diff --git a/.hugo_build.lock b/.hugo_build.lock
new file mode 100644
index 0000000..e69de29
diff --git a/Taskfile.yml b/Taskfile.yml
new file mode 100644
index 0000000..a036a9a
--- /dev/null
+++ b/Taskfile.yml
@@ -0,0 +1,36 @@
+version: '3'
+
+vars:
+ SERVER: robi.private
+ SERVER_PATH: /srv/www/tech
+
+tasks:
+ server:
+ deps: [assets]
+ cmds: ["hugo serve"]
+
+ build:
+ deps: [assets]
+ cmds: ["hugo"]
+
+ assets:
+ deps: [css]
+
+ css:
+ cmds:
+ - lessc src/lessc/page/main.less static/css/main.css
+
+ publish:
+ deps: [assets, build]
+ cmds:
+ - |
+ rsync \
+ --recursive \
+ --compress \
+ --checksum \
+ --verbose \
+ --human-readable \
+ --partial --progress \
+ --protect-args \
+ --delete-after \
+ public/ {{.SERVER}}:{{.SERVER_PATH}}/
diff --git a/src/images/2subnets.svg b/content/nixos/images/2subnets.svg
similarity index 100%
rename from src/images/2subnets.svg
rename to content/nixos/images/2subnets.svg
diff --git a/src/images/3computers.svg b/content/nixos/images/3computers.svg
similarity index 100%
rename from src/images/3computers.svg
rename to content/nixos/images/3computers.svg
diff --git a/content/nixos/images/screenshot1.png b/content/nixos/images/screenshot1.png
new file mode 100644
index 0000000..139efbb
Binary files /dev/null and b/content/nixos/images/screenshot1.png differ
diff --git a/content/nixos/images/screenshot2.png b/content/nixos/images/screenshot2.png
new file mode 100644
index 0000000..a36e105
Binary files /dev/null and b/content/nixos/images/screenshot2.png differ
diff --git a/content/nixos/nixos-usb-stick.md b/content/nixos/nixos-usb-stick.md
new file mode 100644
index 0000000..a7168f9
--- /dev/null
+++ b/content/nixos/nixos-usb-stick.md
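Review bot: `publish` declares `deps: [assets, build]` although `build` already depends on `assets`; Taskfile v3 runs deps concurrently and by default re-runs a task each time it is reached (unless `run: once` is set), so `css` may still be writing `static/css/main.css` while `hugo` reads it, and whatever ends up in `public/` is then mirrored to the server by the `--delete-after` sync. `deps: [build]` is sufficient and serialises the chain css → build → rsync. Giving `css` `sources:`/`generates:` entries would additionally let it skip when the stylesheet is already current. Because the sync deletes remote files, a `preconditions:` entry on `publish` such as `- sh: test -n "{{.SERVER_PATH}}"` is cheap insurance against an empty variable turning the target into the host's root directory.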
@@ -0,0 +1,233 @@
+---
+title: "nixos on encrypted USB stick"
+date: 2022-10-19T10:00:00+02:00
+tags:
+- NixOS
+- Bootable
+- USB
+summary: >
+ In this article I will describe how to
+ create an encrypted bootable USB stick
+ running NixOS.
+---
+
+How to Create and update an bootable Linux USB stick, which is encrypted
+is quite easy and has some use cases.
+
+* As ultimate backup
+* As a holiday tool
+* For schools
+
+
+# Requirments
+
+## USB Stick
+
+You need an USB stick with at least 64GB otherwise major updates might get problematic.
+
+The USB stick, which should hold the system, will be `/dev/sdb`.
+You can plugin the usb stick and run `dmesg` to find out which device we are using
+
+
+# Step by Step Guide
+
+Here are the steps I use to create my encrypted USB sticks running NixOS.
+
+## format and create gpt partition table
+
+```
+┌────────────────────────────────┐
+│USB-stick │
+│ ┌──────────────────────────────┤
+│ │ /dev/sda1 boot1 (MBR 1MB) │
+│ ├──────────────────────────────┤
+│ │ /dev/sda2 boot2 (EFI 511MB) │
+│ ├──────────────────────────────┤
+│ │ │
+│ │ /dev/sda3 root (ext4 > 64GB) │
+│ │ (encrypted) │
+└─┴──────────────────────────────┘
+```
+
+> We use 511 MB for the boot partition, but you might want to increas this partition,
+> if you want to place bootable ISOs on that partiton you want to boot instead of your NixOS system.
+
+> We create an EFI partition as well a 1MB MBR partiton to make the stick boot
+> on all kinds of computers.
+
+I always delete all partitions using `fdisk` before starting repartitioning.
+Than I start with the partitioning.
+
+```shell
+parted /dev/sdb -- mklabel gpt
+parted /dev/sdb -- mkpart no-fs 1MB 2MB
+parted /dev/sdb -- set 1 bios_grub on
+parted /dev/sdb -- mkpart ESP fat32 2MiB 512MiB
+parted /dev/sdb -- set 2 boot on
+parted /dev/sdb -- mkpart primary 512MiB 100%
+```
+
+It most likely is not necesary but to be sure, I unplug and plug the USB device again
+to be sure the new partiton table will be used.
+
+## create and encrypt partition
+
+```shell
+cryptsetup luksFormat /dev/sdb3
+cryptsetup luksOpen /dev/sdb3 root-enc
+```
+
+This will be the password you have to type in every time you boot the USB Stick.
+
+## create boot partitions
+
+```shell
+mkfs.fat -F 32 -n boot /dev/sdb2
+mkfs.ext4 -L root /dev/mapper/root-enc
+```
+
+## prepare installation
+
+We have to mount the created partitons.
+
+```shell
+mount /dev/mapper/root-enc /mnt
+mkdir /mnt/boot && mount /dev/sdb2 /mnt/boot
+```
+
+And generate inital configuration files.
+
+```shell
+nixos-generate-config --root /mnt
+```
+
+Now you can update `configuration.nix`
+before installation.
+You can `hardware-configuration.nix` edit as too,
+but usally that is not necessary.
+
+> don't forget to set your ssh key in `users.users..openssh.authorizedKeys.keys`
+> und `users.users..openssh.authorizedKeys.keyFiles`
+
+I usually have also these configurations set
+```
+environment.systemPackages = with pkgs; [
+ vim
+ wget
+ htop
+ silver-searcher
+ iotop
+];
+
+environment.extraInit = ''
+ # use vi shortcuts
+ # ----------------
+ set -o vi
+ EDITOR=vim
+'';
+```
+
+These options have to be added to make it bootable and to start it with qemu-kvm (See [Update stick using qemu-kvm](#update-stick-using-qemu-kvm))
+
+```
+boot.loader.grub.enable = true;
+boot.loader.grub.efiSupport = true;
+boot.loader.grub.device = "/dev/sdb"; # todo : change me once the system booted
+boot.loader.grub.efiInstallAsRemovable = true;
+boot.tmpOnTmpfs = true;
+```
+
+You most likely have to disable these parameters
+
+```
+boot.loader.systemd-boot.enable = false;
+boot.loader.efi.canTouchEfiVariables = false;
+```
+
+## Install system
+
+```shell
+nixos-install --root /mnt
+```
+
+## Unmount everything
+
+You most likely don't want to restart your host machine, so you have to unmount everything manually
+
+```
+umount /mnt/boot
+umount /mnt
+cryptsetup luksClose /dev/mapper/root-enc
+```
+
+You are able to plug the USB stick in a computer now and boot from it and you
+root partition is encrypted.
+
+
+# Update stick using qemu-kvm
+
+To run frequent updates, it might be a hassle to boot a dedicated machine to access these updates.
+This is why I use `qemu` to start the machine and update the machine via [colmena](https://colmena.cli.rs/unstable/reference/)
+which my prefered NixOS provisioning system. Of course your favorit provisioning tool will work as well.
+
+```
+┌────┬─────────────────────────────────────┐
+│host│ │
+├────┘ │
+│ │ ┌───────────┐
+│ colmena /dev/sdb ◄─────┬────────────┼────┤ usb-stick │
+│ │ │ │ └───────────┘
+│ │ │ │
+│ │ ┌───────────────┴─┬────────┐ │
+│ │ │qemu-kvm /dev/sdb│ │ │
+│ │ ├─────────────────┘ │ │
+│ │ │ │ │
+│ └────────┤► sshd ───────┐ │ │
+│ │ ▼ │ │
+│ │ nixos-rebuild switch │ │
+│ │ │ │
+│ └──────────────────────────┘ │
+│ │
+└──────────────────────────────────────────┘
+```
+
+To run `qemu-kvm` on you machine, you need these options in your host `configuration.nix`.
+
+```
+virtualisation.libvirtd.enable = true;
+users.users.mainUser.extraGroups = [ "libvirtd" ];
+environment.systemPackages = [
+ pkgs.qemu_kvm
+ pkgs.virt-manager
+];
+```
+
+To start the machine you simple have to run this command:
+
+```shell
+sudo qemu-kvm \
+ -m 4G \
+ -drive file=/dev/sdb,format=raw,index=0,media=disk \
+ -net user,hostfwd=tcp:127.0.0.1:2222-:22 \
+ -net nic
+```
+
+![screenshot1.png](../images/screenshot1.png)
+
+Once you unlocked the root partition you should be able to access the guest system using
+
+```
+ssh root@localhost -p2222
+```
+
+{{% content-big %}}
+![screenshot2.png](../images/screenshot2.png)
+{{% /content-big %}}
+
+So you should be able to update you usb stick with the comfort of you normal desktop setup.
+
+
+# further inspirations
+
+* [Yubikey based Full Disk Encryption (NixOS Wiki)](https://nixos.wiki/wiki/Yubikey_based_Full_Disk_Encryption_(FDE)_on_NixOS)
+* [Using LUKS and Yubikey](https://github.com/sgillespie/nixos-yubikey-luks)
diff --git a/content/nixos/tinc.md b/content/nixos/tinc.md
index 3f2a9a4..59c3899 100644
--- a/content/nixos/tinc.md
+++ b/content/nixos/tinc.md
@@ -108,7 +108,7 @@ You can have multiple computers which are reachable from the internet but for this example we only have one. {{< card >}} -{{
}} +{{
}} {{< /card >}} Here is the `configuration.nix`. @@ -235,7 +235,7 @@ It can be resolved by using the `tincSubnet` parameter, to configure sub-network routing. {{< card >}} -{{
}} +{{
}} {{< /card >}} Achieving this is very simple,
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..6aa949d
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,42 @@
+{
+ "nodes": {
+ "flake-utils": {
+ "locked": {
+ "lastModified": 1659877975,
+ "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ },
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1666171135,
+ "narHash": "sha256-+0AIbPDd24ZVjZgFobJH3uuJuyLVZjiH0oQNb01hyWE=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "5720791e7fcdcc89834732e11848d73151356966",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "flake-utils": "flake-utils",
+ "nixpkgs": "nixpkgs"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..e716692
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,48 @@
+{
+ description = "my website";
+
+ inputs.nixpkgs.url = "github:nixos/nixpkgs";
+ inputs.flake-utils.url = "github:numtide/flake-utils";
+
+ outputs = { self, nixpkgs, flake-utils }:
+ (flake-utils.lib.eachDefaultSystem (system:
+ let pkgs = nixpkgs.legacyPackages.${system};
+ in {
+
+ # nix develop
+ devShell = pkgs.mkShell {
+ buildInputs = with pkgs; [ hugo lessc rake go-task feh ion inotify-tools ];
+ };
+
+ # nix run
+ apps.default = self.apps.${system}.server;
+
+ # nix run ".#server"
+ apps.server = {
+ type = "app";
+ program = toString (pkgs.writers.writeBash "server" ''
+ set -e
+ set -o pipefail
+ PATH=${
+ pkgs.lib.makeBinPath [ pkgs.lessc pkgs.go-task pkgs.ion pkgs.hugo ]
+ }
+ task server
+ '');
+ };
+
+ # nix run ".#publish"
+ apps.publish = {
+ type = "app";
+ program = toString (pkgs.writers.writeBash "publish" ''
+ set -e
+ set -o pipefail
+ PATH=${
+ pkgs.lib.makeBinPath [ pkgs.lessc pkgs.go-task pkgs.ion pkgs.hugo pkgs.rsync pkgs.openssh ]
+ }
+ task publish
+ ''
+ );
+ };
+
+ }));
+}
diff --git a/src/images/2subnets.nwdiag b/src/images/2subnets.nwdiag
deleted file mode 100644
index 9795c85..0000000
--- a/src/images/2subnets.nwdiag
+++ /dev/null
@@ -1,21 +0,0 @@
-
-nwdiag {
-
- internet [shape = cloud];
-
- internet -- Gibson [address = "my.awesome.dns.com"]
-
- network private {
- address = "10.1.1.0/24";
-
- Gibson [address = "10.1.1.1"];
- Hackbardt [address = "10.1.1.2"];
- HAL [address = "10.1.1.3"];
- }
-
- network "private (subnet)" {
- Hackbardt [address = "10.2.2.0/24"];
- HAL [address = "10.2.3.0/24"];
- }
-
-}
diff --git a/src/images/2subnets.png b/src/images/2subnets.png
deleted file mode 100644
index 6e77130..0000000
Binary files a/src/images/2subnets.png and /dev/null differ
diff --git a/src/images/3computers.nwdiag b/src/images/3computers.nwdiag
deleted file mode 100644
index 257dd23..0000000
--- a/src/images/3computers.nwdiag
+++ /dev/null
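Review bot: `apps.server` and `apps.publish` carry the same wrapper verbatim (`set -e`, `set -o pipefail`, a replaced `PATH`, `task <name>`); a small helper in the `let` removes the duplication and leaves the per-app tool list as the only thing that differs. `PATH=${…}` replaces the inherited PATH rather than extending it, so under `nix run` only the listed tools are reachable from the Taskfile — a good, reproducible choice, but it silently differs from the devShell (which also provides `rake`, `feh` and `inotify-tools`) and deserves a comment such as `# PATH is replaced, not extended: only the listed tools are reachable from Taskfile tasks`. The bare assignment reaches `task` only because PATH is presumably already exported in the calling environment; `export PATH=…` states that intent explicitly.
```nix
let
  pkgs = nixpkgs.legacyPackages.${system};
  # Tools every Taskfile target needs; publish adds the transfer tools on top.
  taskTools = with pkgs; [ lessc go-task ion hugo ];
  # Wrap `task <name>` in a bash script whose PATH is replaced (not extended)
  # by exactly the given tools, so `nix run` never depends on the caller's PATH.
  mkTaskApp = name: tools: {
    type = "app";
    program = toString (pkgs.writers.writeBash name ''
      set -e
      set -o pipefail
      export PATH=${pkgs.lib.makeBinPath tools}
      task ${name}
    '');
  };
in {
  # … unchanged: devShell …
  apps.default = self.apps.${system}.server;
  apps.server = mkTaskApp "server" taskTools;
  apps.publish = mkTaskApp "publish" (taskTools ++ [ pkgs.rsync pkgs.openssh ]);
  # … unchanged: closing of eachDefaultSystem and the flake …
```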
@@ -1,16 +0,0 @@
-
-nwdiag {
-
- internet [shape = cloud];
-
- internet -- Gibson [address = "my.awesome.dns.com"]
-
- network private {
- address = "10.1.1.0/24";
-
- Gibson [address = "10.1.1.1"];
- Hackbardt [address = "10.1.1.2"];
- HAL [address = "10.1.1.3"];
- }
-
-}
diff --git a/src/images/3computers.png b/src/images/3computers.png
deleted file mode 100644
index 4becf99..0000000
Binary files a/src/images/3computers.png and /dev/null differ
diff --git a/src/lessc/page/font.less b/src/lessc/page/font.less
index b944be3..3a09eae 100644
--- a/src/lessc/page/font.less
+++ b/src/lessc/page/font.less
@@ -1,6 +1,7 @@
 @font-normal: ~"'Roboto', sans-serif";
-@font-code: ~"'Inconsolata', monospace";
+//@font-code: ~"'Inconsolata', monospace";
+@font-code: ~"monospace"; // because diagrams look strange
 @font-header: ~"'Roboto', sans-serif";
 //@font-header: ~"'Zilla Slab', serif";
diff --git a/src/lessc/page/main-hack.less b/src/lessc/page/main-hack.less
index 4bcd54f..ef7e28d 100644
--- a/src/lessc/page/main-hack.less
+++ b/src/lessc/page/main-hack.less
@@ -110,3 +110,8 @@ a:hover { }
+// images
+
+img {
+ width: 100%;
+}
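Review bot: `img { width: 100%; }` in main-hack.less stretches every image, including small inline ones, to the full width of its container and upscales them; `max-width: 100%; height: auto;` is the usual responsive rule — large screenshots such as the ones added in this commit still shrink to fit, while small images keep their natural size and aspect ratio. A comment like `// images never overflow their container; small ones keep their natural size` would record the intent, since the bare rule reads as deliberate full-width styling.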