Cleanup remote LUKS unlock
This commit is contained in:
		
							parent
							
								
									2c8576a295
								
							
						
					
					
						commit
						3e0cde40b8
					
				| @ -5,6 +5,6 @@ | ||||
|     ./firmware.nix | ||||
|     ./efi.nix | ||||
|     ./bios.nix | ||||
|     ./luks.nix | ||||
|     ./remote-luks-unlock.nix | ||||
|   ]; | ||||
| } | ||||
| @ -1,22 +1,14 @@ | ||||
| { config, pkgs, lib, ... }: | ||||
| 
 | ||||
| let | ||||
|   cfg = config.luks; | ||||
|   cfg = config.remoteLuksUnlock; | ||||
| in { | ||||
|   options.luks = { | ||||
|   options.remoteLuksUnlock = { | ||||
|     enable = lib.mkEnableOption "enable luks root remote decrypt over ssh/tor"; | ||||
|     device = { | ||||
|       name = lib.mkOption { | ||||
|         type = lib.types.str; | ||||
|         default = "enc-pv"; | ||||
|       }; | ||||
|       path = lib.mkOption { | ||||
|         type = lib.types.either lib.types.str lib.types.path; | ||||
|       }; | ||||
|       allowDiscards = lib.mkOption { | ||||
|     enableTorUnlock = lib.mkOption { | ||||
|       type = lib.types.bool; | ||||
|         default = false; | ||||
|       }; | ||||
|       default = cfg.enable; | ||||
|       description = "Make machine accessable over tor for ssh boot unlock"; | ||||
|     }; | ||||
|     sshHostKeys = lib.mkOption { | ||||
|       type = lib.types.listOf (lib.types.either lib.types.str lib.types.path); | ||||
| @ -40,10 +32,10 @@ in { | ||||
|   }; | ||||
| 
 | ||||
|   config = lib.mkIf cfg.enable { | ||||
|     boot.initrd.luks.devices.${cfg.device.name} = { | ||||
|       device = cfg.device.path; | ||||
|       allowDiscards = cfg.device.allowDiscards; | ||||
|     }; | ||||
|     # boot.initrd.luks.devices.${cfg.device.name} = { | ||||
|     #   device = cfg.device.path; | ||||
|     #   allowDiscards = cfg.device.allowDiscards; | ||||
|     # }; | ||||
| 
 | ||||
|     # Unlock LUKS disk over ssh | ||||
|     boot.initrd.network.enable = true; | ||||
| @ -61,27 +53,26 @@ in { | ||||
|       echo /crypt-ramfs/passphrase >> /dev/null | ||||
|     ''; | ||||
| 
 | ||||
|     # Make machine accessable over tor for boot unlock | ||||
|     boot.initrd.secrets = { | ||||
|     boot.initrd.secrets = lib.mkIf cfg.enableTorUnlock { | ||||
|       "/etc/tor/onion/bootup" = cfg.onionConfig; | ||||
|     }; | ||||
|     boot.initrd.extraUtilsCommands = '' | ||||
|     boot.initrd.extraUtilsCommands = lib.mkIf cfg.enableTorUnlock '' | ||||
|       copy_bin_and_libs ${pkgs.tor}/bin/tor | ||||
|       copy_bin_and_libs ${pkgs.haveged}/bin/haveged | ||||
|     ''; | ||||
|     # start tor during boot process | ||||
|     boot.initrd.network.postCommands = let | ||||
|       torRc = (pkgs.writeText "tor.rc" '' | ||||
|     boot.initrd.network.postCommands = lib.mkMerge [ | ||||
|       ('' | ||||
|         # Add nice prompt for giving LUKS passphrase over ssh | ||||
|         echo 'read -s -p "Unlock Passphrase: " passphrase && echo $passphrase > /crypt-ramfs/passphrase && exit' >> /root/.profile | ||||
|       '') | ||||
|        | ||||
|       (let torRc = (pkgs.writeText "tor.rc" '' | ||||
|         DataDirectory /etc/tor | ||||
|         SOCKSPort 127.0.0.1:9050 IsolateDestAddr | ||||
|         SOCKSPort 127.0.0.1:9063 | ||||
|         HiddenServiceDir /etc/tor/onion/bootup | ||||
|         HiddenServicePort 22 127.0.0.1:22 | ||||
|       ''); | ||||
|     in '' | ||||
|       # Add nice prompt for giving LUKS passphrase over ssh | ||||
|       echo 'read -s -p "Unlock Passphrase: " passphrase && echo $passphrase > /crypt-ramfs/passphrase && exit' >> /root/.profile | ||||
| 
 | ||||
|       ''); in lib.mkIf cfg.enableTorUnlock '' | ||||
|         echo "tor: preparing onion folder" | ||||
|         # have to do this otherwise tor does not want to start | ||||
|         chmod -R 700 /etc/tor | ||||
| @ -96,6 +87,7 @@ in { | ||||
|         echo "tor: starting tor" | ||||
|         tor -f ${torRc} --verify-config | ||||
|         tor -f ${torRc} & | ||||
|     ''; | ||||
|       '') | ||||
|     ]; | ||||
|   }; | ||||
| } | ||||
| @ -8,6 +8,7 @@ let | ||||
|   # hostnames that resolve on clearnet for LUKS unlocking | ||||
|   unlock-clearnet-hosts = { | ||||
|     ponyo = "unlock.ponyo.neet.dev"; | ||||
|     s0 = "s0"; | ||||
|   }; | ||||
| 
 | ||||
|   # hostnames that resolve on tor for LUKS unlocking | ||||
| @ -15,6 +16,7 @@ let | ||||
|     liza = "5synsrjgvfzywruomjsfvfwhhlgxqhyofkzeqt2eisyijvjvebnu2xyd.onion"; | ||||
|     router = "jxx2exuihlls2t6ncs7rvrjh2dssubjmjtclwr2ysvxtr4t7jv55xmqd.onion"; | ||||
|     ponyo = "cfamr6artx75qvt7ho3rrbsc7mkucmv5aawebwflsfuorusayacffryd.onion"; | ||||
|     s0 = "r3zvf7f2ppaeithzswigma46pajt3hqytmkg3rshgknbl3jbni455fqd.onion"; | ||||
|   }; | ||||
| in { | ||||
|   networking.hosts = { | ||||
| @ -57,6 +59,10 @@ in { | ||||
|       hostNames = [ "s0" "s0.zt.neet.dev" ]; | ||||
|       publicKey = system.s0; | ||||
|     }; | ||||
|     s0-unlock = { | ||||
|       hostNames = [ unlock-onion-hosts.s0 ]; | ||||
|       publicKey = system.s0-unlock; | ||||
|     }; | ||||
|     n1 = { | ||||
|       hostNames = [ "n1" ]; | ||||
|       publicKey = system.n1; | ||||
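Review bot: The new clearnet unlock name `s0 = "s0";` is the same bare hostname that the existing `s0` knownHosts entry pins to `system.s0` (`hostNames = [ "s0" "s0.zt.neet.dev" ]`), while the added `s0-unlock` entry lists only the onion address. If the initrd sshd on s0 presents the separate `s0-unlock` key that this commit also adds, an unlock over clearnet to `s0` will be refused as a host-key mismatch; if it presents the normal key, the boot-time and normal SSH identities are conflated, which is exactly what the `*-unlock` split is meant to avoid. ponyo sidesteps this with a dedicated `unlock.ponyo.neet.dev` name; either give s0 a dedicated clearnet unlock name and add it to `s0-unlock.hostNames`, or document the reuse with a comment like `# s0 has no separate clearnet unlock name; clearnet boot-unlock reuses the main s0 entry`. The enclosing knownHosts attribute set continues past the end of this hunk.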
|  | ||||
| @ -14,6 +14,7 @@ rec { | ||||
|     router = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFr2IHmWFlaLaLp5dGoSmFEYKA/eg2SwGXAogaOmLsHL"; | ||||
|     router-unlock = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOw5dTPmtKqiPBH6VKyz5MYBubn8leAh5Eaw7s/O85c"; | ||||
|     s0 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q"; | ||||
|     s0-unlock = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNiceeFMos5ZXcYem4yFxh8PiZNNnuvhlyLbQLrgIZH"; | ||||
|     n1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPWlhd1Oid5Xf2zdcBrcdrR0TlhObutwcJ8piobRTpRt"; | ||||
|     n2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ7bRiRutnI7Bmyt/I238E3Fp5DqiClIXiVibsccipOr"; | ||||
|     n3 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+rJEaRrFDGirQC2UoWQkmpzLg4qgTjGJgVqiipWiU5"; | ||||
|  | ||||
| @ -20,10 +20,8 @@ | ||||
|     device = "/dev/sda"; | ||||
|   }; | ||||
| 
 | ||||
|   luks = { | ||||
|     enable = true; | ||||
|     device.path = "/dev/disk/by-uuid/2f736fba-8a0c-4fb5-8041-c849fb5e1297"; | ||||
|   }; | ||||
|   remoteLuksUnlock.enable = true; | ||||
|   boot.initrd.luks.devices."enc-pv".device = "/dev/disk/by-uuid/2f736fba-8a0c-4fb5-8041-c849fb5e1297"; | ||||
| 
 | ||||
|   fileSystems."/" = | ||||
|     { device = "/dev/disk/by-uuid/b90eaf3c-2f91-499a-a066-861e0f4478df"; | ||||
|  | ||||
| @ -17,10 +17,8 @@ | ||||
|     device = "/dev/sda"; | ||||
|   }; | ||||
| 
 | ||||
|   luks = { | ||||
|     enable = true; | ||||
|     device.path = "/dev/disk/by-uuid/4cc36be4-dbff-4afe-927d-69bf4637bae2"; | ||||
|   }; | ||||
|   remoteLuksUnlock.enable = true; | ||||
|   boot.initrd.luks.devices."enc-pv".device = "/dev/disk/by-uuid/4cc36be4-dbff-4afe-927d-69bf4637bae2"; | ||||
| 
 | ||||
|   fileSystems."/" = | ||||
|     { device = "/dev/mapper/enc-pv"; | ||||
|  | ||||
| @ -34,6 +34,7 @@ | ||||
|   }; | ||||
| 
 | ||||
|   # disks | ||||
|   remoteLuksUnlock.enable = true; | ||||
|   boot.initrd.luks.devices."enc-pv" = { | ||||
|     device = "/dev/disk/by-uuid/c1822e5f-4137-44e1-885f-954e926583ce"; | ||||
|     allowDiscards = true; | ||||
|  | ||||
| @ -27,10 +27,8 @@ | ||||
|   }; | ||||
| 
 | ||||
|   # disks | ||||
|   luks = { | ||||
|     enable = true; | ||||
|     device.path = "/dev/disk/by-uuid/9b090551-f78e-45ca-8570-196ed6a4af0c"; | ||||
|   }; | ||||
|   remoteLuksUnlock.enable = true; | ||||
|   boot.initrd.luks.devices."enc-pv".device = "/dev/disk/by-uuid/9b090551-f78e-45ca-8570-196ed6a4af0c"; | ||||
|   fileSystems."/" = | ||||
|     { device = "/dev/disk/by-uuid/421c82b9-d67c-4811-8824-8bb57cb10fce"; | ||||
|       fsType = "btrfs"; | ||||
|  | ||||
| @ -23,6 +23,7 @@ | ||||
|   boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; | ||||
| 
 | ||||
|   # luks | ||||
|   remoteLuksUnlock.enable = true; | ||||
|   boot.initrd.luks.devices."enc-pv1".device = "/dev/disk/by-uuid/d52e99a9-8825-4d0a-afc1-8edbef7e0a86"; | ||||
|   boot.initrd.luks.devices."enc-pv2".device = "/dev/disk/by-uuid/f7275585-7760-4230-97de-36704b9a2aa3"; | ||||
|   boot.initrd.luks.devices."enc-pv3".device = "/dev/disk/by-uuid/5d1002b8-a0ed-4a1c-99f5-24b8816d9e38"; | ||||
|  | ||||