config/yubikey-installer.nix

181 lines
5.7 KiB
Nix
Raw Normal View History

2023-04-08 15:47:01 +03:00
let
2023-04-08 18:06:03 +03:00
configuration = {
config,
lib,
pkgs,
...
}:
with pkgs; let
2023-04-08 15:47:01 +03:00
src = fetchGit "https://github.com/drduh/YubiKey-Guide";
guide = "${src}/README.md";
contrib = "${src}/contrib";
drduhConfig = fetchGit "https://github.com/drduh/config";
gpg-conf = "${drduhConfig}/gpg.conf";
xserverCfg = config.services.xserver;
2023-04-08 18:06:03 +03:00
pinentryFlavour =
if xserverCfg.desktopManager.lxqt.enable || xserverCfg.desktopManager.plasma5.enable
then "qt"
else if xserverCfg.desktopManager.xfce.enable
then "gtk2"
else if xserverCfg.enable || config.programs.sway.enable
then "gnome3"
else "curses";
2023-04-08 15:47:01 +03:00
# Instead of hard-coding the pinentry program, chose the appropriate one
# based on the environment of the image the user has chosen to build.
gpg-agent-conf = runCommand "gpg-agent.conf" {} ''
sed '/pinentry-program/d' ${drduhConfig}/gpg-agent.conf > $out
echo "pinentry-program ${pinentry.${pinentryFlavour}}/bin/pinentry" >> $out
'';
view-yubikey-guide = writeShellScriptBin "view-yubikey-guide" ''
viewer="$(type -P xdg-open || true)"
if [ -z "$viewer" ]; then
viewer="${glow}/bin/glow -p"
fi
exec $viewer "${guide}"
'';
shortcut = makeDesktopItem {
name = "yubikey-guide";
icon = "${yubikey-manager-qt}/share/ykman-gui/icons/ykman.png";
desktopName = "drduh's YubiKey Guide";
genericName = "Guide to using YubiKey for GPG and SSH";
comment = "Open the guide in a reader program";
2023-04-08 18:06:03 +03:00
categories = ["Documentation"];
2023-04-08 15:47:01 +03:00
exec = "${view-yubikey-guide}/bin/view-yubikey-guide";
};
yubikey-guide = symlinkJoin {
name = "yubikey-guide";
2023-04-08 18:06:03 +03:00
paths = [view-yubikey-guide shortcut];
2023-04-08 15:47:01 +03:00
};
in {
2023-04-08 18:06:03 +03:00
nixpkgs.config = {allowBroken = true;};
2023-04-08 15:47:01 +03:00
isoImage.isoBaseName = lib.mkForce "nixos-yubikey";
# Uncomment this to disable compression and speed up image creation time
isoImage.squashfsCompression = "gzip -Xcompression-level 1";
2023-04-08 15:47:01 +03:00
2023-04-08 15:53:03 +03:00
boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
2023-04-08 15:47:01 +03:00
# Always copytoram so that, if the image is booted from, e.g., a
# USB stick, nothing is mistakenly written to persistent storage.
2023-04-08 18:06:03 +03:00
boot.kernelParams = ["copytoram"];
2023-04-08 15:47:01 +03:00
# Secure defaults
boot.cleanTmpDir = true;
2023-04-08 18:06:03 +03:00
boot.kernel.sysctl = {"kernel.unprivileged_bpf_disabled" = 1;};
2023-04-08 15:47:01 +03:00
services.pcscd.enable = true;
2023-04-08 18:06:03 +03:00
services.udev.packages = [yubikey-personalization];
2023-04-08 15:47:01 +03:00
programs = {
ssh.startAgent = false;
gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
};
environment.systemPackages = [
# Tools for backing up keys
paperkey
pgpdump
parted
cryptsetup
# Yubico's official tools
yubikey-manager
yubikey-manager-qt
yubikey-personalization
yubikey-personalization-gui
yubico-piv-tool
yubioath-flutter
2023-04-08 15:47:01 +03:00
# Testing
ent
# does not compile as of 2023-07-20
#(haskell.lib.justStaticExecutables haskellPackages.hopenpgp-tools)
2023-04-08 15:47:01 +03:00
# Password generation tools
diceware
pwgen
# Miscellaneous tools that might be useful beyond the scope of the guide
cfssl
pcsctools
# This guide itself (run `view-yubikey-guide` on the terminal to open it
# in a non-graphical environment).
yubikey-guide
2023-04-08 18:06:03 +03:00
# motiejus addons
rage
sops
tmux
ssh-to-age
age-plugin-yubikey
2023-04-08 15:47:01 +03:00
];
# Disable networking so the system is air-gapped
# Comment all of these lines out if you'll need internet access
boot.initrd.network.enable = false;
networking.dhcpcd.enable = false;
networking.dhcpcd.allowInterfaces = [];
networking.interfaces = {};
networking.firewall.enable = true;
networking.useDHCP = false;
networking.useNetworkd = false;
networking.wireless.enable = false;
networking.networkmanager.enable = lib.mkForce false;
# Unset history so it's never stored
# Set GNUPGHOME to an ephemeral location and configure GPG with the
# guide's recommended settings.
environment.interactiveShellInit = ''
unset HISTFILE
export GNUPGHOME="/run/user/$(id -u)/gnupg"
if [ ! -d "$GNUPGHOME" ]; then
echo "Creating \$GNUPGHOME"
install --verbose -m=0700 --directory="$GNUPGHOME"
fi
[ ! -f "$GNUPGHOME/gpg.conf" ] && cp --verbose ${gpg-conf} "$GNUPGHOME/gpg.conf"
[ ! -f "$GNUPGHOME/gpg-agent.conf" ] && cp --verbose ${gpg-agent-conf} "$GNUPGHOME/gpg-agent.conf"
echo "\$GNUPGHOME is \"$GNUPGHOME\""
'';
# Copy the contents of contrib to the home directory, add a shortcut to
# the guide on the desktop, and link to the whole repo in the documents
# folder.
system.activationScripts.yubikeyGuide = let
homeDir = "/home/nixos/";
desktopDir = homeDir + "Desktop/";
documentsDir = homeDir + "Documents/";
in ''
mkdir -p ${desktopDir} ${documentsDir}
chown nixos ${homeDir} ${desktopDir} ${documentsDir}
cp -R ${contrib}/* ${homeDir}
ln -sf ${yubikey-guide}/share/applications/yubikey-guide.desktop ${desktopDir}
ln -sfT ${src} ${documentsDir}/YubiKey-Guide
'';
};
nixos = import <nixpkgs/nixos/release.nix> {
inherit configuration;
2023-04-08 18:06:03 +03:00
supportedSystems = ["x86_64-linux"];
2023-04-08 15:47:01 +03:00
};
# Choose the one you like:
#nixos-yubikey = nixos.iso_minimal; # No graphical environment
#nixos-yubikey = nixos.iso_gnome;
nixos-yubikey = nixos.iso_plasma5;
in {
inherit nixos-yubikey;
}