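# Builds NixOS live ISO images intended for generating GPG keys and loading
# them onto a YubiKey.  The image boots with `copytoram`, has every network
# path disabled, and points GNUPGHOME at /run/user/<uid> (normally a tmpfs
# on NixOS — confirm for the target release) so key material is less likely
# to reach persistent storage.
let
  localLib = import ./lib;
  outPath = localLib.fixedNixpkgs;
in
{ system ? "x86_64-linux"
, crossSystem ? null
, config ? { allowBroken = true; }
, supportedSystems ? [ "x86_64-linux" ]
  # Placeholder revision metadata; release.nix only uses revCount/shortRev
  # to label the produced image version.
, nixpkgs ? { inherit outPath; revCount = 56789; shortRev = "gfedcba"; }
, pkgs ? import nixpkgs { inherit system crossSystem config; }
}:
let
  # gpg-agent must use a terminal pinentry: the image has no graphical
  # session.
  gpg-agent-conf = pkgs.writeText "gpg-agent.conf" ''
    pinentry-program ${pkgs.pinentry-curses}/bin/pinentry-curses
  '';

  yk-scripts = pkgs.callPackage pkgs/yk-scripts {};
  gpg-scripts = pkgs.callPackage pkgs/gpg-scripts {};
  drduh-gpg-conf = pkgs.callPackage pkgs/drduh-gpg-conf {};
  cfssl_1_4_1 = pkgs.callPackage pkgs/cfssl/1.4.1.nix {};

  # Base NixOS configuration shared by every image variant.
  nixos-yubikey-configuration = {
    ## Image overrides.
    isoImage.isoBaseName = pkgs.lib.mkForce "nixos-yubikey";

    # Always copytoram so that, if the image is booted from, e.g., a
    # USB stick, nothing is mistakenly written to persistent storage.
    boot.kernelParams = [ "copytoram" ];

    ## Required packages and services.
    #
    # ref: https://rzetterberg.github.io/yubikey-gpg-nixos.html
    environment.systemPackages = with pkgs; [
      cfssl_1_4_1
      cryptsetup
      diceware
      ent
      git
      gitAndTools.git-extras
      gnupg
      gpg-scripts
      (haskell.lib.justStaticExecutables haskellPackages.hopenpgp-tools)
      paperkey
      parted
      pcsclite
      pcsctools
      pgpdump
      pinentry-curses
      pwgen
      yk-scripts
      yubikey-manager
      yubikey-personalization
    ];

    # udev rules so the YubiKey is accessible to the smart-card daemon.
    services.udev.packages = [
      pkgs.yubikey-personalization
    ];
    services.pcscd.enable = true;

    ## Make sure networking is disabled in every way possible.
    # The firewall stays enabled as a backstop even though no interface
    # should ever be configured.
    boot.initrd.network.enable = false;
    networking.dhcpcd.enable = false;
    networking.dhcpcd.allowInterfaces = [];
    networking.firewall.enable = true;
    networking.useDHCP = false;
    networking.useNetworkd = false;
    networking.wireless.enable = false;

    ## Make it easy to tell which nixpkgs the image was built from.
    #
    # Most of the following config is thanks to Graham Christensen,
    # from:
    # https://github.com/grahamc/network/blob/1d73f673b05a7f976d82ae0e0e61a65d045b3704/modules/standard/default.nix#L56
    nix = {
      useSandbox = true;
      nixPath = [
        # Copy the channel version from the deploy host to the target
        "nixpkgs=/run/current-system/nixpkgs"
      ];
    };
    system.extraSystemBuilderCmds = ''
      ln -sv ${pkgs.path} $out/nixpkgs
    '';
    environment.etc.host-nix-channel.source = pkgs.path;

    ## Secure defaults.
    boot.cleanTmpDir = true;
    boot.kernel.sysctl = {
      # Disallow the bpf() syscall for unprivileged users.
      "kernel.unprivileged_bpf_disabled" = 1;
    };

    ## Set up the shell for making keys.
    # No shell history, and a private (0700) GNUPGHOME under /run/user that
    # is seeded with the drduh gpg.conf and our gpg-agent.conf.  Shell
    # expansions are quoted so the setup cannot be derailed by a path
    # containing whitespace.
    environment.interactiveShellInit = ''
      unset HISTFILE
      export GNUPGHOME="/run/user/$(id -u)/gnupg"
      [ -d "$GNUPGHOME" ] || install -m 0700 -d "$GNUPGHOME"
      cp ${drduh-gpg-conf}/gpg.conf "$GNUPGHOME/gpg.conf"
      cp ${gpg-agent-conf} "$GNUPGHOME/gpg-agent.conf"
      echo "\$GNUPGHOME is $GNUPGHOME"
    '';
  };

  # UK keymap/locale variant.  recursiveUpdate instead of `//` so that a
  # future console.* or i18n.* entry in the base configuration is merged
  # rather than silently replaced by this attrset.
  nixos-yubikey-configuration-uk =
    pkgs.lib.recursiveUpdate nixos-yubikey-configuration {
      console.keyMap = "uk";
      i18n.defaultLocale = "en_GB.UTF-8";
    };

  ## Build the images.
  # Evaluate nixpkgs' NixOS release set for `configuration` and take the
  # minimal ISO from it; both variants share this single code path.
  mkIso = configuration:
    (import (localLib.fixedNixpkgs + "/nixos/release.nix") {
      inherit supportedSystems nixpkgs configuration;
    }).iso_minimal;

  nixos-yubikey = mkIso nixos-yubikey-configuration;
  nixos-yubikey-uk = mkIso nixos-yubikey-configuration-uk;
in
{
  inherit gpg-scripts;
  inherit yk-scripts;
  inherit nixos-yubikey;
  inherit nixos-yubikey-uk;
}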