diff --git a/.sops.yaml b/.sops.yaml
index 1f12d95..38523c3 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,7 +1,9 @@
 keys:
 - &sv1 age1zr5m64rzl8r5pk5cnwcfycc8ze09lx4xqa6s0cpkf24gwwxxpy2sltfsug
+ - &dk1-iso age14x7k4stulqyp849x3uksprk2w3vjyn6pjlvgrp6up3tem6g6xucqvms68t
 creation_rules:
 - path_regex: library/secrets/.*.yaml
 key_groups:
 - age:
 - *sv1
+ - *dk1-iso
diff --git a/applications/default.nix b/applications/default.nix
index 7051552..8c4af38 100644
--- a/applications/default.nix
+++ b/applications/default.nix
@@ -1,2 +1,3 @@
 {pkgs}: {
+ write-iso = pkgs.callPackage ./write-iso.nix {};
 }
diff --git a/applications/write-iso.nix b/applications/write-iso.nix
new file mode 100644
index 0000000..586ea22
--- /dev/null
+++ b/applications/write-iso.nix
@@ -0,0 +1,4 @@
+{iso-writer}: {
+ type = "app";
+ program = "${iso-writer}/bin/iso-writer";
+}
diff --git a/configurations/default.nix b/configurations/default.nix
index 6a710f0..e6d7ff9 100644
--- a/configurations/default.nix
+++ b/configurations/default.nix
@@ -1,4 +1,5 @@
 {lib}: {
 sv1 = lib.callFragment ./sv1.nix {};
 dk1 = lib.callFragment ./dk1.nix {};
+ dk1-iso = lib.callFragment ./dk1-iso.nix {};
 }
diff --git a/configurations/dk1-iso.nix b/configurations/dk1-iso.nix
new file mode 100644
index 0000000..77c02d4
--- /dev/null
+++ b/configurations/dk1-iso.nix
@@ -0,0 +1,9 @@
+{
+ nixosSystem,
+ nixosSystems,
+ nixosModules,
+}:
+nixosSystem {
+ system = nixosSystems.x86_64-linux;
+ modules = [nixosModules.dk1-iso];
+}
diff --git a/library/secrets/default.nix b/library/secrets/default.nix
index fc449b3..92de8fd 100644
--- a/library/secrets/default.nix
+++ b/library/secrets/default.nix
@@ -1,3 +1,4 @@
 {
 sb1 = ./sb1.yaml;
+ network-manager = ./network-manager.yaml;
 }
diff --git a/library/secrets/network-manager.yaml b/library/secrets/network-manager.yaml
new file mode 100644
index 0000000..94ac56c
--- /dev/null
+++ b/library/secrets/network-manager.yaml
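Review bot: The new `*dk1-iso` recipient goes into the single creation rule whose `path_regex` is `library/secrets/.*.yaml`, which matches every file under `library/secrets/`, not only the new `network-manager.yaml`; since that identity is the one this commit ships as a plain file on the installer medium (`modules/dk1-iso.nix` reads it from `/iso/key`), the next `sops updatekeys` or any newly added secret will be encrypted to a key the medium's holder has, `sb1.yaml` included. sops applies the first matching rule, so a dedicated rule placed above the catch-all confines the key to the one file: `- path_regex: library/secrets/network-manager.yaml` with `key_groups: [{age: [*sv1, *dk1-iso]}]`, while the existing rule keeps only `*sv1`. In the hunk as written only `network-manager.yaml` is encrypted to it, so the exposure is latent rather than immediate.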
@@ -0,0 +1,31 @@ +home_ssid: ENC[AES256_GCM,data:KB/wa+XEw7KGD3sO,iv:OavELC88DUOzPkj5dQsZbpolo4k5uKPVfEmIt6nWP/0=,tag:4towJ8hav0Vj2DpFpLUF5A==,type:str] +home_psk: ENC[AES256_GCM,data:GA7ZED/cFaA=,iv:0EU06LM0MfTAmmafasPKq0xxl7w2h1Y45tBi4NVDvmA=,tag:cMGUOVlUANybdkcp7Cmd5w==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1zr5m64rzl8r5pk5cnwcfycc8ze09lx4xqa6s0cpkf24gwwxxpy2sltfsug + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByRDNtR1huOVJ6clNycERp + M0R0SnM2RUVCVXFFWWUrdnZzVHVIS1luZkEwCkUrVHpjTWlPdmZJRXQ2M2xGdzBn + OTVlcDRFdzZsUlRFVE1Vd1VFKy81R00KLS0tIFRSNHowK3E0UGZlYzk1RW5HR2tV + bWNYUG16QTZ1b3RHWThPcm5vdUpGenMKs7xWFe70u3ochn51t7uGITG/oHRDC4v5 + LJIl5LBauwkJO3ddZqPnc57ci2lXukM8Z4EKi3QwYiJ6dxxtizTAng== + -----END AGE ENCRYPTED FILE----- + - recipient: age14x7k4stulqyp849x3uksprk2w3vjyn6pjlvgrp6up3tem6g6xucqvms68t + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHbG9VZDBvM3k2Z0pFMTNO + ZHQ2UUtMWnJhVGY2M256L2lEbVpLUFM4R0V3ClhCNUV1b0ZEQkhaRklMenpyRzJq + Ym95Y21BUHpacXhFcnhwY2FwMUMzQ2MKLS0tIDRuY2FnbVEzQ295R3JqUnk0NjVC + enEyWkRVT014Vk1FTktmVU5kbjVaUTAKJKIIMjBDLJxXv6y9nIzirH5vaqkQyZ6a + pF45ayqxXOAdonrnn0hbyxW8NcKp0Jjy0ehTd6AfAnNCrxPomPbflw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-04-26T11:02:52Z" + mac: ENC[AES256_GCM,data:kC+tWF+5JVFJigJHKf5RxDggOQPHbSKvllWxWCrL0DvL/FS1a0W0Xi35d473DfxkUUUKSHDguan3V0YlL64103sXlMU3hxdquFmNUjYl08s5fuzGDIpX56ROLpxtKCaDsDFgsvq41mwSSZQuT0qS7DULzAgE7PKW5luhJBxMXu8=,iv:z1OnnhP8cKZrn51FBEooiUSk8puOTqVoyXPfittM/RM=,tag:iLoN6Vh6PkXC0Gk4f2JoQA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/modules/default.nix b/modules/default.nix index 329cc50..bbc334a 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -1,4 +1,5 @@ { sv1 = import ./sv1.nix; dk1 = import ./dk1.nix; + dk1-iso = import ./dk1-iso.nix; } 
diff --git a/modules/dk1-iso.nix b/modules/dk1-iso.nix
new file mode 100644
index 0000000..a03ee1a
--- /dev/null
+++ b/modules/dk1-iso.nix
@@ -0,0 +1,57 @@
+{
+ lib,
+ config,
+ modulesPath,
+ ...
+}: {
+ imports = with lib.nixosModules; [
+ (modulesPath + "/installer/cd-dvd/installation-cd-minimal.nix")
+ sops
+ ];
+
+ boot.extraModulePackages = with config.boot.kernelPackages; [
+ rtl88xxau-aircrack
+ ];
+
+ sops = {
+ gnupg.sshKeyPaths = [];
+ age = {
+ sshKeyPaths = [];
+ keyFile = "/iso/key";
+ };
+ secrets = {
+ home_ssid.sopsFile = lib.secrets.network-manager;
+ home_psk.sopsFile = lib.secrets.network-manager;
+ };
+ templates.networkManager.content = ''
+ home_ssid="${config.sops.placeholder.home_ssid}"
+ home_psk="${config.sops.placeholder.home_psk}"
+ '';
+ };
+
+ networking = {
+ hostName = "dk1-iso";
+ wireless.enable = false;
+ networkmanager = {
+ enable = true;
+ ensureProfiles = {
+ profiles.home = {
+ connection = {
+ id = "home";
+ type = "wifi";
+ };
+ wifi = {
+ ssid = "$home_ssid";
+ mode = "infrastructure";
+ };
+ wifi-security = {
+ auth-alg = "open";
+ key-mgmt = "wpa-psk";
+ psk = "$home_psk";
+ };
+ };
+ environmentFiles = [config.sops.templates.networkManager.path];
+ };
+ };
+ };
+}
diff --git a/overlays/lib.nix b/overlays/lib.nix
index 744af5d..d23eb29 100644
--- a/overlays/lib.nix
+++ b/overlays/lib.nix
@@ -4,13 +4,13 @@
 impermanence,
 sops-nix,
 }: final: prev: let
- inherit (nixos-config) overlays library;
+ inherit (nixos-config) library overlays nixosConfigurations nixosModules;
 in
 library
- // {inherit overlays;}
+ // {inherit overlays nixosConfigurations;}
 // {
 nixosModules =
- nixos-config.nixosModules
+ nixosModules
 // disko.nixosModules
 // sops-nix.nixosModules
 // impermanence.nixosModules;
diff --git a/packages/default.nix b/packages/default.nix
index aad8295..3ca6ab7 100644
--- a/packages/default.nix
+++ b/packages/default.nix
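Review bot: `age.keyFile = "/iso/key"` with both `sshKeyPaths` lists empty means the only decryption identity on this image is a plain file on the boot medium, so whoever holds the written stick, or can read that path on the booted system, can recover `home_ssid` and `home_psk`; that is the accepted cost of a self-contained installer, but nothing in the module records it. A comment above the `sops` block such as `# The age identity is shipped unencrypted at /iso/key (written in by packages/iso-writer); treat the dk1-iso recipient as known to anyone holding the medium and encrypt only this image's secrets to it.` keeps the next maintainer from reusing that recipient elsewhere. The `rtl88xxau-aircrack` entry under `boot.extraModulePackages` would also benefit from a one-line comment naming the wireless adapter it is built for, since it is the only hardware-specific line in the module.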
@@ -1,4 +1,6 @@
 {pkgs}: {
 my-vim = pkgs.callPackage ./my-vim {};
 my-site = pkgs.callPackage ./my-site {};
+ iso-writer = pkgs.callPackage ./iso-writer {};
+ dk1-iso = pkgs.callPackage ./dk1-iso {};
 }
diff --git a/packages/dk1-iso/default.nix b/packages/dk1-iso/default.nix
new file mode 100644
index 0000000..56bb5f0
--- /dev/null
+++ b/packages/dk1-iso/default.nix
@@ -0,0 +1,4 @@
+{lib}: let
+ inherit (lib.nixosConfigurations) dk1-iso;
+in
+ dk1-iso.config.system.build.isoImage
diff --git a/packages/iso-writer/default.nix b/packages/iso-writer/default.nix
new file mode 100644
index 0000000..ce166e1
--- /dev/null
+++ b/packages/iso-writer/default.nix
@@ -0,0 +1,30 @@
+{
+ lib,
+ stdenvNoCC,
+ makeWrapper,
+ coreutils,
+ xorriso,
+ dk1-iso,
+}: let
+ inherit (lib) makeBinPath;
+ runtimeInputs = [
+ coreutils
+ xorriso
+ ];
+in
+ stdenvNoCC.mkDerivation {
+ name = "iso-writer";
+ src = ./src;
+ nativeBuildInputs = [makeWrapper];
+ buildInputs = runtimeInputs;
+ installPhase = ''
+ mkdir -p $out/bin
+ cp $src/iso-writer.sh $out/bin/iso-writer
+ chmod +x $out/bin/iso-writer
+ '';
+ postFixup = ''
+ wrapProgram $out/bin/iso-writer \
+ --set PATH ${makeBinPath runtimeInputs} \
+ --set source ${dk1-iso}/iso/${dk1-iso.isoName}
+ '';
+ }
diff --git a/packages/iso-writer/src/iso-writer.sh b/packages/iso-writer/src/iso-writer.sh
new file mode 100644
index 0000000..0d6f545
--- /dev/null
+++ b/packages/iso-writer/src/iso-writer.sh
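Review bot: `buildInputs = runtimeInputs;` in `packages/iso-writer/default.nix` has no effect for a derivation that only copies a script: nothing is compiled against coreutils or xorriso, and the store references the wrapper needs are already created by `${makeBinPath runtimeInputs}` in `postFixup`, so the line can go. The `installPhase` could be the single `install -Dm755 $src/iso-writer.sh $out/bin/iso-writer`, which replaces the `mkdir`/`cp`/`chmod` trio. Also worth a comment above `--set source …`: the wrapper presets the `source` variable that the script otherwise expects from `--source`, which is not obvious from the script's usage text, e.g. `# Preset --source to the freshly built dk1-iso image; an explicit --source on the command line still overrides it via declare.`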
@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+
+read -a arguments <<< "$@"
+number_of_arguments="${#arguments[@]}"
+arguments_last_index="$(expr $number_of_arguments - 1)"
+for argument_index in $(seq 0 "$arguments_last_index")
+do
+ argument="${arguments[argument_index]}"
+ next_argument_index="$(expr $argument_index + 1)"
+ next_argument="${arguments[next_argument_index]}"
+ case "$argument" in
+ --*)
+ name="${argument/--/}"
+ [ "$argument_index" -eq "$arguments_last_index" \
+ -o "${next_argument:0:2}" = "--" ] \
+ && declare "$name=$name"
+ ;;
+ *)
+ value="$argument"
+ [ -n "$name" ] \
+ && declare "$name=$value"
+ name=""
+ ;;
+ esac
+done
+
+[ -n "$help" ] \
+ && printf "Usage: iso-writer" \
+ && printf " [--help]" \
+ && printf " --source source" \
+ && printf " [--key key]" \
+ && printf " [--target target]" \
+ && printf " --device device" \
+ && printf "\n" \
+ && printf "Write a keyed nixos-config iso to a device." \
+ && printf "\n" \
+ && exit
+
+root_id="0"
+[ "$(id -u)" -ne "$root_id" ] \
+ && printf "Not running as root, exiting.\n" >&2 \
+ && exit
+[ -z "$source" ] \
+ && printf "Source missing, exiting.\n" >&2 \
+ && exit
+[ -z "$device" ] \
+ && printf "Device missing, exiting.\n" >&2 \
+ && exit
+[ -z "$key" ] \
+ && target="$source"
+[ -n "$key" -a -z "$target" ] \
+ && temporary_directory="$(mktemp -d)" \
+ && target="$temporary_directory/target.iso" \
+ && trap "rm -rf \"$target\"" SIGTERM
+
+[ -n "$key" ] \
+ && xorriso \
+ -indev "$source" \
+ -outdev "$target" \
+ -map "$key" /key \
+ -boot_image any replay
+dd bs=4M status=progress if="$target" of="$device"
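Review bot: The keyed image written to `$temporary_directory/target.iso` embeds the age identity passed as `--key`, but the `trap` at the end of the `[ -n "$key" -a -z "$target" ]` chain fires only on SIGTERM, so after a normal run the temporary ISO with the plaintext key stays behind in the temp directory (and the trap removes only the file, not the directory). Registering the trap on EXIT and removing `$temporary_directory` closes that gap. The script also exits with status 0 on every error path, because a bare `exit` after a successful `printf` returns 0, and the final `dd` runs even when xorriso failed since it is not part of the `&&` chain; the rewrite below returns 1 on errors and makes the write conditional on a successful xorriso. Separately, `read -a arguments <<< "$@"` re-splits the joined arguments on whitespace, so a `--source` or `--key` path containing a space is broken apart; `arguments=("$@")` keeps each argument intact.
```shell
arguments=("$@")
# … unchanged: argument parsing loop and --help output …
[ "$(id -u)" -ne "$root_id" ] \
  && printf "Not running as root, exiting.\n" >&2 \
  && exit 1
# … unchanged: the --source and --device presence checks, each ending in `exit 1` the same way …
[ -n "$key" -a -z "$target" ] \
  && temporary_directory="$(mktemp -d)" \
  && target="$temporary_directory/target.iso" \
  && trap 'rm -rf "$temporary_directory"' EXIT

if [ -n "$key" ]; then
  xorriso \
    -indev "$source" \
    -outdev "$target" \
    -map "$key" /key \
    -boot_image any replay || exit 1
fi
dd bs=4M status=progress if="$target" of="$device"
```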