add usb-stick nixos article and fixed some image issues
|
@ -0,0 +1,36 @@
|
|||
version: '3'
|
||||
|
||||
vars:
|
||||
SERVER: robi.private
|
||||
SERVER_PATH: /srv/www/tech
|
||||
|
||||
tasks:
|
||||
server:
|
||||
deps: [assets]
|
||||
cmds: ["hugo serve"]
|
||||
|
||||
build:
|
||||
deps: [assets]
|
||||
cmds: ["hugo"]
|
||||
|
||||
assets:
|
||||
deps: [css]
|
||||
|
||||
css:
|
||||
cmds:
|
||||
- lessc src/lessc/page/main.less static/css/main.css
|
||||
|
||||
publish:
|
||||
deps: [assets, build]
|
||||
cmds:
|
||||
- |
|
||||
rsync \
|
||||
--recursive \
|
||||
--compress \
|
||||
--checksum \
|
||||
--verbose \
|
||||
--human-readable \
|
||||
--partial --progress \
|
||||
--protect-args \
|
||||
--delete-after \
|
||||
public/ {{.SERVER}}:{{.SERVER_PATH}}/
|
Before Width: | Height: | Size: 5.8 KiB After Width: | Height: | Size: 5.8 KiB |
Before Width: | Height: | Size: 4.6 KiB After Width: | Height: | Size: 4.6 KiB |
After Width: | Height: | Size: 83 KiB |
After Width: | Height: | Size: 59 KiB |
|
@ -0,0 +1,233 @@
|
|||
---
|
||||
title: "nixos on encrypted USB stick"
|
||||
date: 2022-10-19T10:00:00+02:00
|
||||
tags:
|
||||
- NixOS
|
||||
- Bootable
|
||||
- USB
|
||||
summary: >
|
||||
In this article I will describe how to
|
||||
create an encrypted bootable USB stick
|
||||
running NixOS.
|
||||
---
|
||||
|
||||
How to Create and update an bootable Linux USB stick, which is encrypted
|
||||
is quite easy and has some use cases.
|
||||
|
||||
* As ultimate backup
|
||||
* As a holiday tool
|
||||
* For schools
|
||||
|
||||
|
||||
# Requirments
|
||||
|
||||
## USB Stick
|
||||
|
||||
You need an USB stick with at least 64GB otherwise major updates might get problematic.
|
||||
|
||||
The USB stick, which should hold the system, will be `/dev/sdb`.
|
||||
You can plugin the usb stick and run `dmesg` to find out which device we are using
|
||||
|
||||
|
||||
# Step by Step Guide
|
||||
|
||||
Here are the steps I use to create my encrypted USB sticks running NixOS.
|
||||
|
||||
## format and create gpt partition table
|
||||
|
||||
```
|
||||
┌────────────────────────────────┐
|
||||
│USB-stick │
|
||||
│ ┌──────────────────────────────┤
|
||||
│ │ /dev/sda1 boot1 (MBR 1MB) │
|
||||
│ ├──────────────────────────────┤
|
||||
│ │ /dev/sda2 boot2 (EFI 511MB) │
|
||||
│ ├──────────────────────────────┤
|
||||
│ │ │
|
||||
│ │ /dev/sda3 root (ext4 > 64GB) │
|
||||
│ │ (encrypted) │
|
||||
└─┴──────────────────────────────┘
|
||||
```
|
||||
|
||||
> We use 511 MB for the boot partition, but you might want to increas this partition,
|
||||
> if you want to place bootable ISOs on that partiton you want to boot instead of your NixOS system.
|
||||
|
||||
> We create an EFI partition as well a 1MB MBR partiton to make the stick boot
|
||||
> on all kinds of computers.
|
||||
|
||||
I always delete all partitions using `fdisk` before starting repartitioning.
|
||||
Than I start with the partitioning.
