From aef08954ab561ea2494989e13dc321319cc5dabf Mon Sep 17 00:00:00 2001
From: Stefan Junker
Date: Mon, 21 Dec 2020 14:35:50 +0100
Subject: [PATCH 1/3] steveej-t14: init
---
 README.md | 3 +
 nix/os/devices/steveej-t14/boot.nix | 8 ++
 nix/os/devices/steveej-t14/configuration.nix | 14 ++++
 nix/os/devices/steveej-t14/hw.nix | 30 ++++++++
 nix/os/devices/steveej-t14/pkg.nix | 12 +++
 nix/os/devices/steveej-t14/system.nix | 78 ++++++++++++++++++++
 nix/os/devices/steveej-t14/user.nix | 15 ++++
 nix/os/devices/steveej-t14/versions.nix | 30 ++++++++
 nix/os/devices/steveej-t14/versions.tmpl.nix | 30 ++++++++
 9 files changed, 220 insertions(+)
 create mode 100644 nix/os/devices/steveej-t14/boot.nix
 create mode 100644 nix/os/devices/steveej-t14/configuration.nix
 create mode 100644 nix/os/devices/steveej-t14/hw.nix
 create mode 100644 nix/os/devices/steveej-t14/pkg.nix
 create mode 100644 nix/os/devices/steveej-t14/system.nix
 create mode 100644 nix/os/devices/steveej-t14/user.nix
 create mode 100644 nix/os/devices/steveej-t14/versions.nix
 create mode 100644 nix/os/devices/steveej-t14/versions.tmpl.nix
diff --git a/README.md b/README.md
index 486235b..1291c18 100644
--- a/README.md
+++ b/README.md
@@ -55,4 +55,7 @@ just --list
 * boot with an install media and go through setup
 #### Post-Install Setup
+* clone password-manager and infra repositories
+* `chmod --recursive g-rwx,o-rwx ~/.gnupg`
+* gpg2: ultimately trust my own key
 * `gpg2 --edit-card; fetch`
diff --git a/nix/os/devices/steveej-t14/boot.nix b/nix/os/devices/steveej-t14/boot.nix
new file mode 100644
index 0000000..2f5f8ea
--- /dev/null
+++ b/nix/os/devices/steveej-t14/boot.nix
@@ -0,0 +1,8 @@
+{ lib
+, ...
+}:
+
+{
+ boot.loader.grub.efiInstallAsRemovable = lib.mkForce true;
+ boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
+}
diff --git a/nix/os/devices/steveej-t14/configuration.nix b/nix/os/devices/steveej-t14/configuration.nix
new file mode 100644
index 0000000..3828dd1
--- /dev/null
+++ b/nix/os/devices/steveej-t14/configuration.nix
@@ -0,0 +1,14 @@
+{ ... }:
+
+{
+ imports = [
+ ../../profiles/common/configuration.nix
+ ../../profiles/graphical/configuration.nix
+ ../../modules/encryptedDisk.nix
+
+ ./system.nix
+ ./hw.nix
+ ./pkg.nix
+ ./user.nix
+ ];
+}
diff --git a/nix/os/devices/steveej-t14/hw.nix b/nix/os/devices/steveej-t14/hw.nix
new file mode 100644
index 0000000..dd4c4a3
--- /dev/null
+++ b/nix/os/devices/steveej-t14/hw.nix
@@ -0,0 +1,30 @@
+{ ... }:
+
+let
+ stage1Modules = [
+ "aesni_intel"
+ "kvm-intel"
+ "aes_x86_64"
+ "nvme"
+ "nvme_core"
+
+ "pcieport"
+ "thunderbolt"
+ "e1000e"
+ "xhci_pci"
+ "hxci_hcd"
+ ];
+
+in
+{
+ # TASK: new device
+ hardware.encryptedDisk = {
+ enable = true;
+ diskId = "nvme-SKHynix_HFS001TD9TNI-L2B0B_CJ0AN89731030AV3Q";
+ };
+
+ # boot.initrd.availableKernelModules = stage1Modules;
+ boot.initrd.kernelModules = stage1Modules;
+ boot.extraModprobeConfig = ''
+ '';
+}
diff --git a/nix/os/devices/steveej-t14/pkg.nix b/nix/os/devices/steveej-t14/pkg.nix
new file mode 100644
index 0000000..01b4cba
--- /dev/null
+++ b/nix/os/devices/steveej-t14/pkg.nix
@@ -0,0 +1,12 @@
+{ pkgs
+, ...
+}:
+
+{
+ nixpkgs.config.packageOverrides = pkgs: with pkgs; {
+ nixPath = (import ../../../default.nix { versionsPath = ./versions.nix; }).nixPath;
+ };
+ home-manager.users.steveej = import ../../../home-manager/configuration/graphical-fullblown.nix { inherit pkgs; };
+ services.teamviewer.enable = true;
+ system.stateVersion = "20.09";
+}
diff --git a/nix/os/devices/steveej-t14/system.nix b/nix/os/devices/steveej-t14/system.nix
new file mode 100644
index 0000000..cfe6f1d
--- /dev/null
+++ b/nix/os/devices/steveej-t14/system.nix
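Review bot: `"hxci_hcd"` in stage1Modules looks like a typo for `xhci_hcd`; no kernel module carries that name, so the entry next to `"xhci_pci"` should read `"xhci_hcd"`. Because the list feeds `boot.initrd.kernelModules` rather than the commented-out `availableKernelModules`, every entry is force-loaded in stage 1, so a misspelt or absent module is either an initrd build failure or a silent no-op depending on the NixOS version in use — worth checking which applies here. The same question applies to `"aes_x86_64"`: I believe upstream dropped that module around Linux 5.4, and system.nix in this series pins `linuxPackages_latest`, so verify it still exists in the kernel actually selected before keeping it in the list.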
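Review bot: `services.teamviewer.enable = true;` starts the TeamViewer daemon as a root system service on every boot, which gives a third-party remote-control agent persistent presence on this laptop whether or not a session is wanted. If it is only used occasionally, consider leaving it disabled here and starting it on demand, or add a comment stating why it has to be always-on so the exposure is a recorded decision. Separately, the `pkgs:` argument of `packageOverrides` shadows the module's `pkgs` parameter; naming it differently (e.g. `prev: with prev; {`) avoids the ambiguity, and `system.stateVersion` is easier to find in configuration.nix or system.nix than in a file named pkg.nix.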
@@ -0,0 +1,78 @@
+{ pkgs
+, lib
+, config
+, ... }:
+
+let
+ keys = import ../../../variables/keys.nix;
+in {
+
+ # TASK: new device
+ networking.hostName = "steveej-t14"; # Define your hostname.
+
+ networking.bridges."virbr1".interfaces = [];
+ networking.interfaces."virbr1".ipv4.addresses = [
+ { address = "10.254.254.254"; prefixLength = 24; }
+ ];
+
+ networking.firewall.enable = true;
+ networking.firewall.allowedTCPPorts = [
+ # syncthing
+ 22000
+
+ # iperf3
+ 5201
+ ];
+
+ networking.firewall.logRefusedConnections = false;
+ networking.usePredictableInterfaceNames = false;
+
+ services.printing = {
+ enable = true;
+ drivers = with pkgs; [
+ hplip
+ mfcl3770cdw.driver
+ mfcl3770cdw.cupswrapper
+ ];
+ };
+
+ services.fprintd.enable = true;
+ security.pam.services = {
+ login.fprintAuth = true;
+ sudo.fprintAuth = true;
+ };
+
+ # virtualization
+ virtualisation = {
+ libvirtd = {
+ enable = true;
+ };
+
+ virtualbox.host = {
+ enable = false ;
+ addNetworkInterface = false;
+ };
+
+ docker = {
+ enable = true;
+ extraOptions = "--experimental";
+ };
+ };
+
+
+ security.pki.certificateFiles = [
+ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+ ];
+
+ services.xserver.videoDrivers = [ "modesetting" ];
+ services.xserver.serverFlagsSection = ''
+ Option "BlankTime" "0"
+ Option "StandbyTime" "0"
+ Option "SuspendTime" "0"
+ Option "OffTime" "0"
+ '';
+
+ boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
+
+ hardware.ledger.enable = true;
+}
diff --git a/nix/os/devices/steveej-t14/user.nix b/nix/os/devices/steveej-t14/user.nix
new file mode 100644
index 0000000..f07b2ac
--- /dev/null
+++ b/nix/os/devices/steveej-t14/user.nix
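Review bot: `networking.firewall.allowedTCPPorts = [ 22000 5201 ]` opens both ports on every interface, including `virbr1` and whatever untrusted network the laptop joins; the iperf3 port in particular belongs to a test tool that rarely needs to be reachable permanently. If they are only meant for specific links, `networking.firewall.interfaces.<name>.allowedTCPPorts` scopes them to those interfaces, and `logRefusedConnections = false` on the next line removes the one log signal that would show unexpected probes, so a comment on why logging is off would help. `sudo.fprintAuth = true` is wired as a sufficient PAM module, so a fingerprint alone authorizes escalation to root — a weaker factor than the password it replaces — and deserves an explicit note if that is intended. `keys` and the `config` argument are bound but never used in this file.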
@@ -0,0 +1,15 @@
+{ config
+, pkgs
+, ... }:
+
+let
+ passwords = import ../../../variables/passwords.crypt.nix;
+ keys = import ../../../variables/keys.nix;
+ inherit (import ../../lib/default.nix { }) mkUser;
+
+in {
+ users.extraUsers.steveej2 = mkUser {
+ uid = 1001;
+ openssh.authorizedKeys.keys = keys.users.steveej.openssh;
+ };
+}
diff --git a/nix/os/devices/steveej-t14/versions.nix b/nix/os/devices/steveej-t14/versions.nix
new file mode 100644
index 0000000..ddbd1ee
--- /dev/null
+++ b/nix/os/devices/steveej-t14/versions.nix
@@ -0,0 +1,30 @@
+let
+ nixpkgs = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "nixos-20.09";
+ rev = "3d2d8f281a27d466fa54b469b5993f7dde198375";
+ };
+in
+
+{
+ inherit nixpkgs;
+ nixos = nixpkgs // {
+ suffix = "/nixos";
+ };
+ "channels-nixos-stable" = nixpkgs;
+ "channels-nixos-unstable" = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "nixos-unstable";
+ rev = "e9158eca70ae59e73fae23be5d13d3fa0cfc78b4";
+ };
+ "nixpkgs-master" = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "master";
+ rev = "2a058487cb7a50e7650f1657ee0151a19c59ec3b";
+ };
+ "home-manager-module" = {
+ url = "https://github.com/nix-community/home-manager";
+ ref = "release-20.09";
+ rev = "63f299b3347aea183fc5088e4d6c4a193b334a41";
+ };
+}
diff --git a/nix/os/devices/steveej-t14/versions.tmpl.nix b/nix/os/devices/steveej-t14/versions.tmpl.nix
new file mode 100644
index 0000000..09f95fd
--- /dev/null
+++ b/nix/os/devices/steveej-t14/versions.tmpl.nix
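Review bot: `passwords` is imported from `passwords.crypt.nix` but never used in this file, so the binding only makes evaluation of this host depend on the secrets file for nothing; drop it, together with the unused `config` and `pkgs` arguments. The account created here is `steveej2`, while pkg.nix in the same series configures `home-manager.users.steveej` and the authorized keys are taken from `keys.users.steveej` — presumably `steveej` itself comes from the common profile, but if a second account is really intended it should have its own key entry and home-manager configuration, otherwise the `2` looks like a leftover from copying another device.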
@@ -0,0 +1,30 @@
+let
+ nixpkgs = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "nixos-20.09";
+ rev = "<% git ls-remote https://github.com/nixos/nixpkgs nixos-20.09 | awk '{ print $1 }' | tr -d '\n' -%>";
+ };
+in
+
+{
+ inherit nixpkgs;
+ nixos = nixpkgs // {
+ suffix = "/nixos";
+ };
+ "channels-nixos-stable" = nixpkgs;
+ "channels-nixos-unstable" = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "nixos-unstable";
+ rev = "<% git ls-remote https://github.com/nixos/nixpkgs nixos-unstable | awk '{ print $1 }' | tr -d '\n' -%>";
+ };
+ "nixpkgs-master" = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "master";
+ rev = "<% git ls-remote https://github.com/NixOS/nixpkgs.git master | head -n1 | awk '{ print $1 }' | tr -d '\n' -%>";
+ };
+ "home-manager-module" = {
+ url = "https://github.com/nix-community/home-manager";
+ ref = "release-20.09";
+ rev = "<% git ls-remote https://github.com/nix-community/home-manager.git release-20.09 | awk '{ print $1 }' | tr -d '\n' -%>";
+ };
+}
--
2.49.0
From be985e63b23f71bcf6912f1128d1d168292d56fc Mon Sep 17 00:00:00 2001
From: Stefan Junker
Date: Tue, 22 Dec 2020 00:51:23 +0100
Subject: [PATCH 2/3] README: add more post-install steps
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 1291c18..4fe7213 100644
--- a/README.md
+++ b/README.md
@@ -55,7 +55,7 @@ just --list
 * boot with an install media and go through setup
 #### Post-Install Setup
-* clone password-manager and infra repositories
 * `chmod --recursive g-rwx,o-rwx ~/.gnupg`
-* gpg2: ultimately trust my own key
 * `gpg2 --edit-card; fetch`
+* clone password-manager and infra repositories
+* gpg2: ultimately trust my own key
--
2.49.0
From b215e8280d0f2a137fa3269501191f8f0c12f869 Mon Sep 17 00:00:00 2001
From: Stefan Junker
Date: Mon, 21 Dec 2020 16:47:00 +0100
Subject: [PATCH 3/3] graphical-systems: disable pcscd
Also add udev rule to allow users device access. This is required for users accessing the Yubikey directly which is the case when using gpg without pcscd
---
 nix/home-manager/profiles/qtile-desktop.nix | 3 ++-
 nix/os/devices/steveej-t14/system.nix | 1 +
 nix/os/profiles/graphical/system.nix | 5 ++++-
 3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/nix/home-manager/profiles/qtile-desktop.nix b/nix/home-manager/profiles/qtile-desktop.nix
index 004f821..382bfaa 100644
--- a/nix/home-manager/profiles/qtile-desktop.nix
+++ b/nix/home-manager/profiles/qtile-desktop.nix
@@ -316,7 +316,8 @@ in {
 enableScDaemon = true;
 enableSshSupport = true;
 grabKeyboardAndMouse = true;
- extraConfig = "pinentry-program ${pkgs.pinentry-gtk2}/bin/pinentry";
+ pinentryFlavor = "gtk2";
+ extraConfig = "";
 };
 flameshot.enable = true;
 };
diff --git a/nix/os/devices/steveej-t14/system.nix b/nix/os/devices/steveej-t14/system.nix
index cfe6f1d..52ab96b 100644
--- a/nix/os/devices/steveej-t14/system.nix
+++ b/nix/os/devices/steveej-t14/system.nix
@@ -74,5 +74,6 @@ in {
 boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
+
 hardware.ledger.enable = true;
 }
diff --git a/nix/os/profiles/graphical/system.nix b/nix/os/profiles/graphical/system.nix
index ff3def4..06e7d69 100644
--- a/nix/os/profiles/graphical/system.nix
+++ b/nix/os/profiles/graphical/system.nix
@@ -20,7 +20,7 @@
 # hardware related services
 services.illum.enable = true;
- services.pcscd.enable = true;
+ services.pcscd.enable = false;
 hardware = {
 bluetooth.enable = true;
 pulseaudio = {
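Review bot: `extraConfig = "";` in the gpg-agent block is redundant once the pinentry line has moved to `pinentryFlavor = "gtk2";`; the option's default is already the empty string, so the line can simply be deleted rather than kept as an empty assignment. The enclosing attribute set starts outside the hunk.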
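Review bot: `services.pcscd.enable = false;` lives in the shared graphical profile, so it switches pcscd off for every host that imports `nix/os/profiles/graphical`, not only the machine the new udev rule is written for; any other host that reaches its smart card through pcscd loses that path with this commit. If the change is meant for the t14 only, the override belongs in `nix/os/devices/steveej-t14/system.nix` as `services.pcscd.enable = false;`, and otherwise the profile should carry a comment recording the gpg-without-pcscd decision that currently exists only in the commit message. The enclosing attribute set starts and ends outside the hunk.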
@@ -109,6 +109,9 @@
 SUBSYSTEM=="usb", ATTR{idVendor}=="047f", ATTR{idProduct}=="011a", GROUP="users", MODE="0777"
 SUBSYSTEM=="usb", ATTR{idVendor}=="047f", ATTR{idProduct}=="fffe", GROUP="users", MODE="0777"
 SUBSYSTEM=="usb", ATTR{idVendor}=="047f", ATTR{idProduct}=="0001", GROUP="users", MODE="0777"
+
+ # Yubikey 4/5 U2F+CCID
+ SUBSYSTEM=="usb", ATTR{idVendor}=="1050", ATTR{idProduct}=="0406", ENV{ID_SECURITY_TOKEN}="1", GROUP="wheel"
 '';
--
2.49.0
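Review bot: The new YubiKey rule sets `GROUP="wheel"` without a `MODE`, so what wheel members (and everyone else) actually get depends on udev's default node mode for the usb subsystem — I believe 0664 — rather than on the rule itself; pinning it with `MODE="0660"` makes the grant explicit and keeps other users out, which is already a much tighter scope than the `MODE="0777"` rules above it. Since pcscd is being disabled in favour of direct access, `TAG+="uaccess"` would grant the active seat user instead of every wheel member and is the usual way to expose a token to the logged-in desktop user. The match is limited to `idProduct` 0406, the U2F+CCID mode named in the comment; a key configured in another mode reports a different product id and would not be covered, which may be intended but is worth stating in the comment. The surrounding `''` string starts outside the hunk.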