Motiejus Jakštys 2023-04-08 18:06:03 +03:00
parent a828ba26b6
commit 8fc44ea817


@ -1,7 +1,11 @@
let let
configuration = { config, lib, pkgs, ... }: configuration = {
with pkgs; config,
let lib,
pkgs,
...
}:
with pkgs; let
src = fetchGit "https://github.com/drduh/YubiKey-Guide"; src = fetchGit "https://github.com/drduh/YubiKey-Guide";
guide = "${src}/README.md"; guide = "${src}/README.md";
@ -14,14 +18,14 @@ let
xserverCfg = config.services.xserver; xserverCfg = config.services.xserver;
pinentryFlavour = if xserverCfg.desktopManager.lxqt.enable || xserverCfg.desktopManager.plasma5.enable then pinentryFlavour =
"qt" if xserverCfg.desktopManager.lxqt.enable || xserverCfg.desktopManager.plasma5.enable
else if xserverCfg.desktopManager.xfce.enable then then "qt"
"gtk2" else if xserverCfg.desktopManager.xfce.enable
else if xserverCfg.enable || config.programs.sway.enable then then "gtk2"
"gnome3" else if xserverCfg.enable || config.programs.sway.enable
else then "gnome3"
"curses"; else "curses";
# Instead of hard-coding the pinentry program, chose the appropriate one # Instead of hard-coding the pinentry program, chose the appropriate one
# based on the environment of the image the user has chosen to build. # based on the environment of the image the user has chosen to build.
@ -44,30 +48,29 @@ let
desktopName = "drduh's YubiKey Guide"; desktopName = "drduh's YubiKey Guide";
genericName = "Guide to using YubiKey for GPG and SSH"; genericName = "Guide to using YubiKey for GPG and SSH";
comment = "Open the guide in a reader program"; comment = "Open the guide in a reader program";
categories = [ "Documentation" ]; categories = ["Documentation"];
exec = "${view-yubikey-guide}/bin/view-yubikey-guide"; exec = "${view-yubikey-guide}/bin/view-yubikey-guide";
}; };
yubikey-guide = symlinkJoin { yubikey-guide = symlinkJoin {
name = "yubikey-guide"; name = "yubikey-guide";
paths = [ view-yubikey-guide shortcut ]; paths = [view-yubikey-guide shortcut];
}; };
in { in {
nixpkgs.config = { allowBroken = true; }; nixpkgs.config = {allowBroken = true;};
isoImage.isoBaseName = lib.mkForce "nixos-yubikey"; isoImage.isoBaseName = lib.mkForce "nixos-yubikey";
boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
# Always copytoram so that, if the image is booted from, e.g., a # Always copytoram so that, if the image is booted from, e.g., a
# USB stick, nothing is mistakenly written to persistent storage. # USB stick, nothing is mistakenly written to persistent storage.
boot.kernelParams = [ "copytoram" ]; boot.kernelParams = ["copytoram"];
# Secure defaults # Secure defaults
boot.cleanTmpDir = true; boot.cleanTmpDir = true;
boot.kernel.sysctl = { "kernel.unprivileged_bpf_disabled" = 1; }; boot.kernel.sysctl = {"kernel.unprivileged_bpf_disabled" = 1;};
services.pcscd.enable = true; services.pcscd.enable = true;
services.udev.packages = [ yubikey-personalization ]; services.udev.packages = [yubikey-personalization];
programs = { programs = {
ssh.startAgent = false; ssh.startAgent = false;
@ -108,12 +111,12 @@ let
# in a non-graphical environment). # in a non-graphical environment).
yubikey-guide yubikey-guide
# motiejus addons # motiejus addons
rage rage
sops sops
tmux tmux
ssh-to-age ssh-to-age
age-plugin-yubikey age-plugin-yubikey
]; ];
# Disable networking so the system is air-gapped # Disable networking so the system is air-gapped
@ -162,14 +165,13 @@ let
nixos = import <nixpkgs/nixos/release.nix> { nixos = import <nixpkgs/nixos/release.nix> {
inherit configuration; inherit configuration;
supportedSystems = [ "x86_64-linux" ]; supportedSystems = ["x86_64-linux"];
}; };
# Choose the one you like: # Choose the one you like:
#nixos-yubikey = nixos.iso_minimal; # No graphical environment #nixos-yubikey = nixos.iso_minimal; # No graphical environment
#nixos-yubikey = nixos.iso_gnome; #nixos-yubikey = nixos.iso_gnome;
nixos-yubikey = nixos.iso_plasma5; nixos-yubikey = nixos.iso_plasma5;
in { in {
inherit nixos-yubikey; inherit nixos-yubikey;
} }