diff --git a/README.md b/README.md index c6d74c1..ae4198d 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ [tech.ingolf-wagner.de](https://tech.ingolf-wagner.de) source code. ``` -rake run_server -rake publish +nix run # to run local server +nix run ".#publish" # to publish site ``` \ No newline at end of file diff --git a/content/nixos/images/2subnets.svg b/content/nixos/images/2subnets.svg index d06eaf8..6c17492 100644 --- a/content/nixos/images/2subnets.svg +++ b/content/nixos/images/2subnets.svg @@ -1,69 +1,350 @@ - - - - - - - - - blockdiag - + + + + + blockdiag + nwdiag { internet [shape = cloud]; - internet -- Gibson [address = "my.awesome.dns.com"] + internet -- Gibson [address = "my.awesome.dns.com"] network private { - address = "10.1.1.0/24"; + address = "10.1.1.0/24"; - Gibson [address = "10.1.1.1"]; - Hackbardt [address = "10.1.1.2"]; - HAL [address = "10.1.1.3"]; + Gibson [address = "10.1.1.1"]; + Hackbardt [address = "10.1.1.2"]; + HAL [address = "10.1.1.3"]; } - network "private (subnet)" { - Hackbardt [address = "10.2.2.0/24"]; - HAL [address = "10.2.3.0/24"]; + network "private (subnet)" { + Hackbardt [address = "10.2.2.0/24"]; + HAL [address = "10.2.3.0/24"]; } } - - - - - - - - - - - - - private - 10.1.1.0/24 - "private (subnet)" - - - - internet - - my.awesome.dns.com - - 10.1.1.1 - - Gibson - - 10.1.1.2 - - 10.2.2.0/24 - - Hackbardt - - 10.1.1.3 - - 10.2.3.0/24 - - HAL + + + + + + + private + 10.1.1.0/24 + "private (subnet)" + + + + internet + + my.awesome.dns.com + + 10.1.1.1 + + Gibson + + 10.1.1.2 + + 10.2.2.0/24 + + Hackbardt + + 10.1.1.3 + + 10.2.3.0/24 + + HAL + + + + blockdiag + + + diff --git a/content/nixos/images/3computers.svg b/content/nixos/images/3computers.svg index 528decd..f827fc0 100644 --- a/content/nixos/images/3computers.svg +++ b/content/nixos/images/3computers.svg 
@@ -1,55 +1,281 @@ - - - - - - - - - blockdiag - + + + + + blockdiag + nwdiag { internet [shape = cloud]; - internet -- Gibson [address = "my.awesome.dns.com"] + internet -- Gibson [address = "my.awesome.dns.com"] network private { - address = "10.1.1.0/24"; + address = "10.1.1.0/24"; - Gibson [address = "10.1.1.1"]; - Hackbardt [address = "10.1.1.2"]; - HAL [address = "10.1.1.3"]; + Gibson [address = "10.1.1.1"]; + Hackbardt [address = "10.1.1.2"]; + HAL [address = "10.1.1.3"]; } } - - - - - - - - - private - 10.1.1.0/24 - - - - internet - - my.awesome.dns.com - - 10.1.1.1 - - Gibson - - 10.1.1.2 - - Hackbardt - - 10.1.1.3 - - HAL + + + + private + 10.1.1.0/24 + + + + internet + + my.awesome.dns.com + + 10.1.1.1 + + Gibson + + 10.1.1.2 + + Hackbardt + + 10.1.1.3 + + HAL + + + + blockdiag + + + diff --git a/content/nixos/images/qemu-kvm-setup.svg b/content/nixos/images/qemu-kvm-setup.svg new file mode 100644 index 0000000..9f63d9c --- /dev/null +++ b/content/nixos/images/qemu-kvm-setup.svg @@ -0,0 +1,254 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + sshd + nixos-rebuild switch + + qemu-kvm /dev/sdb + host + colmena + /dev/sdb + usb-stick + + diff --git a/content/nixos/images/usb-stick-partitions.svg b/content/nixos/images/usb-stick-partitions.svg new file mode 100644 index 0000000..535498a --- /dev/null +++ b/content/nixos/images/usb-stick-partitions.svg @@ -0,0 +1,160 @@ + + + + + + + + + + USB stick + /dev/sda1 boot1 (MBR 1MB) + /dev/sda2 boot2 (EFI 511MB) + /dev/sda3 root (ext4 > 64GB) + (encrypted) + + + + + + + + + diff --git a/content/nixos/nixos-usb-stick.md b/content/nixos/nixos-usb-stick.md index a7168f9..e1c66f0 100644 --- a/content/nixos/nixos-usb-stick.md +++ b/content/nixos/nixos-usb-stick.md 
@@ -11,52 +11,39 @@ summary: > running NixOS. --- -How to Create and update an bootable Linux USB stick, which is encrypted +How to Create and update a bootable Linux USB stick, which is encrypted is quite easy and has some use cases. * As ultimate backup * As a holiday tool * For schools +# Requirements -# Requirments - -## USB Stick - -You need an USB stick with at least 64GB otherwise major updates might get problematic. +You need a USB stick with at least 64GB otherwise major updates might get problematic. The USB stick, which should hold the system, will be `/dev/sdb`. -You can plugin the usb stick and run `dmesg` to find out which device we are using +You can plug in the usb stick and run `dmesg` to find out which device we are using -# Step by Step Guide +# Step-by-Step Guide Here are the steps I use to create my encrypted USB sticks running NixOS. -## format and create gpt partition table +## Create partitions -``` -┌────────────────────────────────┐ -│USB-stick │ -│ ┌──────────────────────────────┤ -│ │ /dev/sda1 boot1 (MBR 1MB) │ -│ ├──────────────────────────────┤ -│ │ /dev/sda2 boot2 (EFI 511MB) │ -│ ├──────────────────────────────┤ -│ │ │ -│ │ /dev/sda3 root (ext4 > 64GB) │ -│ │ (encrypted) │ -└─┴──────────────────────────────┘ -``` +{{< card footer="usb stick partitions" >}} +{{
}} +{{< /card >}} -> We use 511 MB for the boot partition, but you might want to increas this partition, -> if you want to place bootable ISOs on that partiton you want to boot instead of your NixOS system. +> We use 511 MB for the boot partition, but you might want to increase this partition, +> if you want to place bootable ISOs on that partition you want to boot instead of your NixOS system. -> We create an EFI partition as well a 1MB MBR partiton to make the stick boot +> We create an EFI partition as well a 1MB MBR partition to make the stick boot > on all kinds of computers. -I always delete all partitions using `fdisk` before starting repartitioning. -Than I start with the partitioning. +First I delete all partitions using `fdisk` before starting repartitioning, +then I start with the partitioning. ```shell parted /dev/sdb -- mklabel gpt 
@@ -67,69 +54,64 @@ parted /dev/sdb -- set 2 boot on parted /dev/sdb -- mkpart primary 512MiB 100% ``` -It most likely is not necesary but to be sure, I unplug and plug the USB device again -to be sure the new partiton table will be used. +It most likely is not necessary but to be sure, I unplug and plug the USB device again +to be sure the new partition table will be used. -## create and encrypt partition +## Encrypt and format root partition ```shell cryptsetup luksFormat /dev/sdb3 cryptsetup luksOpen /dev/sdb3 root-enc +mkfs.ext4 -L root /dev/mapper/root-enc ``` This will be the password you have to type in every time you boot the USB Stick. -## create boot partitions +## Format boot partition ```shell mkfs.fat -F 32 -n boot /dev/sdb2 -mkfs.ext4 -L root /dev/mapper/root-enc ``` -## prepare installation +## Prepare installation -We have to mount the created partitons. +We have to mount the created partitions +to generate initial configuration files. ```shell mount /dev/mapper/root-enc /mnt mkdir /mnt/boot && mount /dev/sdb2 /mnt/boot ``` -And generate inital configuration files. - ```shell nixos-generate-config --root /mnt ``` -Now you can update `configuration.nix` -before installation. +Now you can update `configuration.nix` before installation. You can `hardware-configuration.nix` edit as too, -but usally that is not necessary. +but usually that is not necessary. 
> don't forget to set your ssh key in `users.users..openssh.authorizedKeys.keys` > und `users.users..openssh.authorizedKeys.keyFiles` I usually have also these configurations set -``` + +```nix environment.systemPackages = with pkgs; [ - vim - wget - htop - silver-searcher - iotop + vim wget htop silver-searcher iotop ]; +# use vi shortcuts environment.extraInit = '' - # use vi shortcuts - # ---------------- set -o vi EDITOR=vim ''; ``` -These options have to be added to make it bootable and to start it with qemu-kvm (See [Update stick using qemu-kvm](#update-stick-using-qemu-kvm)) +These options have to be added to make it bootable and to start it with qemu-kvm +(See [Update stick using qemu-kvm](#update-stick-using-qemu-kvm)) -``` +```nix boot.loader.grub.enable = true; boot.loader.grub.efiSupport = true; boot.loader.grub.device = "/dev/sdb"; # todo : change me once the system booted @@ -139,7 +121,7 @@ boot.tmpOnTmpfs = true; You most likely have to disable these parameters -``` +```nix boot.loader.systemd-boot.enable = false; boot.loader.efi.canTouchEfiVariables = false; ``` 
@@ -168,32 +150,15 @@ root partition is encrypted. To run frequent updates, it might be a hassle to boot a dedicated machine to access these updates. This is why I use `qemu` to start the machine and update the machine via [colmena](https://colmena.cli.rs/unstable/reference/) -which my prefered NixOS provisioning system. Of course your favorit provisioning tool will work as well. +which my preferred NixOS provisioning system. Of course your favorite provisioning tool will work as well. -``` -┌────┬─────────────────────────────────────┐ -│host│ │ -├────┘ │ -│ │ ┌───────────┐ -│ colmena /dev/sdb ◄─────┬────────────┼────┤ usb-stick │ -│ │ │ │ └───────────┘ -│ │ │ │ -│ │ ┌───────────────┴─┬────────┐ │ -│ │ │qemu-kvm /dev/sdb│ │ │ -│ │ ├─────────────────┘ │ │ -│ │ │ │ │ -│ └────────┤► sshd ───────┐ │ │ -│ │ ▼ │ │ -│ │ nixos-rebuild switch │ │ -│ │ │ │ -│ └──────────────────────────┘ │ -│ │ -└──────────────────────────────────────────┘ -``` +{{< card footer="partitions on the usb-stick">}} +{{
}} +{{< /card >}} To run `qemu-kvm` on you machine, you need these options in your host `configuration.nix`. -``` +```nix virtualisation.libvirtd.enable = true; users.users.mainUser.extraGroups = [ "libvirtd" ]; environment.systemPackages = [ @@ -202,8 +167,9 @@ environment.systemPackages = [ ]; ``` -To start the machine you simple have to run this command: +To start the machine you simply have to run this command: +{{% code footer="start vm from /dev/sdb with port forwarding 2222 -> 22" %}} ```shell sudo qemu-kvm \ -m 4G \ @@ -211,6 +177,7 @@ sudo qemu-kvm \ -net user,hostfwd=tcp:127.0.0.1:2222-:22 \ -net nic ``` +{{% /code %}} ![screenshot1.png](../images/screenshot1.png) @@ -226,7 +193,6 @@ ssh root@localhost -p2222 So you should be able to update you usb stick with the comfort of you normal desktop setup. - # further inspirations * [Yubikey based Full Disk Encryption (NixOS Wiki)](https://nixos.wiki/wiki/Yubikey_based_Full_Disk_Encryption_(FDE)_on_NixOS) diff --git a/layouts/shortcodes/card.html b/layouts/shortcodes/card.html index e7f876d..4d49819 100644 --- a/layouts/shortcodes/card.html +++ b/layouts/shortcodes/card.html @@ -4,4 +4,5 @@ {{ with .Get "text" }}

{{ . }}

{{ end }} {{ .Inner }} +{{ with .Get "footer" }}

{{ end }} \ No newline at end of file diff --git a/layouts/shortcodes/code.html b/layouts/shortcodes/code.html new file mode 100644 index 0000000..7de6440 --- /dev/null +++ b/layouts/shortcodes/code.html @@ -0,0 +1,5 @@ +
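Review bot: The card shortcode now takes a second optional parameter, `footer`, but nothing documents it, and the file still ends without a trailing newline (`\ No newline at end of file`); a reader of `content/nixos/nixos-usb-stick.md` has to open this template to learn which attributes exist. A Go template comment at the top of the file, outside this hunk, would fix that: `{{/* card: optional text= (lead-in above .Inner) and footer= (caption below .Inner); used with the angle-bracket shortcode form around a figure. */}}`. Note that `{{ . }}` on a `.Get` string goes through html/template's contextual escaping, so a caption containing `<` or `&` is escaped rather than rendered as markup, which is the right default for captions but worth stating in that comment. The element the new `{{ . }}` renders into was stripped from this page, so I could not check the wrapping markup.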
+{{ with .Get "header" }}
{{ . }}
{{ end }} +{{.Inner}} +{{ with .Get "footer" }}{{ end }} +
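Review bot: The new `code` shortcode has no comment naming its parameters or the invocation form it depends on, and `{{.Inner}}` on its fourth line drops the inner spaces that every other action in this file and in card.html uses (`{{ .Inner }}`). The markdown in this commit invokes it as `{{% code footer="…" %}}` around a fenced block, which presumably relies on the percent form so the inner fence is still rendered as markdown rather than emitted verbatim; a Go template comment at the top saying "code: wraps one fenced code block; optional header= and footer= captions; invoke with the percent shortcode form so .Inner is rendered as markdown" would make that constraint explicit. The block elements around the header and footer captions were stripped from this page, so they could not be reviewed.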
diff --git a/src/lessc/page/color.less b/src/lessc/page/color.less index 3480658..6ee8a47 100644 --- a/src/lessc/page/color.less +++ b/src/lessc/page/color.less @@ -4,9 +4,12 @@ @color-body-background: @gb-lm-bg0-hard; @color-body-background-highlight: @gb-lm-bg0-soft; @color-body-font: @gb-lm-fg0; + @color-header-font-symbol: @gb-lm-light-gray; @color-code-border: @gb-lm-light-yellow; @color-code-inline: @gb-lm-light-gray; +@color-code-footer: @gb-lm-fg4; +@color-code-header: @gb-lm-fg4; @color-note-background: @color-body-background; @color-note-border: @gb-lm-light-green; diff --git a/src/lessc/page/font.less b/src/lessc/page/font.less index 3a09eae..79cfe6a 100644 --- a/src/lessc/page/font.less +++ b/src/lessc/page/font.less @@ -1,7 +1,7 @@ @font-normal: ~"'Roboto', sans-serif"; -//@font-code: ~"'Inconsolata', monospace"; -@font-code: ~"monospace"; // because diagrams look strange +@font-code: ~"'Inconsolata', monospace"; +//@font-code: ~"monospace"; // because diagrams look strange @font-header: ~"'Roboto', sans-serif"; //@font-header: ~"'Zilla Slab', serif"; diff --git a/src/lessc/page/main-hack-card.less b/src/lessc/page/main-hack-card.less index dd3e538..d7fc98b 100644 --- a/src/lessc/page/main-hack-card.less +++ b/src/lessc/page/main-hack-card.less @@ -57,6 +57,21 @@ blockquote{ border-top: 2px solid @color-card-border; border-left: 2px solid @color-card-border; border-right: 2px solid @color-card-border; + + } + + .card-footer{ + text-align: right; + color: @color-code-footer; + + padding-top: .3em ; + padding-bottom: .3em; + padding-left: .5em; + padding-right: .5em; + + border-bottom: 2px solid @color-card-border; + border-left: 2px solid @color-card-border; + border-right: 2px solid @color-card-border; } .card-body{ diff --git a/src/lessc/page/main-hack-code.less b/src/lessc/page/main-hack-code.less index 821d5ca..9fd7c72 100644 --- a/src/lessc/page/main-hack-code.less +++ b/src/lessc/page/main-hack-code.less 
@@ -40,3 +40,34 @@ li > code { .inline-code(); } + + .code-block { + margin-bottom: @standard-margin; + margin-top: @standard-margin; + .code-header{ + text-align: left; + color: @color-code-header; + border-top: 1px solid @color-code-border; + border-left: 1px solid @color-code-border; + border-right: 1px solid @color-code-border; + padding-left: .5em; + padding-top: .3em ; + padding-right: .5em; + padding-bottom: 0.3em; + } + pre { + margin-bottom: 0; + margin-top: 0; + } + .code-footer { + text-align: right; + color: @color-code-footer; + border-bottom: 1px solid @color-code-border; + border-left: 1px solid @color-code-border; + border-right: 1px solid @color-code-border; + padding-left: .5em; + padding-top: .3em ; + padding-right: .5em; + padding-bottom: 0.3em; + } + } \ No newline at end of file diff --git a/src/lessc/page/main-hack.less b/src/lessc/page/main-hack.less index ef7e28d..a370cf9 100644 --- a/src/lessc/page/main-hack.less +++ b/src/lessc/page/main-hack.less @@ -30,7 +30,7 @@ h1, h2, h3, h4, h5, h6 { h1:before, h2:before, h3:before, h4:before, h5:before, h6:before { display: inline; - color: @gb-lm-fg4; + color: @color-header-font-symbol; } h1:before {
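Review bot: `.code-header` and `.code-footer` in the new `.code-block` rule duplicate the same four padding declarations (again with `padding-top: .3em ;`) and the same left/right 1px borders, differing only in text-align, colour and which edge gets the closing border; the file also still ends without a trailing newline. Hoisting the common part into a mixin, as this file already does with `.inline-code()`, keeps the two captions in step and halves the rule. A sketch of the rewritten block follows; the `pre` margin reset is unchanged.
```less
.code-caption() {
  padding: .3em .5em;
  border-left: 1px solid @color-code-border;
  border-right: 1px solid @color-code-border;
}

.code-block {
  margin-bottom: @standard-margin;
  margin-top: @standard-margin;
  .code-header {
    .code-caption();
    text-align: left;
    color: @color-code-header;
    border-top: 1px solid @color-code-border;
  }
  // … unchanged: pre margin reset …
  .code-footer {
    .code-caption();
    text-align: right;
    color: @color-code-footer;
    border-bottom: 1px solid @color-code-border;
  }
}
```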