,26 @@ in {
echo /crypt-ramfs/passphrase >> /dev/null echo /crypt-ramfs/passphrase >> /dev/null
''; '';
# Make machine accessable over tor for boot unlock boot.initrd.secrets = lib.mkIf cfg.enableTorUnlock {
boot.initrd.secrets = {
"/etc/tor/onion/bootup" = cfg.onionConfig; "/etc/tor/onion/bootup" = cfg.onionConfig;
}; };
boot.initrd.extraUtilsCommands = '' boot.initrd.extraUtilsCommands = lib.mkIf cfg.enableTorUnlock ''
copy_bin_and_libs ${pkgs.tor}/bin/tor copy_bin_and_libs ${pkgs.tor}/bin/tor
copy_bin_and_libs ${pkgs.haveged}/bin/haveged copy_bin_and_libs ${pkgs.haveged}/bin/haveged
''; '';
# start tor during boot process boot.initrd.network.postCommands = lib.mkMerge [
boot.initrd.network.postCommands = let (''
torRc = (pkgs.writeText "tor.rc" '' # Add nice prompt for giving LUKS passphrase over ssh
echo 'read -s -p "Unlock Passphrase: " passphrase && echo $passphrase > /crypt-ramfs/passphrase && exit' >> /root/.profile
'')
(let torRc = (pkgs.writeText "tor.rc" ''
DataDirectory /etc/tor DataDirectory /etc/tor
SOCKSPort 127.0.0.1:9050 IsolateDestAddr SOCKSPort 127.0.0.1:9050 IsolateDestAddr
SOCKSPort 127.0.0.1:9063 SOCKSPort 127.0.0.1:9063
HiddenServiceDir /etc/tor/onion/bootup HiddenServiceDir /etc/tor/onion/bootup
HiddenServicePort 22 127.0.0.1:22 HiddenServicePort 22 127.0.0.1:22
''); ''); in lib.mkIf cfg.enableTorUnlock ''
in ''
# Add nice prompt for giving LUKS passphrase over ssh
echo 'read -s -p "Unlock Passphrase: " passphrase && echo $passphrase > /crypt-ramfs/passphrase && exit' >> /root/.profile
echo "tor: preparing onion folder" echo "tor: preparing onion folder"
# have to do this otherwise tor does not want to start # have to do this otherwise tor does not want to start
chmod -R 700 /etc/tor chmod -R 700 /etc/tor
@ -96,6 +87,7 @@ in {
echo "tor: starting tor" echo "tor: starting tor"
tor -f ${torRc} --verify-config tor -f ${torRc} --verify-config
tor -f ${torRc} & tor -f ${torRc} &
''; '')
];
}; };
} }
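Review bot: The commented-out `boot.initrd.luks.devices` block at the top of the config section still reads `cfg.device.name`, `cfg.device.path` and `cfg.device.allowDiscards`, options this commit removes, so it is dead code that can only mislead a later reader; delete the four lines and state the new contract in the option text instead, e.g. `enable = lib.mkEnableOption "luks root remote decrypt over ssh/tor (the host must declare its own boot.initrd.luks.devices entry)";`, and fix the `enableTorUnlock` description to read `accessible`. In the postCommands hunk, the prompt appended to `/root/.profile` expands `$passphrase` unquoted, so a passphrase containing spaces or glob characters is word-split and globbed before it reaches `/crypt-ramfs/passphrase`; the outer shell string is single-quoted, so `echo "$passphrase" > /crypt-ramfs/passphrase` is safe there, as the existing `-p "Unlock Passphrase: "` already shows. The `postCommands` definition begins in the previous hunk, and the surrounding `config` block starts outside the hunks shown.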


@ -8,6 +8,7 @@ let
# hostnames that resolve on clearnet for LUKS unlocking # hostnames that resolve on clearnet for LUKS unlocking
unlock-clearnet-hosts = { unlock-clearnet-hosts = {
ponyo = "unlock.ponyo.neet.dev"; ponyo = "unlock.ponyo.neet.dev";
s0 = "s0";
}; };
# hostnames that resolve on tor for LUKS unlocking # hostnames that resolve on tor for LUKS unlocking
@ -15,6 +16,7 @@ let
liza = "5synsrjgvfzywruomjsfvfwhhlgxqhyofkzeqt2eisyijvjvebnu2xyd.onion"; liza = "5synsrjgvfzywruomjsfvfwhhlgxqhyofkzeqt2eisyijvjvebnu2xyd.onion";
router = "jxx2exuihlls2t6ncs7rvrjh2dssubjmjtclwr2ysvxtr4t7jv55xmqd.onion"; router = "jxx2exuihlls2t6ncs7rvrjh2dssubjmjtclwr2ysvxtr4t7jv55xmqd.onion";
ponyo = "cfamr6artx75qvt7ho3rrbsc7mkucmv5aawebwflsfuorusayacffryd.onion"; ponyo = "cfamr6artx75qvt7ho3rrbsc7mkucmv5aawebwflsfuorusayacffryd.onion";
s0 = "r3zvf7f2ppaeithzswigma46pajt3hqytmkg3rshgknbl3jbni455fqd.onion";
}; };
in { in {
networking.hosts = { networking.hosts = {
@ -57,6 +59,10 @@ in {
hostNames = [ "s0" "s0.zt.neet.dev" ]; hostNames = [ "s0" "s0.zt.neet.dev" ];
publicKey = system.s0; publicKey = system.s0;
}; };
s0-unlock = {
hostNames = [ unlock-onion-hosts.s0 ];
publicKey = system.s0-unlock;
};
n1 = { n1 = {
hostNames = [ "n1" ]; hostNames = [ "n1" ];
publicKey = system.n1; publicKey = system.n1;
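Review bot: The new clearnet unlock entry `s0 = "s0";` reuses the hostname that the `s0` known-host entry in the last hunk already binds to `system.s0`, while the new `s0-unlock` entry lists only the onion address; if the initrd sshd on s0 presents the separate `s0-unlock` key (which the added key in the keys file suggests), a clearnet unlock to `s0` is checked against the runtime key and fails with a host-key-changed error, which teaches users to accept changed keys. The other entries avoid this with a dedicated name such as `unlock.ponyo.neet.dev`; give s0 a distinct clearnet unlock hostname, or at least add it to the unlock entry, `hostNames = [ unlock-onion-hosts.s0 unlock-clearnet-hosts.s0 ];`. How `unlock-clearnet-hosts` is consumed lies outside this hunk, so the failure mode is inferred. The known-hosts attribute set starts before this hunk.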


@ -14,6 +14,7 @@ rec {
router = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFr2IHmWFlaLaLp5dGoSmFEYKA/eg2SwGXAogaOmLsHL"; router = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFr2IHmWFlaLaLp5dGoSmFEYKA/eg2SwGXAogaOmLsHL";
router-unlock = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOw5dTPmtKqiPBH6VKyz5MYBubn8leAh5Eaw7s/O85c"; router-unlock = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOw5dTPmtKqiPBH6VKyz5MYBubn8leAh5Eaw7s/O85c";
s0 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q"; s0 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q";
s0-unlock = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNiceeFMos5ZXcYem4yFxh8PiZNNnuvhlyLbQLrgIZH";
n1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPWlhd1Oid5Xf2zdcBrcdrR0TlhObutwcJ8piobRTpRt"; n1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPWlhd1Oid5Xf2zdcBrcdrR0TlhObutwcJ8piobRTpRt";
n2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ7bRiRutnI7Bmyt/I238E3Fp5DqiClIXiVibsccipOr"; n2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ7bRiRutnI7Bmyt/I238E3Fp5DqiClIXiVibsccipOr";
n3 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+rJEaRrFDGirQC2UoWQkmpzLg4qgTjGJgVqiipWiU5"; n3 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+rJEaRrFDGirQC2UoWQkmpzLg4qgTjGJgVqiipWiU5";


@ -20,10 +20,8 @@
device = "/dev/sda"; device = "/dev/sda";
}; };
luks = { remoteLuksUnlock.enable = true;
enable = true; boot.initrd.luks.devices."enc-pv".device = "/dev/disk/by-uuid/2f736fba-8a0c-4fb5-8041-c849fb5e1297";
device.path = "/dev/disk/by-uuid/2f736fba-8a0c-4fb5-8041-c849fb5e1297";
};
fileSystems."/" = fileSystems."/" =
{ device = "/dev/disk/by-uuid/b90eaf3c-2f91-499a-a066-861e0f4478df"; { device = "/dev/disk/by-uuid/b90eaf3c-2f91-499a-a066-861e0f4478df";


@ -17,10 +17,8 @@
device = "/dev/sda"; device = "/dev/sda";
}; };
luks = { remoteLuksUnlock.enable = true;
enable = true; boot.initrd.luks.devices."enc-pv".device = "/dev/disk/by-uuid/4cc36be4-dbff-4afe-927d-69bf4637bae2";
device.path = "/dev/disk/by-uuid/4cc36be4-dbff-4afe-927d-69bf4637bae2";
};
fileSystems."/" = fileSystems."/" =
{ device = "/dev/mapper/enc-pv"; { device = "/dev/mapper/enc-pv";


@ -34,6 +34,7 @@
}; };
# disks # disks
remoteLuksUnlock.enable = true;
boot.initrd.luks.devices."enc-pv" = { boot.initrd.luks.devices."enc-pv" = {
device = "/dev/disk/by-uuid/c1822e5f-4137-44e1-885f-954e926583ce"; device = "/dev/disk/by-uuid/c1822e5f-4137-44e1-885f-954e926583ce";
allowDiscards = true; allowDiscards = true;


@ -27,10 +27,8 @@
}; };
# disks # disks
luks = { remoteLuksUnlock.enable = true;
enable = true; boot.initrd.luks.devices."enc-pv".device = "/dev/disk/by-uuid/9b090551-f78e-45ca-8570-196ed6a4af0c";
device.path = "/dev/disk/by-uuid/9b090551-f78e-45ca-8570-196ed6a4af0c";
};
fileSystems."/" = fileSystems."/" =
{ device = "/dev/disk/by-uuid/421c82b9-d67c-4811-8824-8bb57cb10fce"; { device = "/dev/disk/by-uuid/421c82b9-d67c-4811-8824-8bb57cb10fce";
fsType = "btrfs"; fsType = "btrfs";


@ -23,6 +23,7 @@
boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
# luks # luks
remoteLuksUnlock.enable = true;
boot.initrd.luks.devices."enc-pv1".device = "/dev/disk/by-uuid/d52e99a9-8825-4d0a-afc1-8edbef7e0a86"; boot.initrd.luks.devices."enc-pv1".device = "/dev/disk/by-uuid/d52e99a9-8825-4d0a-afc1-8edbef7e0a86";
boot.initrd.luks.devices."enc-pv2".device = "/dev/disk/by-uuid/f7275585-7760-4230-97de-36704b9a2aa3"; boot.initrd.luks.devices."enc-pv2".device = "/dev/disk/by-uuid/f7275585-7760-4230-97de-36704b9a2aa3";
boot.initrd.luks.devices."enc-pv3".device = "/dev/disk/by-uuid/5d1002b8-a0ed-4a1c-99f5-24b8816d9e38"; boot.initrd.luks.devices."enc-pv3".device = "/dev/disk/by-uuid/5d1002b8-a0ed-4a1c-99f5-24b8816d9e38";