|
||||
|
||||
```shell
|
||||
parted /dev/sdb -- mklabel gpt
|
||||
parted /dev/sdb -- mkpart no-fs 1MB 2MB
|
||||
parted /dev/sdb -- set 1 bios_grub on
|
||||
parted /dev/sdb -- mkpart ESP fat32 2MiB 512MiB
|
||||
parted /dev/sdb -- set 2 boot on
|
||||
parted /dev/sdb -- mkpart primary 512MiB 100%
|
||||
```
|
||||
|
||||
It most likely is not necesary but to be sure, I unplug and plug the USB device again
|
||||
to be sure the new partiton table will be used.
|
||||
|
||||
## create and encrypt partition
|
||||
|
||||
```shell
|
||||
cryptsetup luksFormat /dev/sdb3
|
||||
cryptsetup luksOpen /dev/sdb3 root-enc
|
||||
```
|
||||
|
||||
This will be the password you have to type in every time you boot the USB Stick.
|
||||
|
||||
## create boot partitions
|
||||
|
||||
```shell
|
||||
mkfs.fat -F 32 -n boot /dev/sdb2
|
||||
mkfs.ext4 -L root /dev/mapper/root-enc
|
||||
```
|
||||
|
||||
## prepare installation
|
||||
|
||||
We have to mount the created partitons.
|
||||
|
||||
```shell
|
||||
mount /dev/mapper/root-enc /mnt
|
||||
mkdir /mnt/boot && mount /dev/sdb2 /mnt/boot
|
||||
```
|
||||
|
||||
And generate inital configuration files.
|
||||
|
||||
```shell
|
||||
nixos-generate-config --root /mnt
|
||||
```
|
||||
|
||||
Now you can update `configuration.nix`
|
||||
before installation.
|
||||
You can `hardware-configuration.nix` edit as too,
|
||||
but usally that is not necessary.
|
||||
|
||||
> don't forget to set your ssh key in `users.users.<name>.openssh.authorizedKeys.keys`
|
||||
> und `users.users.<name>.openssh.authorizedKeys.keyFiles`
|
||||
|
||||
I usually have also these configurations set
|
||||
```
|
||||
environment.systemPackages = with pkgs; [
|
||||
vim
|
||||
wget
|
||||
htop
|
||||
silver-searcher
|
||||
iotop
|
||||
];
|
||||
|
||||
environment.extraInit = ''
|
||||
# use vi shortcuts
|
||||
# ----------------
|
||||
set -o vi
|
||||
EDITOR=vim
|
||||
'';
|
||||
```
|
||||
|
||||
These options have to be added to make it bootable and to start it with qemu-kvm (See [Update stick using qemu-kvm](#update-stick-using-qemu-kvm))
|
||||
|
||||
```
|
||||
boot.loader.grub.enable = true;
|
||||
boot.loader.grub.efiSupport = true;
|
||||
boot.loader.grub.device = "/dev/sdb"; # todo : change me once the system booted
|
||||
boot.loader.grub.efiInstallAsRemovable = true;
|
||||
boot.tmpOnTmpfs = true;
|
||||
```
|
||||
|
||||
You most likely have to disable these parameters
|
||||
|
||||
```
|
||||
boot.loader.systemd-boot.enable = false;
|
||||
boot.loader.efi.canTouchEfiVariables = false;
|
||||
```
|
||||
|
||||
## Install system
|
||||
|
||||
```shell
|
||||
nixos-install --root /mnt
|
||||
```
|
||||
|
||||
## Unmount everything
|
||||
|
||||
You most likely don't want to restart your host machine, so you have to unmount everything manually
|
||||
|
||||
```
|
||||
umount /mnt/boot
|
||||
umount /mnt
|
||||
cryptsetup luksClose /dev/mapper/root-enc
|
||||
```
|
||||
|
||||
You are able to plug the USB stick in a computer now and boot from it and you
|
||||
root partition is encrypted.
|
||||
|
||||
|
||||
# Update stick using qemu-kvm
|
||||
|
||||
To run frequent updates, it might be a hassle to boot a dedicated machine to access these updates.
|
||||
This is why I use `qemu` to start the machine and update the machine via [colmena](https://colmena.cli.rs/unstable/reference/)
|
||||
which my prefered NixOS provisioning system. Of course your favorit provisioning tool will work as well.
