Cleanup remote LUKS unlock

2023-02-11 18:40:08 -07:00 · 2023-02-11 18:40:08 -07:00 · 3e0cde40b8
commit 3e0cde40b8
parent 2c8576a295
9 changed files with 49 additions and 54 deletions
--- a/common/boot/default.nix
+++ b/common/boot/default.nix
@ -5,6 +5,6 @@
    ./firmware.nix
    ./efi.nix
    ./bios.nix
-    ./luks.nix
+    ./remote-luks-unlock.nix
  ];
 }
--- a/common/boot/remote-luks-unlock.nix
+++ b/common/boot/remote-luks-unlock.nix
@ -1,22 +1,14 @@
 { config, pkgs, lib, ... }:

 let
-  cfg = config.luks;
+  cfg = config.remoteLuksUnlock;
 in {
-  options.luks = {
+  options.remoteLuksUnlock = {
    enable = lib.mkEnableOption "enable luks root remote decrypt over ssh/tor";
-    device = {
-      name = lib.mkOption {
-        type = lib.types.str;
-        default = "enc-pv";
-      };
-      path = lib.mkOption {
-        type = lib.types.either lib.types.str lib.types.path;
-      };
-      allowDiscards = lib.mkOption {
+    enableTorUnlock = lib.mkOption {
      type = lib.types.bool;
-        default = false;
-      };
+      default = cfg.enable;
+      description = "Make machine accessable over tor for ssh boot unlock";
    };
    sshHostKeys = lib.mkOption {
      type = lib.types.listOf (lib.types.either lib.types.str lib.types.path);
@ -40,10 +32,10 @@ in {
  };

  config = lib.mkIf cfg.enable {
-    boot.initrd.luks.devices.${cfg.device.name} = {
-      device = cfg.device.path;
-      allowDiscards = cfg.device.allowDiscards;
-    };
+    # boot.initrd.luks.devices.${cfg.device.name} = {
+    #   device = cfg.device.path;
+    #   allowDiscards = cfg.device.allowDiscards;
+    # };

    # Unlock LUKS disk over ssh
    boot.initrd.network.enable = true;
@ -61,27 +53,26 @@ in {
      echo /crypt-ramfs/passphrase >> /dev/null
    '';

-    # Make machine accessable over tor for boot unlock
-    boot.initrd.secrets = {
+    boot.initrd.secrets = lib.mkIf cfg.enableTorUnlock {
      "/etc/tor/onion/bootup" = cfg.onionConfig;
    };
-    boot.initrd.extraUtilsCommands = ''
+    boot.initrd.extraUtilsCommands = lib.mkIf cfg.enableTorUnlock ''
      copy_bin_and_libs ${pkgs.tor}/bin/tor
      copy_bin_and_libs ${pkgs.haveged}/bin/haveged
    '';
-    # start tor during boot process
-    boot.initrd.network.postCommands = let
-      torRc = (pkgs.writeText "tor.rc" ''
+    boot.initrd.network.postCommands = lib.mkMerge [
+      (''
+        # Add nice prompt for giving LUKS passphrase over ssh
+        echo 'read -s -p "Unlock Passphrase: " passphrase && echo $passphrase > /crypt-ramfs/passphrase && exit' >> /root/.profile
+      '')
+      
+      (let torRc = (pkgs.writeText "tor.rc" ''
        DataDirectory /etc/tor
        SOCKSPort 127.0.0.1:9050 IsolateDestAddr
        SOCKSPort 127.0.0.1:9063
        HiddenServiceDir /etc/tor/onion/bootup
        HiddenServicePort 22 127.0.0.1:22
-      '');
-    in ''
-      # Add nice prompt for giving LUKS passphrase over ssh
-      echo 'read -s -p "Unlock Passphrase: " passphrase && echo $passphrase > /crypt-ramfs/passphrase && exit' >> /root/.profile
-
+      ''); in lib.mkIf cfg.enableTorUnlock ''
        echo "tor: preparing onion folder"
        # have to do this otherwise tor does not want to start
        chmod -R 700 /etc/tor
@ -96,6 +87,7 @@ in {
        echo "tor: starting tor"
        tor -f ${torRc} --verify-config
        tor -f ${torRc} &
-    '';
+      '')
+    ];
  };
 }
--- a/common/network/hosts.nix
+++ b/common/network/hosts.nix
@ -8,6 +8,7 @@ let
  # hostnames that resolve on clearnet for LUKS unlocking
  unlock-clearnet-hosts = {
    ponyo = "unlock.ponyo.neet.dev";
+    s0 = "s0";
  };

