From 2a2715d4478f61bbe8e4de9b16916417657f2cbe Mon Sep 17 00:00:00 2001
From: Stefan Junker
Date: Thu, 31 Dec 2020 02:12:29 +0100
Subject: [PATCH] support unencrypted disk provisioning
---
 Justfile | 11 +++---
 nix/os/devices/default.nix | 28 +++++++++------
 nix/os/devices/disk.nix | 35 ++++++++++++-------
 nix/os/devices/steveej-t14/configuration.nix | 2 +-
 nix/os/devices/steveej-t14/hw.nix | 1 +
 .../configuration.nix | 2 +-
 .../devices/vmd32387.contaboserver.net/hw.nix | 3 +-
 nix/os/lib/default.nix | 5 +++
 ...{encryptedDisk.nix => opinionatedDisk.nix} | 16 +++++----
 .../removable-medium/configuration.nix | 2 +-
 nix/os/profiles/removable-medium/hw.nix | 3 +-
 11 files changed, 69 insertions(+), 39 deletions(-)
 rename nix/os/modules/{encryptedDisk.nix => opinionatedDisk.nix} (76%)
diff --git a/Justfile b/Justfile
index e3a0be5..951ba68 100755
--- a/Justfile
+++ b/Justfile
@@ -196,22 +196,21 @@ hm-iterate-qtile: # !!! DANGERIOUS !!! This wipes the disk which is configured for the given device. disk-prepare dir: - just -v _device diskPrepare {{dir}} --argstr rebuildarg "dummy" + just -v _device diskPrepare {{dir}} disk-relabel dir previous: - just -v _device diskRelabel {{dir}} --argstr rebuildarg "dummy" --argstr previousDiskId {{previous}} + just -v _device diskRelabel {{dir}} --argstr previousDiskId {{previous}} # Mount the target disk specified by device configuration directory. The 'dir' argument points to a device configuration, e.g. 'nix/os/devices/steveej-live-mmc-SL32G_0x259093f6' disk-mount dir: - just -v _device diskMount {{dir}} --argstr rebuildarg "dummy" - + just -v _device diskMount {{dir}} # Unmount target disk, specified by device configuration directory disk-umount dir: - just -v _device diskUmount {{dir}} --argstr rebuildarg "dummy" + just -v _device diskUmount {{dir}} # Perform an offline installation on the mounted target disk, specified by device configuration directory disk-install dir: _render_templates - just -v _device diskInstall {{dir}} --argstr rebuildarg "dummy" + just -v _device diskInstall {{dir}} verify-n-unlock sshserver attempts="10": #!/usr/bin/env bash diff --git a/nix/os/devices/default.nix b/nix/os/devices/default.nix index 932f730..92a0bc2 100644 --- a/nix/os/devices/default.nix +++ b/nix/os/devices/default.nix 
@@ -1,16 +1,23 @@ -{ pkgs ? import {} +{ dir +, pkgs ? import {} , ownLib ? import ../lib/default.nix { } -, dir -, rebuildarg -, moreargs ? "" -, diskId ? (import ((builtins.getEnv "PWD")+"/${dir}/hw.nix") {}).hardware.encryptedDisk.diskId , gitRoot ? "$(git rev-parse --show-toplevel)" -, previousDiskId ? "" -}: + +# FIXME: why do these need explicit mentioning? +, moreargs ? null +, rebuildarg ? "" +, ... +} @ args : let rebuildargsSudo = [ "switch" "boot" ]; - rebuild = pkgs.writeScript "script" '' + rebuild = { + rebuildarg + , gitRoot + , moreargs ? null + + , ... + }: pkgs.writeScript "script" '' #!/usr/bin/env bash set -xe @@ -35,6 +42,7 @@ let in { recipes = { - inherit rebuild; - } // (import ./disk.nix { inherit pkgs ownLib dir rebuildarg moreargs diskId gitRoot previousDiskId; }); + rebuild = rebuild { inherit gitRoot; inherit (args) rebuildarg moreargs; }; + } // (import ./disk.nix (args // { inherit pkgs ownLib gitRoot; })) + ; } diff --git a/nix/os/devices/disk.nix b/nix/os/devices/disk.nix index 58fb360..4181f1a 100644 --- a/nix/os/devices/disk.nix +++ b/nix/os/devices/disk.nix @@ -1,11 +1,12 @@ { pkgs , ownLib , dir -, rebuildarg -, moreargs -, diskId , gitRoot +, diskId ? (import ((builtins.getEnv "PWD")+"/${dir}/hw.nix") {}).hardware.opinionatedDisk.diskId +, encrypted ? (import ((builtins.getEnv "PWD")+"/${dir}/hw.nix") {}).hardware.opinionatedDisk.encrypted , previousDiskId ? "" + +, ... }: let @@ -16,7 +17,9 @@ in rec { #!/usr/bin/env bash set -xe echo Mounting ${diskId} - sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId} + ${pkgs.lib.strings.optionalString encrypted '' + sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId} + ''} sleep 1 sudo vgchange -ay ${ownLib.disk.volumeGroup diskId} sudo mkdir -p /mnt 
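Review bot: The `rebuildarg ? ""` and `moreargs ? null` defaults added to the pattern in the first default.nix hunk are dead, because the second hunk's `rebuild = rebuild { inherit gitRoot; inherit (args) rebuildarg moreargs; };` reads both from `args`, and in a `@ args` pattern `args` holds only what the caller passed, never the defaults, so a call that omits either attribute still fails with a missing-attribute error once `recipes.rebuild` is forced. That is presumably what the `FIXME` above the pattern is asking: with `...` present the names need no mentioning at all unless the defaults are meant to take effect. Writing `rebuild = rebuild { inherit gitRoot rebuildarg moreargs; };` uses the pattern-bound names, makes the defaults real and lets the FIXME go. Separately, `moreargs` now defaults to `null` where it used to default to `""`; if the script body outside this hunk interpolates `${moreargs}`, `null` will not coerce to a string.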
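Review bot: In the first disk.nix hunk, `encrypted ? (import ((builtins.getEnv "PWD")+"/${dir}/hw.nix") {}).hardware.opinionatedDisk.encrypted` reads hw.nix as a plain file, so the `default = true` the module gives this option in opinionatedDisk.nix never applies here; a device whose hw.nix relies on that default and sets only `diskId` would evaluate fine as a system yet make every recipe that forces `encrypted` (mount, umount, prepare, relabel) fail with a missing-attribute error. All hw.nix files in this patch set `encrypted = true;` explicitly, so this is latent, but `encrypted ? (import (...) {}).hardware.opinionatedDisk.encrypted or true` would keep the provisioning tool on the same secure default as the module, which matters because the later `luksOpen`/`vgcreate` steps are chosen by this value alone. The same raw read, and the dependence on `$PWD`, already existed for `diskId`.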
@@ -32,7 +35,9 @@ in rec { sudo umount -Rl ${mntRootVol} sudo rmdir ${mntRootVol} sudo vgchange -an ${ownLib.disk.volumeGroup diskId} - sudo cryptsetup close ${ownLib.disk.luksName diskId} + ${pkgs.lib.strings.optionalString encrypted '' + sudo cryptsetup close ${ownLib.disk.luksName diskId} + ''} sync ''; @@ -56,7 +61,7 @@ in rec { #!/usr/bin/env bash set -xe - read -p "Continue to format ${ownLib.disk.bootGrubDevice diskId} (YES/n)?" choice + read -p "Continue to format ${ownLib.disk.bootGrubDevice diskId} (YES/n)? " choice case "$choice" in YES ) echo "Continuing in 3 seconds..."; sleep 3;; n|N ) echo "Exiting..."; exit 0;; @@ -100,12 +105,14 @@ in rec { sleep 1 - # Encrypt - sudo cryptsetup luksFormat ${ownLib.disk.bootLuksDevice diskId} - - sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId} + ${pkgs.lib.strings.optionalString encrypted '' + # Encrypt + sudo cryptsetup luksFormat ${ownLib.disk.bootLuksDevice diskId} - + sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId} + ''} # LVM - sudo vgcreate ${ownLib.disk.volumeGroup diskId} ${ownLib.disk.luksPhysicalVolume diskId} + sudo vgcreate ${ownLib.disk.volumeGroup diskId} ${ownLib.disk.lvmPv diskId encrypted} sudo lvcreate ${ownLib.disk.volumeGroup diskId} -L 2G -n swap sudo lvcreate ${ownLib.disk.volumeGroup diskId} -l 100%FREE -n root @@ -160,7 +167,9 @@ in rec { if test "${previousDiskId}"; then - sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId} + ${pkgs.lib.strings.optionalString encrypted '' + sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId} + ''} sync sleep 1 if sudo vgs ${previousDiskId}; then @@ -168,6 +177,8 @@ in rec { sudo vgscan fi fi - sudo cryptsetup close ${ownLib.disk.luksName diskId} + ${pkgs.lib.strings.optionalString encrypted '' + sudo cryptsetup close ${ownLib.disk.luksName diskId} + ''} ''; } 
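Review bot: In the `@@ -100,12 +105,14 @@` hunk the unencrypted branch runs `vgcreate` straight on the partition and then the unchanged `sudo lvcreate ${ownLib.disk.volumeGroup diskId} -L 2G -n swap`, so with `encrypted = false` the swap volume, which can receive any memory page, ends up on disk in the clear together with root. Nothing in the patch records that trade-off for whoever flips the flag; a comment at the head of the new `optionalString encrypted` block, `# When encrypted is false, root AND swap below are stored in the clear`, would make it visible in the script that does the formatting. If the system module declares that swap LV somewhere outside these hunks, it could be made conditional on `cfg.encrypted` as well.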
diff --git a/nix/os/devices/steveej-t14/configuration.nix b/nix/os/devices/steveej-t14/configuration.nix index 3828dd1..021be3d 100644 --- a/nix/os/devices/steveej-t14/configuration.nix +++ b/nix/os/devices/steveej-t14/configuration.nix @@ -4,7 +4,7 @@ imports = [ ../../profiles/common/configuration.nix ../../profiles/graphical/configuration.nix - ../../modules/encryptedDisk.nix + ../../modules/opnionatedDisk.nix ./system.nix ./hw.nix diff --git a/nix/os/devices/steveej-t14/hw.nix b/nix/os/devices/steveej-t14/hw.nix index dd4c4a3..ad63d6c 100644 --- a/nix/os/devices/steveej-t14/hw.nix +++ b/nix/os/devices/steveej-t14/hw.nix @@ -20,6 +20,7 @@ in # TASK: new device hardware.encryptedDisk = { enable = true; + encrypted = true; diskId = "nvme-SKHynix_HFS001TD9TNI-L2B0B_CJ0AN89731030AV3Q"; }; diff --git a/nix/os/devices/vmd32387.contaboserver.net/configuration.nix b/nix/os/devices/vmd32387.contaboserver.net/configuration.nix index ffce549..b681c06 100644 --- a/nix/os/devices/vmd32387.contaboserver.net/configuration.nix +++ b/nix/os/devices/vmd32387.contaboserver.net/configuration.nix @@ -5,7 +5,7 @@ ]; imports = [ ../../profiles/common/configuration.nix - ../../modules/encryptedDisk.nix + ../../modules/opinionatedDisk.nix ./system.nix ./hw.nix diff --git a/nix/os/devices/vmd32387.contaboserver.net/hw.nix b/nix/os/devices/vmd32387.contaboserver.net/hw.nix index 7a04340..75d5aae 100644 --- a/nix/os/devices/vmd32387.contaboserver.net/hw.nix +++ b/nix/os/devices/vmd32387.contaboserver.net/hw.nix @@ -18,8 +18,9 @@ let in { # TASK: new device - hardware.encryptedDisk = { + hardware.opinionatedDisk = { enable = true; + encrypted = true; diskId = "scsi-0QEMU_QEMU_HARDDISK_drive-scsi0"; }; diff --git a/nix/os/lib/default.nix b/nix/os/lib/default.nix index 566ccb9..503d30e 100644 --- a/nix/os/lib/default.nix +++ b/nix/os/lib/default.nix 
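Review bot: `../../modules/opnionatedDisk.nix` in the steveej-t14/configuration.nix hunk misspells the file the patch renames to `nix/os/modules/opinionatedDisk.nix`, so that device's configuration should fail on a missing import; the same typo appears in the removable-medium/hw.nix hunk at the end of the patch, where `hardware.opnionatedDisk.enable` and `hardware.opnionatedDisk.encrypted` name an option the module never declares. The steveej-t14/hw.nix hunk has the mirror problem: it adds `encrypted = true;` inside the untouched `hardware.encryptedDisk = {` block, an option name that no longer exists once the module's options move to `hardware.opinionatedDisk`, so that host presumably stops evaluating too. The vmd32387.contaboserver.net hunks show the intended spelling for all three places.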
@@ -48,5 +48,10 @@ bootLuksDevice = diskId: "/dev/disk/by-partlabel/" + (shortenGptPartlabel ("3-"+diskId)); luksName = diskId: (volumeGroup diskId)+"pv"; luksPhysicalVolume = diskId: "/dev/mapper/" + (luksName diskId); + lvmPv = diskId: encrypted: + if encrypted == true + then luksPhysicalVolume diskId + else bootLuksDevice diskId + ; }; } diff --git a/nix/os/modules/encryptedDisk.nix b/nix/os/modules/opinionatedDisk.nix similarity index 76% rename from nix/os/modules/encryptedDisk.nix rename to nix/os/modules/opinionatedDisk.nix index b70c7be..c9864ed 100644 --- a/nix/os/modules/encryptedDisk.nix +++ b/nix/os/modules/opinionatedDisk.nix @@ -4,14 +4,18 @@ with lib; let - cfg = config.hardware.encryptedDisk; + cfg = config.hardware.opinionatedDisk; ownLib = import ../lib/default.nix { }; in { - options.hardware.encryptedDisk = { - enable = mkEnableOption "Enable encrypted filesystem layout"; + options.hardware.opinionatedDisk = { + enable = mkEnableOption "Enable opinionated filesystem layout"; diskId = mkOption { type = types.str; }; + encrypted = mkOption { + default = true; + type = types.bool; + }; }; config = lib.mkIf cfg.enable { @@ -36,10 +40,10 @@ in { boot.loader.grub = { device = (ownLib.disk.bootGrubDevice cfg.diskId); - enableCryptodisk = true; + enableCryptodisk = cfg.encrypted; }; - boot.initrd.luks.devices = builtins.listToAttrs [ + boot.initrd.luks.devices = lib.optionalAttrs cfg.encrypted (builtins.listToAttrs [ { name = let @@ -53,6 +57,6 @@ in { allowDiscards = true; }; } - ]; + ]); }; } diff --git a/nix/os/profiles/removable-medium/configuration.nix b/nix/os/profiles/removable-medium/configuration.nix index 883c2a4..77d7eb5 100644 --- a/nix/os/profiles/removable-medium/configuration.nix +++ b/nix/os/profiles/removable-medium/configuration.nix @@ -2,7 +2,7 @@ { imports = [ - ../../modules/encryptedDisk.nix + ../../modules/opinionatedDisk.nix ./pkg.nix ./hw.nix 
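Review bot: `lvmPv` returns `bootLuksDevice diskId` for the unencrypted case, so a helper named for a LUKS device now also denotes the raw GPT partition that receives `vgcreate` directly, and a reader of `lvmPv diskId encrypted` in disk.nix cannot tell which of the two they hold. A doc comment above the new definition, `# Block device holding the LVM PV: the opened LUKS mapping when encrypted, otherwise the bare partition itself`, would settle that, and `if encrypted then` is the idiomatic form of `if encrypted == true then`.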
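Review bot: In the first opinionatedDisk.nix hunk the new `encrypted` option carries a `default` and a `type` but no `description`, so the single setting that decides whether root and swap are stored in the clear is undocumented. Suggest adding, next to `type = types.bool;`, `description = "Place the LVM physical volume on a LUKS container. When false, root and swap are stored unencrypted and no initrd LUKS device or GRUB cryptodisk support is configured.";`, which also matches what the later hunks do with `enableCryptodisk = cfg.encrypted` and `lib.optionalAttrs cfg.encrypted`.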
diff --git a/nix/os/profiles/removable-medium/hw.nix b/nix/os/profiles/removable-medium/hw.nix index 99f014f..b463622 100644 --- a/nix/os/profiles/removable-medium/hw.nix +++ b/nix/os/profiles/removable-medium/hw.nix @@ -1,6 +1,7 @@ { ... }: { - hardware.encryptedDisk.enable = true; + hardware.opnionatedDisk.enable = true; + hardware.opnionatedDisk.encrypted = true; hardware.enableAllFirmware = true; }