prototype

2023-04-24 20:45:39 -06:00
parent 306ce8bc3f
commit b7549e63f5
14 changed files with 499 additions and 28 deletions
--- a/common/auto-update.nix
+++ b/common/auto-update.nix
@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, pkgs, lib, ... }:

 # Modify auto-update so that it pulls a flake

@@ -6,10 +6,20 @@ let
  cfg = config.system.autoUpgrade;
 in
 {
-  config = lib.mkIf cfg.enable {
-    system.autoUpgrade = {
-      flake = "git+https://git.neet.dev/zuckerberg/nix-config.git";
-      flags = [ "--recreate-lock-file" "--no-write-lock-file" ]; # ignore lock file, just pull the latest
-    };
-  };
+  config = lib.mkIf cfg.enable (lib.mkMerge [
+    {
+      system.autoUpgrade = {
+        flake = "git+https://git.neet.dev/zuckerberg/nix-config.git";
+        flags = [ "--recreate-lock-file" "--no-write-lock-file" ]; # ignore lock file, just pull the latest
+
+        # dates = "03:40";
+        # kexecWindow = lib.mkDefault { lower = "01:00"; upper = "05:00"; };
+        # randomizedDelaySec = "45min";
+      };
+
+      system.autoUpgrade.allowKexec = lib.mkDefault true;
+
+      luks.enableKexec = cfg.allowKexec && builtins.length config.luks.devices > 0;
+    }
+  ]);
 }
--- a/common/boot/default.nix
+++ b/common/boot/default.nix
@@ -5,6 +5,8 @@
    ./firmware.nix
    ./efi.nix
    ./bios.nix
+    ./kexec-luks.nix
+    ./luks.nix
    ./remote-luks-unlock.nix
  ];
 }
--- a/common/boot/kexec-luks.nix
+++ b/common/boot/kexec-luks.nix
@@ -0,0 +1,121 @@
+# Allows kexec'ing as an alternative to rebooting for machines that
+# have luks encrypted partitions that need to be mounted at boot.
+# These luks partitions will be automatically unlocked, no password,
+# or any interaction needed whatsoever.
+
+# This is accomplished by fetching the luks key(s) while the system is running,
+# then building a temporary initrd that contains the luks key(s), and kexec'ing.
+
+{ config, lib, pkgs, ... }:
+
+{
+  options.luks = {
+    enableKexec = lib.mkEnableOption "Enable support for transparent passwordless kexec while using luks";
+  };
+
+  config = lib.mkIf config.luks.enableKexec {
+    luks.fallbackToPassword = true;
+    luks.disableKeyring = true;
+
+    boot.initrd.luks.devices = lib.listToAttrs
+      (builtins.map
+        (item:
+          {
+            name = item;
+            value = {
+              masterKeyFile = "/etc/${item}.key";
+            };
+          })
+        config.luks.deviceNames);
+
+    systemd.services.prepare-luks-kexec-image = {
+      description = "Prepare kexec automatic LUKS unlock on kexec reboot without a password";
+
+      wantedBy = [ "kexec.target" ];
+      unitConfig.DefaultDependencies = false;
+      serviceConfig.Type = "oneshot";
+
+      path = with pkgs; [ file kexec-tools coreutils-full cpio findutils gzip xz zstd lvm2 xxd gawk ];
+
+      # based on https://github.com/flowztul/keyexec
+      script = ''
+        system=/nix/var/nix/profiles/system
+        old_initrd=$(readlink -f "$system/initrd")
+
+        umask 0077
+        CRYPTROOT_TMPDIR="$(mktemp -d --tmpdir=/dev/shm)"
+
+        cleanup() {
+          shred -fu "$CRYPTROOT_TMPDIR/initrd_contents/etc/"*.key || true
+          shred -fu "$CRYPTROOT_TMPDIR/new_initrd" || true
+          shred -fu "$CRYPTROOT_TMPDIR/secret/"* || true
+          rm -rf "$CRYPTROOT_TMPDIR"
+        }
+        # trap cleanup INT TERM EXIT
+
+        mkdir -p "$CRYPTROOT_TMPDIR"
+        cd "$CRYPTROOT_TMPDIR"
+
+        # Determine the compression type of the initrd image
+        compression=$(file -b --mime-type "$old_initrd" | awk -F'/' '{print $2}')
+
+        # Decompress the initrd image based on its compression type
+        case "$compression" in
+          gzip)
+            gunzip -c "$old_initrd" > initrd.cpio
+            ;;
+          xz)
+            unxz -c "$old_initrd" > initrd.cpio
+            ;;
+          zstd)
+            zstd -d -c "$old_initrd" > initrd.cpio
+            ;;
+          *)
+            echo "Unsupported compression type: $compression"