|
||||
|
||||
```
|
||||
┌────┬─────────────────────────────────────┐
|
||||
│host│ │
|
||||
├────┘ │
|
||||
│ │ ┌───────────┐
|
||||
│ colmena /dev/sdb ◄─────┬────────────┼────┤ usb-stick │
|
||||
│ │ │ │ └───────────┘
|
||||
│ │ │ │
|
||||
│ │ ┌───────────────┴─┬────────┐ │
|
||||
│ │ │qemu-kvm /dev/sdb│ │ │
|
||||
│ │ ├─────────────────┘ │ │
|
||||
│ │ │ │ │
|
||||
│ └────────┤► sshd ───────┐ │ │
|
||||
│ │ ▼ │ │
|
||||
│ │ nixos-rebuild switch │ │
|
||||
│ │ │ │
|
||||
│ └──────────────────────────┘ │
|
||||
│ │
|
||||
└──────────────────────────────────────────┘
|
||||
```
|
||||
|
||||
To run `qemu-kvm` on you machine, you need these options in your host `configuration.nix`.
|
||||
|
||||
```
|
||||
virtualisation.libvirtd.enable = true;
|
||||
users.users.mainUser.extraGroups = [ "libvirtd" ];
|
||||
environment.systemPackages = [
|
||||
pkgs.qemu_kvm
|
||||
pkgs.virt-manager
|
||||
];
|
||||
```
|
||||
|
||||
To start the machine you simple have to run this command:
|
||||
|
||||
```shell
|
||||
sudo qemu-kvm \
|
||||
-m 4G \
|
||||
-drive file=/dev/sdb,format=raw,index=0,media=disk \
|
||||
-net user,hostfwd=tcp:127.0.0.1:2222-:22 \
|
||||
-net nic
|
||||
```
|
||||
|
||||
![screenshot1.png](../images/screenshot1.png)
|
||||
|
||||
Once you unlocked the root partition you should be able to access the guest system using
|
||||
|
||||
```
|
||||
ssh root@localhost -p2222
|
||||
```
|
||||
|
||||
{{% content-big %}}
|
||||
![screenshot2.png](../images/screenshot2.png)
|
||||
{{% /content-big %}}
|
||||
|
||||
So you should be able to update you usb stick with the comfort of you normal desktop setup.
|
||||
|
||||
|
||||
# further inspirations
|
||||
|
||||
* [Yubikey based Full Disk Encryption (NixOS Wiki)](https://nixos.wiki/wiki/Yubikey_based_Full_Disk_Encryption_(FDE)_on_NixOS)
|
||||
* [Using LUKS and Yubikey](https://github.com/sgillespie/nixos-yubikey-luks)
|
|
@ -108,7 +108,7 @@ You can have multiple computers which are reachable from the internet
|
|||
but for this example we only have one.
|
||||
|
||||
{{< card >}}
|
||||
{{<figure src="/nixos/tinc/3computers.svg" width=100% >}}
|
||||
{{<figure src="../images/3computers.svg" width=100% >}}
|
||||
{{< /card >}}
|
||||
|
||||
Here is the `configuration.nix`.
|
||||
|
@ -235,7 +235,7 @@ It can be resolved by using the `tincSubnet` parameter,
|
|||
to configure sub-network routing.
