diff --git a/hosts/steamdeck.cloonar.com/configuration.nix b/hosts/steamdeck.cloonar.com/configuration.nix index a6f6c16..83f6e53 100644 --- a/hosts/steamdeck.cloonar.com/configuration.nix +++ b/hosts/steamdeck.cloonar.com/configuration.nix @@ -18,6 +18,10 @@ ./hardware-configuration.nix ]; + nixpkgs.overlays = [ + (import ./utils/overlays/packages.nix) + ]; + cloonar.sway.additionalConfig = '' output eDP-1 disable ''; @@ -80,6 +84,7 @@ extraGroups = [ "networkmanager" "wheel" ]; packages = with pkgs; [ firefox + ykfde # thunderbird ]; }; diff --git a/hosts/steamdeck.cloonar.com/hardware-configuration.nix b/hosts/steamdeck.cloonar.com/hardware-configuration.nix index 3b2fbdd..b412c57 100644 --- a/hosts/steamdeck.cloonar.com/hardware-configuration.nix +++ b/hosts/steamdeck.cloonar.com/hardware-configuration.nix @@ -11,33 +11,31 @@ boot.extraModulePackages = [ ]; fileSystems."/" = - { device = "/dev/disk/by-uuid/2bc0a1c5-dd58-4824-9a27-4e6e6f33a2e8"; + { device = "/dev/disk/by-uuid/ea402301-d29d-4e6c-a72b-f1132051a23e"; fsType = "ext4"; }; - # boot.initrd.luks.devices."luks-4dfc511b-12f9-46ef-be2a-f4e026263005".device = "/dev/disk/by-uuid/4dfc511b-12f9-46ef-be2a-f4e026263005"; - boot.initrd.luks = { yubikeySupport = true; - devices."luks-4dfc511b-12f9-46ef-be2a-f4e026263005" = { - device = "/dev/disk/by-uuid/4dfc511b-12f9-46ef-be2a-f4e026263005"; + devices."luks-09c74bcb-f82c-405d-b938-2c4e6c3c8a54" = { + device = "/dev/disk/by-uuid/09c74bcb-f82c-405d-b938-2c4e6c3c8a54"; yubikey = { slot = 2; twoFactor = false; storage = { - device = "/dev/disk/by-uuid/661D-F155"; + device = "/dev/disk/by-uuid/7694-405E"; }; }; }; }; fileSystems."/boot" = - { device = "/dev/disk/by-uuid/661D-F155"; + { device = "/dev/disk/by-uuid/7694-405E"; fsType = "vfat"; }; fileSystems."/run/media/sdcard" = - { device = "/dev/disk/by-uuid/de7d0993-d547-4d9b-a99a-8a8d71fc05e2"; + { device = "/dev/disk/by-uuid/09c74bcb-f82c-405d-b938-2c4e6c3c8a54"; fsType = "ext4"; }; 
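Review bot: `ykfde` is added to a per-user `packages` list, but the only thing the package installs (`ykfde_enroll`, added in this commit) runs `cryptsetup luksAddKey` on the root device and writes under `/boot`, both of which need root; invoked through `sudo`, a user-profile path is typically not on root's PATH, so the tool will not even be found. `environment.systemPackages` is the natural home for a privileged enrollment utility. The enclosing `users.users.<name>` attribute set starts outside the hunk.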
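Review bot: `fileSystems."/run/media/sdcard".device` now carries the same UUID as the LUKS container (`09c74bcb-…`), so the boot will try to mount the raw encrypted partition as ext4 at `/run/media/sdcard`; that mount cannot succeed (the ext4 filesystem inside the container has its own UUID) and, unless the entry is marked `nofail`, the failure is likely to land the machine in the emergency shell. This looks like a copy-paste slip — the sdcard entry should keep its own filesystem UUID, or be removed if the card is gone. Separately, `twoFactor = false` combined with the salt living on the unencrypted `/boot` vfat (`7694-405E`) means physical possession of the YubiKey alone unlocks the root volume; if a passphrase is meant to be required as well, set `twoFactor = true`. The `ykfde_enroll` script added in the same commit hard-codes `/dev/nvme0n1p2`; deriving it from this `device` attribute would keep the two from drifting.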
diff --git a/utils/overlays/packages.nix b/utils/overlays/packages.nix
index 249800b..35dd7ed 100644
--- a/utils/overlays/packages.nix
+++ b/utils/overlays/packages.nix
@@ -1,5 +1,6 @@
 self: super: {
 bento = (super.callPackage ../pkgs/bento { });
+ ykfde = (super.callPackage ../pkgs/ykfde { });
 howdy = (super.callPackage ../pkgs/howdy { });
 linux-enable-ir-emitter = (super.callPackage ../pkgs/linux-enable-ir-emitter { });
 }
diff --git a/utils/pkgs/ykfde/default.nix b/utils/pkgs/ykfde/default.nix
new file mode 100644
index 0000000..7f870c8
--- /dev/null
+++ b/utils/pkgs/ykfde/default.nix
@@ -0,0 +1,11 @@
+{ pkgs, lib, stdenv }:
+
+stdenv.mkDerivation {
+ name = "ykfde";
+ src = ./scripts;
+ nativeBuildInputs = [ makeWrapper ];
+ installPhase = ''
+ mkdir -p $out/bin
+ install -D --target $out/bin *
+ '';
+}
diff --git a/utils/pkgs/ykfde/scripts/ykfde_enroll b/utils/pkgs/ykfde/scripts/ykfde_enroll
new file mode 100644
index 0000000..58ffb94
--- /dev/null
+++ b/utils/pkgs/ykfde/scripts/ykfde_enroll
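Review bot: `makeWrapper` in `nativeBuildInputs` is not bound anywhere — the function header is `{ pkgs, lib, stdenv }:` — so evaluating this derivation fails with an undefined-variable error; either add it to the argument set (`{ lib, stdenv, makeWrapper }:`) or drop the line, and drop the unused `pkgs` while there. A wrapper is in fact what the script needs: `ykfde_enroll` invokes `ykinfo`, `ykchalresp`, `openssl`, `cryptsetup`, `rbtohex` and `pbkdf2-sha512` by bare name, so each file in `$out/bin` should be wrapped with `wrapProgram "$f" --prefix PATH : ${lib.makeBinPath [ … ]}` listing those tools' packages, rather than relying on whatever PATH the caller happens to have. `install -D --target $out/bin *` only works because GNU install accepts an abbreviation of `--target-directory`; spelling it out avoids a surprise if the abbreviation ever becomes ambiguous. A `pname`/`version` pair instead of a bare `name` would also let the store path carry a version.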
@@ -0,0 +1,37 @@
+#!/bin/bash -p
+
+set -euo pipefail
+
+nix-shell https://github.com/sgillespie/nixos-yubikey-luks/archive/master.tar.gz
+
+# sanitize environment
+YKFDE_SLOT=2
+YKFDE_SALT_LENGTH=16
+YKFDE_SALT=""
+YKFDE_CHALLENGE=""
+YKFDE_RESPONSE=""
+YKFDE_SLOT_CHECK=""
+YKFDE_KEY_LENGTH=512
+YKFDE_ITERATIONS=1000000
+YKFDE_STORAGE=/boot/crypt-storage/default
+
+
+YKFDE_SLOT_CHECK="$(ykinfo -q -"$YKFDE_CHALLENGE_SLOT")"
+[ "$DBG" ] && printf '%s\n' " > YubiKey slot status 'ykinfo -q -$YKFDE_CHALLENGE_SLOT': $YKFDE_SLOT_CHECK"
+
+if [ "$YKFDE_SLOT_CHECK" != 1 ]; then
+ printf '%s\n' "ERROR: Chosen YubiKey slot '$YKFDE_CHALLENGE_SLOT' isn't configured. Please choose slot configured for 'HMAC-SHA1 Challenge-Response' mode in '/etc/ykfde.conf'"
+ exit 1
+fi
+
+YKFDE_SALT="$(dd if=/dev/random bs=1 count=$YKFDE_SALT_LENGTH 2>/dev/null | rbtohex)"
+YKFDE_CHALLENGE="$(echo -n $salt | openssl dgst -binary -sha512 | rbtohex)"
+YKFDE_RESPONSE="$(ykchalresp -2 -x $YKFDE_CHALLANGE 2>/dev/null)"
+YKFDE_K_LUKS ="$(echo | pbkdf2-sha512 $(($YKFDE_KEY_LENGTH / 8)) $YKFDE_ITERATIONS $YKFDE_RESPONSE | rbtohex)"
+mkdir -p "$(dirname $YKFDE_STORAGE)"
+echo -ne "$YKFDE_SALT\n$YKFDE_ITERATIONS" > $YKFDE_STORAGE
+echo $YKFDE_K_LUKS > luks.key
+cryptsetup luksAddKey /dev/nvme0n1p2 luks.key
+rm luks.key
+
+exit 0
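Review bot: As committed the script cannot complete: `$YKFDE_CHALLENGE_SLOT`, `$salt` and `$YKFDE_CHALLANGE` are never assigned (the variables that are set are `YKFDE_SLOT`, `YKFDE_SALT` and `YKFDE_CHALLENGE`), so `set -u` aborts at the `ykinfo` line, and `YKFDE_K_LUKS ="…"` has a space before `=` and would be parsed as a command rather than an assignment. Had the typos not tripped `-u`, `echo -n $salt` would hash an empty string, so the challenge — and therefore the LUKS key — would not depend on the freshly generated salt at all. The key is also enrolled in the wrong form: the NixOS `yubikeySupport` initrd derives `k_luks` the same way but passes it through `hextorb` before handing it to cryptsetup, whereas this writes the hex string plus echo's trailing newline into a `luks.key` in `$PWD` (left behind on any failure after `set -e`), so the added slot would not match what the initrd computes — feed `cryptsetup` the raw bytes via process substitution and write the salt file only once `luksAddKey` has succeeded. The unpinned `nix-shell https://…/master.tar.gz` opens an interactive shell fetched from a moving branch with no hash, and everything after it runs only when that shell exits, back in the outer environment where `rbtohex`/`pbkdf2-sha512` are not on PATH; pin a revision with a `sha256` and run the body inside it (`nix-shell … --run`), or package those helpers alongside the script. Finally `/dev/nvme0n1p2` is hard-coded and `YKFDE_SLOT` is ignored in favour of a literal `-2`; use the by-uuid device from hardware-configuration.nix and the variable.
```shell
set -euo pipefail

YKFDE_SLOT=2
YKFDE_SALT_LENGTH=16
YKFDE_KEY_LENGTH=512
YKFDE_ITERATIONS=1000000
YKFDE_STORAGE=/boot/crypt-storage/default
YKFDE_DEVICE=/dev/disk/by-uuid/09c74bcb-f82c-405d-b938-2c4e6c3c8a54
DBG="${DBG:-}"

YKFDE_SLOT_CHECK="$(ykinfo -q -"$YKFDE_SLOT")"
[ -n "$DBG" ] && printf '%s\n' " > YubiKey slot status 'ykinfo -q -$YKFDE_SLOT': $YKFDE_SLOT_CHECK"

if [ "$YKFDE_SLOT_CHECK" != 1 ]; then
  printf '%s\n' "ERROR: Chosen YubiKey slot '$YKFDE_SLOT' isn't configured for 'HMAC-SHA1 Challenge-Response' mode"
  exit 1
fi

YKFDE_SALT="$(dd if=/dev/random bs=1 count="$YKFDE_SALT_LENGTH" 2>/dev/null | rbtohex)"
YKFDE_CHALLENGE="$(echo -n "$YKFDE_SALT" | openssl dgst -binary -sha512 | rbtohex)"
YKFDE_RESPONSE="$(ykchalresp -"$YKFDE_SLOT" -x "$YKFDE_CHALLENGE" 2>/dev/null)"
YKFDE_K_LUKS="$(echo | pbkdf2-sha512 $((YKFDE_KEY_LENGTH / 8)) "$YKFDE_ITERATIONS" "$YKFDE_RESPONSE" | rbtohex)"

# Enrol the raw key bytes exactly as the initrd will derive them; no key file touches disk.
cryptsetup luksAddKey "$YKFDE_DEVICE" <(echo -n "$YKFDE_K_LUKS" | hextorb)

# Publish the salt only after the new key slot exists, so a failed enrolment cannot orphan it.
mkdir -p "$(dirname "$YKFDE_STORAGE")"
echo -ne "$YKFDE_SALT\n$YKFDE_ITERATIONS" > "$YKFDE_STORAGE"
```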