+            exit 1
+            ;;
+        esac
+
+        # Extract the contents of the cpio archive
+        mkdir -p initrd_contents
+        cd initrd_contents
+        cpio -idv < ../initrd.cpio
+
+        # Generate keys and add them to the extracted initrd filesystem
+        luksDeviceNames=(${builtins.concatStringsSep " " config.luks.deviceNames})
+        for item in "''${luksDeviceNames[@]}"; do
+          dmsetup --showkeys table "$item" | cut -d ' ' -f5 | xxd -ps -g1 -r > "./etc/$item.key"
+        done
+
+        # Add normal initrd secrets too
+        ${lib.concatStringsSep "\n" (lib.mapAttrsToList (dest: source:
+            let source' = if source == null then dest else builtins.toString source; in
+              ''
+                mkdir -p $(dirname "./${dest}")
+                cp -a ${source'} "./${dest}"
+              ''
+          ) config.boot.initrd.secrets)
+        }
+
+        # Create a new cpio archive with the modified contents
+        find . | cpio -o -H newc -v > ../new_initrd.cpio
+
+        # Compress the new cpio archive using the original compression type
+        cd ..
+        case "$compression" in
+          gzip)
+            gunzip -c new_initrd.cpio > new_initrd
+            ;;
+          xz)
+            unxz -c new_initrd.cpio > new_initrd
+            ;;
+          zstd)
+            zstd -c new_initrd.cpio > new_initrd
+            ;;
+        esac
+
+        kexec --load "$system/kernel" --append "init=$system/init ${builtins.concatStringsSep " " config.boot.kernelParams}" --initrd "$CRYPTROOT_TMPDIR/new_initrd"
+      '';
+    };
+  };
+}
--- a/common/boot/luks.nix
+++ b/common/boot/luks.nix
@@ -0,0 +1,74 @@
+# Makes it a little easier to configure luks partitions for boot
+# Additionally, this solves a circular dependency between kexec luks
+# and NixOS's luks module.
+
+{ config, lib, ... }:
+
+let
+  cfg = config.luks;
+
+  deviceCount = builtins.length cfg.devices;
+
+  deviceMap = lib.imap
+    (i: item: {
+      device = item;
+      name =
+        if deviceCount == 1 then "enc-pv"
+        else "enc-pv${builtins.toString (i + 1)}";
+    })
+    cfg.devices;
+in
+{
+  options.luks = {
+    devices = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      default = [ ];
+    };
+
+    allowDiscards = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+    };
+
+    fallbackToPassword = lib.mkEnableOption
+      "Fallback to interactive passphrase prompt if the cannot be found.";
+
+    disableKeyring = lib.mkEnableOption
+      "When opening LUKS2 devices, don't use the kernel keyring";
+
+    # set automatically, don't touch
+    deviceNames = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+    };
+  };
+
+  config = lib.mkMerge [
+    {
+      assertions = [
+        {
+          assertion = deviceCount == builtins.length (builtins.attrNames config.boot.initrd.luks.devices);
+          message = ''
+            All luks devices must be specified using `luks.devices` not `boot.initrd.luks.devices`.
+          '';
+        }
+      ];
+    }
+    (lib.mkIf (deviceCount != 0) {
+      luks.deviceNames = builtins.map (device: device.name) deviceMap;
+
+      boot.initrd.luks.devices = lib.listToAttrs (
+        builtins.map
+          (item:
+            {
+              name = item.name;
+              value = {
+                device = item.device;
+                allowDiscards = cfg.allowDiscards;
+                fallbackToPassword = cfg.fallbackToPassword;
+                disableKeyring = cfg.disableKeyring;
+              };
+            })
+          deviceMap);
+    })
+  ];
+}
--- a/common/boot/remote-luks-unlock.nix
+++ b/common/boot/remote-luks-unlock.nix
@@ -33,11 +33,6 @@ in
  };

  config = lib.mkIf cfg.enable {
-    # boot.initrd.luks.devices.${cfg.device.name} = {
-    #   device = cfg.device.path;
-    #   allowDiscards = cfg.device.allowDiscards;
-    # };
-
    # Unlock LUKS disk over ssh
    boot.initrd.network.enable = true;
    boot.initrd.kernelModules = cfg.kernelModules;