From 1514c30e46768eb978996660ad46ca8e48cef5b7 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Sat, 15 May 2021 15:27:19 +0200 Subject: ... --- accounts/gkleen@sif/default.nix | 2 - accounts/gkleen@sif/emacs.el | 25 ++++++++- accounts/gkleen@sif/ssh-hosts.nix | 16 ++++++ .../gkleen@sif/xmonad/lib/XMonad/Prompt/MySsh.hs | 5 +- accounts/gkleen@sif/xmonad/xmonad.hs | 14 +++-- flake.lock | 18 +++---- hosts/sif/default.nix | 27 +++++++++- modules/luksroot.nix | 59 +++++++++++++++++++++- user-profiles/core.nix | 1 + user-profiles/mpv/default.nix | 8 +-- 10 files changed, 150 insertions(+), 25 deletions(-) diff --git a/accounts/gkleen@sif/default.nix b/accounts/gkleen@sif/default.nix index 5ee7845d..676c12a3 100644 --- a/accounts/gkleen@sif/default.nix +++ b/accounts/gkleen@sif/default.nix @@ -242,8 +242,6 @@ in { extraProfileCommands = '' export XDG_DATA_DIRS="${pkgs.gsettings-desktop-schemas}/share/gsettings-schemas/${pkgs.gsettings-desktop-schemas.name}:${pkgs.gtk3}/share/gsettings-schemas/${pkgs.gtk3.name}''${XDG_DATA_DIRS:+:''${XDG_DATA_DIRS}}" ''; - - stateVersion = "20.03"; }; fonts.fontconfig.enable = true; diff --git a/accounts/gkleen@sif/emacs.el b/accounts/gkleen@sif/emacs.el index c8356bf2..b22c00f5 100644 --- a/accounts/gkleen@sif/emacs.el +++ b/accounts/gkleen@sif/emacs.el @@ -68,7 +68,7 @@ (setq undo-tree-auto-save-history t) -(defvar expand-file-name-custom-tilde-alist '()) +(defvar expand-file-name-custom-tilde-alist '(("u2w-dev1" . "/ssh:uni2work-dev1:/home/gkleen/projects/uni2work"))) (defun my/add-to-tilde-alist (hash) (let* ((tilde:dir (split-string hash "=")) (tilde (car tilde:dir)) 
@@ -128,6 +128,29 @@ (setq ido-everywhere t) (ido-mode 1) +(setq tramp-default-method "ssh") +(customize-set-variable 'tramp-use-ssh-controlmaster-options nil) + +(setq direnv-enabled-hosts '("uni2work-dev1")) + +(defun tramp-sh-handle-start-file-process@my-direnv (args) + "Enable Direnv for hosts in `direnv-enabled-hosts'." + (with-parsed-tramp-file-name (expand-file-name default-directory) nil + (if (member host direnv-enabled-hosts) + (pcase-let ((`(,name ,buffer ,program . ,args) args)) + `(,name + ,buffer + "direnv" + "exec" + ,localname + ,program + ,@args)) + args))) + +(with-eval-after-load "tramp-sh" + (advice-add 'tramp-sh-handle-start-file-process + :filter-args #'tramp-sh-handle-start-file-process@my-direnv)) + (setq mail-host-address "sif.midgard.yggdrasil") (setq user-full-name "Gregor Kleen") diff --git a/accounts/gkleen@sif/ssh-hosts.nix b/accounts/gkleen@sif/ssh-hosts.nix index 0db4e342..d47410f4 100644 --- a/accounts/gkleen@sif/ssh-hosts.nix +++ b/accounts/gkleen@sif/ssh-hosts.nix @@ -91,6 +91,11 @@ user = "root"; identityFile = "~/.ssh/uni2work"; }; + "jump.uniworx4" = + { hostname = "uniworx4.ifi.lmu.de"; + user = "sshjump"; + identityFile = "~/.ssh/sshjump.uni2work"; + }; "uni2workgw" = { hostname = "uni2workgw.ifi.lmu.de"; user = "root"; @@ -206,4 +211,15 @@ user = "git"; identityFile = "~/.ssh/gkleen@gitlab.lrz.de"; }; + "uni2work-dev1" = + { hostname = "uni2work-dev1.ifi.lmu.de"; + user = "gkleen"; + identityFile = "~/.ssh/uni2work"; + proxyJump = "jump.uniworx4"; + localForwards = [ + { bind = { address = "localhost"; port = 3940; }; + host = { address = "localhost"; port = 3940; }; + } + ]; + }; } diff --git a/accounts/gkleen@sif/xmonad/lib/XMonad/Prompt/MySsh.hs b/accounts/gkleen@sif/xmonad/lib/XMonad/Prompt/MySsh.hs index c85d0f92..729941aa 100644 --- a/accounts/gkleen@sif/xmonad/lib/XMonad/Prompt/MySsh.hs +++ b/accounts/gkleen@sif/xmonad/lib/XMonad/Prompt/MySsh.hs 
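Review bot: `tramp-sh-handle-start-file-process@my-direnv` rebinds `args` inside `pcase-let` to the tail of the argument list while the function parameter is also named `args`, so `,@args` in the template and the `args` returned by the else branch are two different values with the same name; renaming the tail (`(,name ,buffer ,program . ,rest)` and `,@rest`) removes the ambiguity. The docstring should also state what the advice assumes: `direnv` must be on the remote host's PATH, and the remote directory passed as `,localname` is expected to have an allowed `.envrc` — if it is blocked, direnv reports an error and, as far as I recall, runs `program` without loading it, so the process silently gets the plain environment. Nothing here degrades when `direnv` is absent on a listed host: every process start for that host then fails on the missing `direnv` executable rather than falling back to running `program` directly.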
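Review bot: The `localForwards` entry on `uni2work-dev1` forwards port 3940 without saying what listens there; a one-line comment such as `# 3940: <service> on uni2work-dev1, tunnelled through jump.uniworx4` saves the next reader from guessing, and binding both ends to `localhost` is the right choice. Because the target and the jump host use different identity files, `identitiesOnly = true;` on both `uni2work-dev1` and `jump.uniworx4` would stop the client from offering every agent-loaded key to `sshjump@uniworx4.ifi.lmu.de` before the intended one — unless that is already set globally elsewhere in the file, which is outside this hunk.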
@@ -80,9 +80,12 @@ moshCmd' p c = concat , " -- " , cCommand c ] -inTmux c +inTmux Nothing c | null $ cCommand c = c { cCommand = "tmux new-session" } | otherwise = c { cCommand = "tmux new-session \"" ++ (cCommand c) ++ "\"" } +inTmux (Just h) c + | null $ cCommand c = c { cCommand = "tmux new-session -As " <> h } + | otherwise = c { cCommand = "tmux new-session \"" ++ (cCommand c) ++ "\"" } withEnv :: [(String, String)] -> Conn -> Conn withEnv envs c = c { cCommand = "env" ++ (concat $ map (\(n, v) -> ' ' : (n ++ "=" ++ v)) envs) ++ " " ++ (cCommand c) } diff --git a/accounts/gkleen@sif/xmonad/xmonad.hs b/accounts/gkleen@sif/xmonad/xmonad.hs index 8282ed3f..3bf930c0 100644 --- a/accounts/gkleen@sif/xmonad/xmonad.hs +++ b/accounts/gkleen@sif/xmonad/xmonad.hs @@ -680,7 +680,7 @@ xPConfig = def , position = Top } -sshOverrides = map (\h -> mkOverride { oHost = h, oCommand = moshCmd . inTmux } ) +sshOverrides host = map (\h -> mkOverride { oHost = h, oCommand = moshCmd . inTmux host} ) [ "odin", "odin.asgard.yggdrasil" , "ymir", "ymir.yggdrasil.li", "ymir.niflheim.yggdrasil" 
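Review bot: In the new `inTmux (Just h)` clause the session name is only used on the no-command path; the `otherwise` guard is byte-identical to the `Nothing` clause, so a connection that carries a command gets an anonymous session even though a host was supplied. If that is intentional (one-off commands should not attach to the persistent per-host session) a comment on that guard should say so; if not, it should become `| otherwise = c { cCommand = "tmux new-session -As " <> h <> " \"" ++ cCommand c ++ "\"" }`. `h` is also spliced into the shell command unquoted; it comes from the local host name via `hName`, so metacharacters are unlikely, but single-quoting it costs nothing.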
@@ -691,13 +691,17 @@ sshOverrides = map (\h -> mkOverride { oHost = h, oCommand = moshCmd . inTmux } , "testworx" ] ++ - map (\h -> mkOverride { oHost = h, oCommand = moshCmd' "/run/current-system/sw/bin/mosh-server" . withEnv [("TERM", "xterm")] . inTmux} ) + map (\h -> mkOverride { oHost = h, oCommand = moshCmd' "/run/current-system/sw/bin/mosh-server" . withEnv [("TERM", "xterm")] . inTmux host} ) [ "bragi", "bragi.asgard.yggdrasil" ] ++ - map (\h -> mkOverride { oHost = h, oCommand = sshCmd . withEnv [("TERM", "xterm")] . inTmux } ) + map (\h -> mkOverride { oHost = h, oCommand = sshCmd . inTmux host } ) + [ "uni2work-dev1" + ] + ++ + map (\h -> mkOverride { oHost = h, oCommand = sshCmd . withEnv [("TERM", "xterm")] . inTmux host } ) [ "remote.cip.ifi.lmu.de" - , "uniworx3", "uniworx4", "uniworxdb" + , "uniworx3", "uniworx4", "uniworx5", "uniworxdb2" ] backlight :: (Rational -> Rational) -> X () @@ -769,7 +773,7 @@ myKeys' conf host = Map.fromList $ --, ((modm, xK_d ), spawn "exe=`dmenu_path | dmenu` && eval \"exec $exe\"") , ((modm, xK_d ), shellPrompt "Run: " xPConfig) , ((modm .|. shiftMask, xK_d ), prompt "Run in Terminal: " ("urxvtc" ++ " -e") xPConfig) - , ((modm, xK_at ), sshPrompt sshOverrides xPConfig) + , ((modm, xK_at ), sshPrompt (sshOverrides . Just $ hName host) xPConfig) -- close focused window , ((modm .|. shiftMask, xK_q ), kill) diff --git a/flake.lock b/flake.lock index d5e943cd..d284c668 100644 --- a/flake.lock +++ b/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1618041827, - "narHash": "sha256-17Fzc8rmT6HOarCp+8k9RhmgMorNtzTk/rzew+FqHrA=", + "lastModified": 1620692082, + "narHash": "sha256-s/eBXs4OI47yPWNTKoAg4f/H7wMLyO+VEMmobXkzfI8=", "owner": "nix-community", "repo": "home-manager", - "rev": "f567ea8228e0ce718871d7346e444dd15ad702e5", + "rev": "23769994e8f7b212d9a257799173b120ed87736b", "type": "github" }, "original": { 
@@ -23,11 +23,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1618153411, - "narHash": "sha256-xevpO/rTac+Fcf/8KmGGAxdoMN9WoosZTo9tAM8rHKY=", + "lastModified": 1620889072, + "narHash": "sha256-doTvE6myl1h2fxjMw4Atn7EjwzvnYBkGoZEHMepquec=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "20443c348225791ca7ecb2787f403f4be56ab223", + "rev": "e948a04cde32f9c2551a773da5742248f6d95b8c", "type": "github" }, "original": { @@ -51,11 +51,11 @@ ] }, "locked": { - "lastModified": 1617608551, - "narHash": "sha256-5KMomBp38ujNcz5NBmVaQSpi7k29cc+b+tBPmjGoEJw=", + "lastModified": 1618840526, + "narHash": "sha256-3VAac44xE+kO8o7BQXLqHrAMUQT+XqIK8BcLkEEDwOA=", "owner": "Mic92", "repo": "sops-nix", - "rev": "5e0ea90c782d6cfae13cae0af131a687e44717e9", + "rev": "4f384662a85804fa2bc1bc1f99e70bb468e76f88", "type": "github" }, "original": { diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix index daa37ad9..b090f6a7 100644 --- a/hosts/sif/default.nix +++ b/hosts/sif/default.nix @@ -62,14 +62,33 @@ networkmanager = { enable = true; dhcp = "internal"; - dns = "dnsmasq"; + dns = lib.mkForce "dnsmasq"; extraConfig = '' [connectivity] uri=https://online.yggdrasil.li ''; }; + wlanInterfaces = { + wlan0 = { + device = "wlp82s0"; + }; + }; + + bonds = { + "lan" = { + interfaces = [ "wlan0" "enp0s31f6" "dock0" ]; + driverOptions = { + miimon = "1000"; + mode = "active-backup"; + primary_reselect = "always"; + }; + }; + }; + dhcpcd.enable = false; + useDHCP = false; + useNetworkd = true; interfaces.yggdrasil = { virtual = true; @@ -78,6 +97,9 @@ }; }; + systemd.services."NetworkManager-wait-online".enable = false; + systemd.services."systemd-networkd-wait-online".enable = false; + environment.etc."NetworkManager/dnsmasq.d/libvirtd_dnsmasq.conf" = { text = '' server=/sif.libvirt/192.168.122.1 
@@ -263,9 +285,10 @@ }; }; - services.udev.extraRules = with pkgs; '' + services.udev.extraRules = with pkgs; lib.mkAfter '' SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="0", RUN+="${systemd}/bin/systemctl --no-block stop ac-plugged.service" SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="1", RUN+="${systemd}/bin/systemctl --no-block start ac-plugged.service" + ACTION=="add", SUBSYSTEM=="net", DEVTYPE!="?*", ATTR{address}=="3c:e1:a1:b9:cd:e5", NAME="dock0" ''; services.borgbackup = { diff --git a/modules/luksroot.nix b/modules/luksroot.nix index e1a910d7..abaee692 100644 --- a/modules/luksroot.nix +++ b/modules/luksroot.nix @@ -140,7 +140,7 @@ let umount /crypt-ramfs 2>/dev/null ''; - openCommand = name': { name, device, header, keyFile, keyFileSize, keyFileOffset, allowDiscards, yubikey, gpgCard, fido2, clevis, fallbackToPassword, preOpenCommands, postOpenCommands, ... }: assert name' == name; + openCommand = name': { name, device, header, keyFile, keyFileSize, keyFileOffset, allowDiscards, yubikey, gpgCard, fido2, clevis, dmi, fallbackToPassword, preOpenCommands, postOpenCommands, ... }: assert name' == name; let csopen = "cryptsetup luksOpen ${device} ${name} ${optionalString allowDiscards "--allow-discards"} ${optionalString (header != null) "--header=${header}"}"; cschange = "cryptsetup luksChangeKey ${device} ${optionalString (header != null) "--header=${header}"}"; 
@@ -451,10 +451,30 @@ let ''} + ${optionalString (luks.dmiSupport && dmi) '' + + open_with_hardware() { + dmidecode -s system-uuid > /crypt-ramfs/passphrase + + ${csopen} --key-file=- < /crypt-ramfs/passphrase > /dev/null 2> /dev/null + + if [ $? -ne 0 ]; then + echo "Unlocking with system-uuid failed, falling back to normal open procedure" + rm -f /crypt-ramfs/passphrase + open_normally + ${optionalString (!luks.reusePassphrases) '' + else + rm -f /crypt-ramfs/passphrase + ''} + fi + } + + ''} + # commands to run right before we mount our device ${preOpenCommands} - ${if (luks.yubikeySupport && (yubikey != null)) || (luks.gpgSupport && (gpgCard != null)) || (luks.fido2Support && (fido2.credential != null)) || (luks.clevisSupport && clevis) then '' + ${if (luks.yubikeySupport && (yubikey != null)) || (luks.gpgSupport && (gpgCard != null)) || (luks.fido2Support && (fido2.credential != null)) || (luks.clevisSupport && clevis) || (luks.dmiSupport && dmi) then '' open_with_hardware '' else '' open_normally @@ -789,6 +809,14 @@ in ''; }; + dmi = mkOption { + type = types.bool; + default = false; + description = '' + Unlock device via system-uuid (via dmidecode) + ''; + }; + preOpenCommands = mkOption { type = types.lines; default = ""; @@ -849,6 +877,14 @@ in Enables support for unlocking luks volumes via clevis (e.g. with a tpm) ''; }; + + boot.initrd.luks.dmiSupport = mkOption { + default = false; + type = types.bool; + description = '' + Enables support for unlocking luks volumes via system-uuid (via dmidecode) + ''; + }; }; @@ -866,6 +902,10 @@ in { assertion = !(luks.gpgSupport && luks.clevisSupport); message = "Clevis and GPG Card may not be used at the same time."; } + + { assertion = !(luks.gpgSupport && luks.dmiSupport); + message = "DMI and GPG Card may not be used at the same time."; + } { assertion = !(luks.fido2Support && luks.yubikeySupport); message = "FIDO2 and YubiKey may not be used at the same time."; 
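Review bot: The `dmidecode -s system-uuid` value that `open_with_hardware` feeds to `cryptsetup` is not a secret, so the key slot enrolled for it gives the volume no confidentiality against anyone who holds the whole machine: root on the running system can read it from `dmidecode` or `/sys/class/dmi/id/product_uuid`, firmware setup displays it, and for virtual machines it is whatever the hypervisor configuration says. What the path buys is binding the disk to a chassis — a drive pulled out alone will not auto-unlock — and a comment at the top of the function should say exactly that so the mode is not later mistaken for TPM-style sealing, e.g. `# system-uuid is public (sysfs, firmware, hypervisor config): this slot only ties the volume to this chassis; it is not a secret`. A second comment beside the `dmidecode` line should record that the enrolled keyfile must be the raw command output including its trailing newline, because `--key-file=-` uses the stdin bytes verbatim (unlike an interactive passphrase, where the newline is stripped), so a slot added from a typed UUID never matches and every boot falls back. The fallback itself behaves sensibly: a failing or unsupported `dmidecode` just leaves a non-matching file behind and `open_normally` runs.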
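Review bot: The description for the new `dmi` option reads `Unlock device via system-uuid (via dmidecode)`, which puts it on par with the yubikey, gpgCard, fido2 and clevis options beside it while it relies on a value that is not secret. Reword it to carry the threat model, for example: "Unlock the device with the SMBIOS system UUID reported by dmidecode. The UUID is readable by any root process and visible in firmware, so this only binds the volume to this chassis; it provides no protection if the whole machine is taken." The same sentence belongs in the description of `boot.initrd.luks.dmiSupport`, which is added in the following hunk with the same one-line wording.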
@@ -875,10 +915,18 @@ in message = "FIDO2 and Clevis may not be used at the same time."; } + { assertion = !(luks.fido2Support && luks.dmiSupport); + message = "FIDO2 and DMI may not be used at the same time."; + } + { assertion = !(luks.yubikeySupport && luks.clevisSupport); message = "Clevis and YubiKey may not be used at the same time."; } + { assertion = !(luks.yubikeySupport && luks.dmiSupport); + message = "DMI and YubiKey may not be used at the same time."; + } + ]; # actually, sbp2 driver is the one enabling the DMA attack, but this needs to be tested @@ -989,6 +1037,10 @@ in fi done ''} + + ${optionalString luks.dmiSupport '' + copy_bin_and_libs ${pkgs.dmidecode}/bin/dmidecode + ''} ''; boot.initrd.extraUtilsCommandsTest = '' @@ -1009,6 +1061,9 @@ in ${optionalString luks.clevisSupport '' $out/bin/jose alg ''} + ${optionalString luks.dmiSupport '' + $out/bin/dmidecode --version + ''} ''; boot.initrd.preFailCommands = postCommands; diff --git a/user-profiles/core.nix b/user-profiles/core.nix index 8611a0bd..fb80343d 100644 --- a/user-profiles/core.nix +++ b/user-profiles/core.nix @@ -7,6 +7,7 @@ config = { manual.manpages.enable = true; + home.stateVersion = "20.09"; }; }; } diff --git a/user-profiles/mpv/default.nix b/user-profiles/mpv/default.nix index 045094db..6b0ea076 100644 --- a/user-profiles/mpv/default.nix +++ b/user-profiles/mpv/default.nix 
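Review bot: The new assertions rule out DMI together with GPG, FIDO2 and YubiKey but not with Clevis, although every other pair of modes is asserted; if `clevisSupport` and `dmiSupport` are both enabled for a device that sets both flags, two `open_with_hardware` shell functions would be emitted into the same script and the later definition silently wins (the Clevis block sits outside this hunk, so that is inferred from the sibling assertions). Add `{ assertion = !(luks.clevisSupport && luks.dmiSupport); message = "Clevis and DMI may not be used at the same time."; }` alongside the others.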
@@ -38,13 +38,15 @@ passthru.scriptName = "reload.lua"; }; autosave = pkgs.stdenv.mkDerivation rec { - version = "0bv9wjrq"; + version = "744c3ee6"; pname = "autosave"; name = "${pname}-${version}.lua"; src = pkgs.fetchzip { - url = "https://gist.github.com/Hakkin/5489e511bd6c8068a0fc09304c9c5a82/archive/7a19f7cdb6dd0b1c6878b41e13b244e2503c15fc.zip"; - sha256 = "0bv9wjrqm2ragd7rp8vw768bja2ghascwlljd6rzzf2ybi10fxs2"; + url = "https://gist.github.com/CyberShadow/2f71a97fb85ed42146f6d9f522bc34ef/archive/744c3ee61d2f0a8e9bb4e308dec6897215ae4704.zip"; + hash = "sha256-yxA8wgzdS7SyKLoNTWN87ShsBfPKUflbOu4Y0jS2G3I="; + # url = "https://gist.github.com/Hakkin/5489e511bd6c8068a0fc09304c9c5a82/archive/7a19f7cdb6dd0b1c6878b41e13b244e2503c15fc.zip"; + # sha256 = "0bv9wjrqm2ragd7rp8vw768bja2ghascwlljd6rzzf2ybi10fxs2"; }; installPhase = '' -- cgit v1.2.3