fix boot devices steamdeck, add ykfde

2023-09-28 19:29:50 +02:00
parent a82b2fac68
commit 6d47e49918
5 changed files with 60 additions and 8 deletions
--- a/hosts/steamdeck.cloonar.com/configuration.nix
+++ b/hosts/steamdeck.cloonar.com/configuration.nix
@@ -18,6 +18,10 @@
    ./hardware-configuration.nix
  ];
  nixpkgs.overlays = [
    (import ./utils/overlays/packages.nix)
  ];
  cloonar.sway.additionalConfig = ''
    output eDP-1 disable
  '';
@@ -80,6 +84,7 @@
    extraGroups = [ "networkmanager" "wheel" ];
    packages = with pkgs; [
      firefox
      ykfde
    #  thunderbird
    ];
  };
--- a/hosts/steamdeck.cloonar.com/hardware-configuration.nix
+++ b/hosts/steamdeck.cloonar.com/hardware-configuration.nix
@@ -11,33 +11,31 @@
  boot.extraModulePackages = [ ];
  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/2bc0a1c5-dd58-4824-9a27-4e6e6f33a2e8";
+    { device = "/dev/disk/by-uuid/ea402301-d29d-4e6c-a72b-f1132051a23e";
      fsType = "ext4";
    };
  # boot.initrd.luks.devices."luks-4dfc511b-12f9-46ef-be2a-f4e026263005".device = "/dev/disk/by-uuid/4dfc511b-12f9-46ef-be2a-f4e026263005";
  boot.initrd.luks = {
    yubikeySupport = true;
-    devices."luks-4dfc511b-12f9-46ef-be2a-f4e026263005" = {
+    devices."luks-09c74bcb-f82c-405d-b938-2c4e6c3c8a54" = {
-      device = "/dev/disk/by-uuid/4dfc511b-12f9-46ef-be2a-f4e026263005";
+      device = "/dev/disk/by-uuid/09c74bcb-f82c-405d-b938-2c4e6c3c8a54";
      yubikey = {
        slot = 2;
        twoFactor = false;
        storage = {
-          device = "/dev/disk/by-uuid/661D-F155";
+          device = "/dev/disk/by-uuid/7694-405E";
        };
      };
    };
  };
  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/661D-F155";
+    { device = "/dev/disk/by-uuid/7694-405E";
      fsType = "vfat";
    };
  fileSystems."/run/media/sdcard" =
-    { device = "/dev/disk/by-uuid/de7d0993-d547-4d9b-a99a-8a8d71fc05e2";
+    { device = "/dev/disk/by-uuid/09c74bcb-f82c-405d-b938-2c4e6c3c8a54";
      fsType = "ext4";
    };
--- a/utils/overlays/packages.nix
+++ b/utils/overlays/packages.nix
@@ -1,5 +1,6 @@
 self: super: {
  bento = (super.callPackage ../pkgs/bento { });
  ykfde = (super.callPackage ../pkgs/ykfde { });
  howdy = (super.callPackage ../pkgs/howdy { });
  linux-enable-ir-emitter = (super.callPackage ../pkgs/linux-enable-ir-emitter { });
 }
--- a/utils/pkgs/ykfde/default.nix
+++ b/utils/pkgs/ykfde/default.nix
@@ -0,0 +1,11 @@
 { pkgs, lib, stdenv }:
 stdenv.mkDerivation {
  name = "ykfde";
  src = ./scripts;
  nativeBuildInputs = [ makeWrapper ];
  installPhase = ''
    mkdir -p $out/bin
    install -D --target $out/bin *
  '';
 }
--- a/utils/pkgs/ykfde/scripts/ykfde_enroll
+++ b/utils/pkgs/ykfde/scripts/ykfde_enroll
@@ -0,0 +1,37 @@
 #!/bin/bash -p
 set -euo pipefail
 nix-shell https://github.com/sgillespie/nixos-yubikey-luks/archive/master.tar.gz
 # sanitize environment
 YKFDE_SLOT=2
 YKFDE_SALT_LENGTH=16
 YKFDE_SALT=""
 YKFDE_CHALLENGE=""
 YKFDE_RESPONSE=""
 YKFDE_SLOT_CHECK=""
 YKFDE_KEY_LENGTH=512
 YKFDE_ITERATIONS=1000000
 YKFDE_STORAGE=/boot/crypt-storage/default
 YKFDE_SLOT_CHECK="$(ykinfo -q -"$YKFDE_CHALLENGE_SLOT")"
 [ "$DBG" ] && printf '%s\n' " > YubiKey slot status 'ykinfo -q -$YKFDE_CHALLENGE_SLOT': $YKFDE_SLOT_CHECK"
 if [ "$YKFDE_SLOT_CHECK" != 1 ]; then
  printf '%s\n' "ERROR: Chosen YubiKey slot '$YKFDE_CHALLENGE_SLOT' isn't configured. Please choose slot configured for 'HMAC-SHA1 Challenge-Response' mode in '/etc/ykfde.conf'"
  exit 1
 fi
 YKFDE_SALT="$(dd if=/dev/random bs=1 count=$YKFDE_SALT_LENGTH 2>/dev/null | rbtohex)"
 YKFDE_CHALLENGE="$(echo -n $salt | openssl dgst -binary -sha512 | rbtohex)"
 YKFDE_RESPONSE="$(ykchalresp -2 -x $YKFDE_CHALLANGE 2>/dev/null)"
 YKFDE_K_LUKS ="$(echo | pbkdf2-sha512 $(($YKFDE_KEY_LENGTH / 8)) $YKFDE_ITERATIONS $YKFDE_RESPONSE | rbtohex)"
 mkdir -p "$(dirname $YKFDE_STORAGE)"
 echo -ne "$YKFDE_SALT\n$YKFDE_ITERATIONS" > $YKFDE_STORAGE
 echo $YKFDE_K_LUKS > luks.key
 cryptsetup luksAddKey /dev/nvme0n1p2 luks.key
 rm luks.key
 exit 0