  # hostnames that resolve on tor for LUKS unlocking
@ -15,6 +16,7 @@ let
    liza = "5synsrjgvfzywruomjsfvfwhhlgxqhyofkzeqt2eisyijvjvebnu2xyd.onion";
    router = "jxx2exuihlls2t6ncs7rvrjh2dssubjmjtclwr2ysvxtr4t7jv55xmqd.onion";
    ponyo = "cfamr6artx75qvt7ho3rrbsc7mkucmv5aawebwflsfuorusayacffryd.onion";
+    s0 = "r3zvf7f2ppaeithzswigma46pajt3hqytmkg3rshgknbl3jbni455fqd.onion";
  };
 in {
  networking.hosts = {
@ -57,6 +59,10 @@ in {
      hostNames = [ "s0" "s0.zt.neet.dev" ];
      publicKey = system.s0;
    };
+    s0-unlock = {
+      hostNames = [ unlock-onion-hosts.s0 ];
+      publicKey = system.s0-unlock;
+    };
    n1 = {
      hostNames = [ "n1" ];
      publicKey = system.n1;
--- a/common/ssh.nix
+++ b/common/ssh.nix
@ -14,6 +14,7 @@ rec {
    router = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFr2IHmWFlaLaLp5dGoSmFEYKA/eg2SwGXAogaOmLsHL";
    router-unlock = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOw5dTPmtKqiPBH6VKyz5MYBubn8leAh5Eaw7s/O85c";
    s0 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q";
+    s0-unlock = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNiceeFMos5ZXcYem4yFxh8PiZNNnuvhlyLbQLrgIZH";
    n1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPWlhd1Oid5Xf2zdcBrcdrR0TlhObutwcJ8piobRTpRt";
    n2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ7bRiRutnI7Bmyt/I238E3Fp5DqiClIXiVibsccipOr";
    n3 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+rJEaRrFDGirQC2UoWQkmpzLg4qgTjGJgVqiipWiU5";
--- a/machines/liza/hardware-configuration.nix
+++ b/machines/liza/hardware-configuration.nix
@ -20,10 +20,8 @@
    device = "/dev/sda";
  };

-  luks = {
-    enable = true;
-    device.path = "/dev/disk/by-uuid/2f736fba-8a0c-4fb5-8041-c849fb5e1297";
-  };
+  remoteLuksUnlock.enable = true;
+  boot.initrd.luks.devices."enc-pv".device = "/dev/disk/by-uuid/2f736fba-8a0c-4fb5-8041-c849fb5e1297";

  fileSystems."/" =
    { device = "/dev/disk/by-uuid/b90eaf3c-2f91-499a-a066-861e0f4478df";
--- a/machines/ponyo/hardware-configuration.nix
+++ b/machines/ponyo/hardware-configuration.nix
@ -17,10 +17,8 @@
    device = "/dev/sda";
  };

-  luks = {
-    enable = true;
-    device.path = "/dev/disk/by-uuid/4cc36be4-dbff-4afe-927d-69bf4637bae2";
-  };
+  remoteLuksUnlock.enable = true;
+  boot.initrd.luks.devices."enc-pv".device = "/dev/disk/by-uuid/4cc36be4-dbff-4afe-927d-69bf4637bae2";

  fileSystems."/" =
    { device = "/dev/mapper/enc-pv";
--- a/machines/ray/hardware-configuration.nix
+++ b/machines/ray/hardware-configuration.nix
@ -34,6 +34,7 @@
  };

  # disks
+  remoteLuksUnlock.enable = true;
  boot.initrd.luks.devices."enc-pv" = {
    device = "/dev/disk/by-uuid/c1822e5f-4137-44e1-885f-954e926583ce";
    allowDiscards = true;
--- a/machines/router/hardware-configuration.nix
+++ b/machines/router/hardware-configuration.nix
@ -27,10 +27,8 @@
  };

  # disks
-  luks = {
-    enable = true;
-    device.path = "/dev/disk/by-uuid/9b090551-f78e-45ca-8570-196ed6a4af0c";
-  };
+  remoteLuksUnlock.enable = true;
+  boot.initrd.luks.devices."enc-pv".device = "/dev/disk/by-uuid/9b090551-f78e-45ca-8570-196ed6a4af0c";
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/421c82b9-d67c-4811-8824-8bb57cb10fce";
      fsType = "btrfs";
--- a/machines/storage/s0/hardware-configuration.nix
+++ b/machines/storage/s0/hardware-configuration.nix
@ -23,6 +23,7 @@
  boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;

  # luks
+  remoteLuksUnlock.enable = true;
  boot.initrd.luks.devices."enc-pv1".device = "/dev/disk/by-uuid/d52e99a9-8825-4d0a-afc1-8edbef7e0a86";
  boot.initrd.luks.devices."enc-pv2".device = "/dev/disk/by-uuid/f7275585-7760-4230-97de-36704b9a2aa3";
  boot.initrd.luks.devices."enc-pv3".device = "/dev/disk/by-uuid/5d1002b8-a0ed-4a1c-99f5-24b8816d9e38";