|
||||
|
||||
{{< card >}}
|
||||
{{<figure src="/nixos/tinc/2subnets.svg" width=100% >}}
|
||||
{{<figure src="../images/2subnets.svg" width=100% >}}
|
||||
{{< /card >}}
|
||||
|
||||
Achieving this is very simple,
|
||||
|
|
|
@ -0,0 +1,42 @@
|
|||
{
|
||||
"nodes": {
|
||||
"flake-utils": {
|
||||
"locked": {
|
||||
"lastModified": 1659877975,
|
||||
"narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1666171135,
|
||||
"narHash": "sha256-+0AIbPDd24ZVjZgFobJH3uuJuyLVZjiH0oQNb01hyWE=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "5720791e7fcdcc89834732e11848d73151356966",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"root": {
|
||||
"inputs": {
|
||||
"flake-utils": "flake-utils",
|
||||
"nixpkgs": "nixpkgs"
|
||||
}
|
||||
}
|
||||
},
|
||||
"root": "root",
|
||||
"version": 7
|
||||
}
|
|
@ -0,0 +1,48 @@
|
|||
{
|
||||
description = "my website";
|
||||
|
||||
inputs.nixpkgs.url = "github:nixos/nixpkgs";
|
||||
inputs.flake-utils.url = "github:numtide/flake-utils";
|
||||
|
||||
outputs = { self, nixpkgs, flake-utils }:
|
||||
(flake-utils.lib.eachDefaultSystem (system:
|
||||
let pkgs = nixpkgs.legacyPackages.${system};
|
||||
in {
|
||||
|
||||
# nix develop
|
||||
devShell = pkgs.mkShell {
|
||||
buildInputs = with pkgs; [ hugo lessc rake go-task feh ion inotify-tools ];
|
||||
};
|
||||
|
||||
# nix run
|
||||
apps.default = self.apps.${system}.server;
|
||||
|
||||
# nix run ".#server"
|
||||
apps.server = {
|
||||
type = "app";
|
||||
program = toString (pkgs.writers.writeBash "server" ''
|
||||
set -e
|
||||
set -o pipefail
|
||||
PATH=${
|
||||
pkgs.lib.makeBinPath [ pkgs.lessc pkgs.go-task pkgs.ion pkgs.hugo ]
|
||||
}
|
||||
task server
|
||||
'');
|
||||
};
|
||||
|
||||
# nix run ".#publish"
|
||||
apps.publish = {
|
||||
type = "app";
|
||||
program = toString (pkgs.writers.writeBash "publish" ''
|
||||
set -e
|
||||
set -o pipefail
|
||||
PATH=${
|
||||
pkgs.lib.makeBinPath [ pkgs.lessc pkgs.go-task pkgs.ion pkgs.hugo pkgs.rsync pkgs.openssh ]
|
||||
}
|
||||
task publish
|
||||
''
|
||||
);
|
||||
};
|
||||
|
||||
}));
|
||||
}
|
|
@ -1,21 +0,0 @@
|
|||
|
||||
nwdiag {
|
||||
|
||||
internet [shape = cloud];
|
||||
|
||||
internet -- Gibson [address = "my.awesome.dns.com"]
|
||||
|
||||
network private {
|
||||
address = "10.1.1.0/24";
|
||||
|
||||
Gibson [address = "10.1.1.1"];
|
||||
Hackbardt [address = "10.1.1.2"];
|
||||
HAL [address = "10.1.1.3"];
|
||||
}
|
||||
|
||||
network "private (subnet)" {
|
||||
Hackbardt [address = "10.2.2.0/24"];
|
||||
HAL [address = "10.2.3.0/24"];
|
||||
}
|
||||
|
||||
}
|
Before Width: | Height: | Size: 8.8 KiB |
|
@ -1,16 +0,0 @@
|
|||
|
||||
nwdiag {
|
||||
|
||||
internet [shape = cloud];
|
||||
|
||||
internet -- Gibson [address = "my.awesome.dns.com"]
|
||||
|
||||
network private {
|
||||
address = "10.1.1.0/24";
|
||||
|
||||
Gibson [address = "10.1.1.1"];
|
||||
Hackbardt [address = "10.1.1.2"];
|
||||
HAL [address = "10.1.1.3"];
|
||||
}
|
||||
|
||||
}
|
Before Width: | Height: | Size: 7.7 KiB |
|
@ -1,6 +1,7 @@
|
|||
@font-normal: ~"'Roboto', sans-serif";
|
||||
|
||||
@font-code: ~"'Inconsolata', monospace";
|
||||
//@font-code: ~"'Inconsolata', monospace";
|
||||
@font-code: ~"monospace"; // because diagrams look strange
|
||||
|
||||
@font-header: ~"'Roboto', sans-serif";
|
||||
//@font-header: ~"'Zilla Slab', serif";
|
||||
|
|
|
@ -110,3 +110,8 @@ a:hover {
|
|||
}
|
||||
|
||||
|
||||
// images
|
||||
|
||||
img {
|
||||
width: 100%;
|
||||
}
|
||||
|
|