install-yubikey.sh at darwin · hyl.st/helm

hyl.st / helm
nix config
helm / install-yubikey.sh
at darwin 5.0 kB view raw
  1#!/usr/bin/env bash
  2
  3rbtohex() {
  4    ( od -An -vtx1 | tr -d ' \n' )
  5}
  6
  7hextorb() {
  8    ( tr '[:lower:]' '[:upper:]' | sed -e 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI'| xargs printf )
  9}
 10
 11# Setup
 12# nix-env -i gcc-wrapper
 13# nix-env -i yubikey-personalization
 14# nix-env -i openssl
 15# Use nix-shell https://github.com/sgillespie/nixos-yubikey-luks/archive/master.tar.gz
 16
 17# Compile correct version of OpenSSL key derivation
 18cc -O3 -I$(nix-build "<nixpkgs>" --no-build-output -A openssl.dev)/include -L$(nix-build "<nixpkgs>" --no-build-output -A openssl.out)/lib $(nix eval "(with import <nixpkgs> {}; pkgs.path)")/nixos/modules/system/boot/pbkdf2-sha512.c -o ./pbkdf2-sha512 -lcrypto
 19
 20# Yubikey Setup
 21SLOT=2
 22ykpersonalize -"$SLOT" -ochal-resp -ochal-hmac
 23SALT_LENGTH=16
 24salt="$(dd if=/dev/random bs=1 count=$SALT_LENGTH 2>/dev/null | rbtohex)"
 25k_user=PASSWORDCHANGEMEPLAEASES 
 26challenge="$(echo -n $salt | openssl dgst -binary -sha512 | rbtohex)"
 27response="$(ykchalresp -2 -x $challenge 2>/dev/null)"
 28
 29# Setup LUKS device
 30KEY_LENGTH=512
 31ITERATIONS=1000000
 32k_luks="$(echo -n $k_user | ./pbkdf2-sha512 $(($KEY_LENGTH / 8)) $ITERATIONS $response | rbtohex)"
 33
 34EFI_PART=/dev/sda1
 35LUKS_PART=/dev/sda2
 36EFI_MNT=/boot/
 37mkdir -p "$EFI_MNT"
 38mkfs.fat -F 32 -n boot "$EFI_PART"
 39mount "$EFI_PART" "$EFI_MNT"
 40STORAGE=/crypt-storage/default
 41mkdir -p "$(dirname $EFI_MNT$STORAGE)"
 42echo -ne "$salt\n$ITERATIONS" > $EFI_MNT$STORAGE
 43CIPHER=aes-xts-plain64
 44HASH=sha512
 45echo -n "$k_luks" | hextorb | cryptsetup luksFormat --cipher="$CIPHER" --key-size="$KEY_LENGTH" --hash="$HASH" --key-file=- "$LUKS_PART"
 46umount "$EFI_MNT"
 47
 48# LVM Setup
 49LUKSROOT=crypthome
 50echo -n "$k_luks" | hextorb | cryptsetup luksOpen $LUKS_PART $LUKSROOT --key-file=- 
 51pvcreate "/dev/mapper/$LUKSROOT"
 52VGNAME=partitions
 53vgcreate "$VGNAME" "/dev/mapper/$LUKSROOT"
 54lvcreate -L 2G -n swap "$VGNAME"
 55FSROOT=fsroot
 56lvcreate -l 100%FREE -n "$FSROOT" "$VGNAME"
 57
 58vgchange -ay
 59mkswap -L swap /dev/partitions/swap
 60
 61# BTRFS Setup
 62mkfs.btrfs -L "$FSROOT" "/dev/partitions/$FSROOT"
 63
 64# incase the above breaks
 65#mkdir /mnt-root
 66#touch /mnt-root/nix-store.squashfs
 67
 68mount "/dev/partitions/$FSROOT" /mnt
 69cd /mnt || exit
 70btrfs subvolume create root
 71btrfs subvolume create home
 72cd
 73umount /mnt
 74mount -o subvol=root "/dev/partitions/$FSROOT" /mnt
 75mkdir /mnt/home
 76mount -o subvol=home "/dev/partitions/$FSROOT" /mnt/home
 77mkdir /mnt/boot
 78mount "$EFI_PART" /mnt/boot
 79
 80swapon /dev/partitions/swap
 81
 82# Install NixOS
 83nixos-generate-config --root /mnt
 84
 85# Change the config
 86cat > /mnt/etc/nixos/configuration.nix <<'endmsg'
 87{ config, pkgs, ... }:
 88
 89{
 90  imports =
 91    [ # Include the results of the hardware scan.
 92      ./hardware-configuration.nix
 93    ];
 94
 95  boot.loader.grub.enable = true;
 96  boot.loader.grub.version = 2;
 97  # Define on which hard drive you want to install Grub.
 98  boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
 99
100  # Minimal list of modules to use the EFI system partition and the YubiKey
101  boot.initrd.kernelModules = [ "vfat" "nls_cp437" "nls_iso8859-1" "usbhid" ];
102  
103  # Enable support for the YubiKey PBA
104  boot.initrd.luks.yubikeySupport = true;
105  
106  # Configuration to use your Luks device
107  boot.initrd.luks.devices = {
108    "crypthome" = {
109      device = "/dev/sda2";
110      preLVM = true; # You may want to set this to false if you need to start a network service first
111      yubikey = {
112        slot = 2;
113        twoFactor = true; # Set to false if you did not set up a user password.
114        storage = {
115          device = "/dev/sda1";
116        };
117      };
118    }; 
119  };
120
121  # Enable Flakes
122  nix = {
123    package = pkgs.nixUnstable;
124    extraOptions = ''
125      experimental-features = nix-command flakes
126    '';
127   };
128
129  networking.hostName = "curve"; # Define your hostname.
130  networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
131
132  time.timeZone = "Australia/Brisbane";
133
134  networking.useDHCP = false;
135  networking.interfaces.enp0s31f6.useDHCP = true;
136  networking.interfaces.wlp3s0.useDHCP = true;
137
138  # Select internationalisation properties.
139  i18n.defaultLocale = "en_US.UTF-8";
140  # console = {
141  #   font = "Lat2-Terminus16";
142  #   keyMap = "us";
143  # };
144
145  services.xserver.layout = "us,dvorak";
146
147  sound.enable = true;
148  hardware.pulseaudio.enable = true;
149
150  services.xserver.libinput.enable = true;
151
152  # Hmmm maybe somewhere else? 
153  users.users.anish = {
154    isNormalUser = true;
155    extraGroups = [ "wheel" ]; 
156  };
157
158  # Enable the OpenSSH daemon.
159  # services.openssh.enable = true;
160
161  # This value determines the NixOS release from which the default
162  # settings for stateful data, like file locations and database versions
163  # on your system were taken. It‘s perfectly fine and recommended to leave
164  # this value at the release version of the first install of this system.
165  # Before changing this value read the documentation for this option
166  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
167  system.stateVersion = "22.11"; # Did you read the comment?
168}
169
170endmsg
171
172cd /mnt || exit
173nixos-install --root /mnt
174passwd