~yoctocell/yoctocell.xyz

10a379eef2eba3370bcd35bab05a15d483f90d11 — Xinglu Chen 7 months ago a1956e1
posts: Use fill-mode
M src/posts/nixos-on-btrfs-with-encrypted-root.org => src/posts/nixos-on-btrfs-with-encrypted-root.org +44 -19
@@ 2,14 2,19 @@
#+DATE: 2020-12-01
#+AUTHOR: yoctocell

In this guide I will install NixOS on btrfs with an encrypted root partition.
In this guide I will install NixOS on btrfs with an encrypted root
partition.

*Note*: This guide is mostly just some notes for myself, proceed at your own risk!
*Note*: This guide is mostly just some notes for myself, proceed at your
own risk!

** Prerequisites
You are expected to have a basic knowledge of both [[https://nixos.org][NixOS]] and the [[https://btrfs.wiki.kernel.org/index.php/Main_Page][btrfs]] filesystem, and you will need an installation media if you are doing this on bare metal.
You are expected to have a basic knowledge of both [[https://nixos.org][NixOS]] and the [[https://btrfs.wiki.kernel.org/index.php/Main_Page][btrfs]]
filesystem, and you will need an installation media if you are doing
this on bare metal.

First, download the NixOS iso and flash it to your usb, where =sdX= is the name of the usb drive.
First, download the NixOS iso and flash it to your usb, where =sdX= is
the name of the usb drive.

#+begin_src sh
sudo dd if=/path/to/iso of=/dev/sdX bs=4M status=progress


@@ 23,7 28,8 @@ wpa_supplicant -B -i interface -c <(wpa_passphrase '<SSID>' '<password>')
#+end_src

** Partitioning
The next step is to partition your drives, I will create three partitions.
The next step is to partition your drives, I will create three
partitions.

| Name      | Type                      | Size   |
|-----------+---------------------------+--------|


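Review bot: The comma splice "partition your drives, I will create three partitions." survives the reflow on the new lines; since the sentence is being re-emitted anyway, split it ("partition your drives. I will create three partitions:") so the sentence reads as an introduction to the table that follows.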
@@ 31,16 37,20 @@ The next step is to partition your drives, I will create three partitions.
| =/dev/sdX2= | Swap partition            | 8 GB   |
| =/dev/sdX3= | Root partition with btrfs | <rest> |

Use your favourite partition program, I will use =cfdisk=. Run =lsblk= to make sure everything you didn't mess things up.
Use your favourite partition program, I will use =cfdisk=. Run =lsblk= to
make sure everything you didn't mess things up.

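Review bot: The reflowed sentence "Run =lsblk= to make sure everything you didn't mess things up." is ungrammatical in both the old and new versions; suggest "Run =lsblk= to make sure you didn't mess anything up." while this paragraph is being touched.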
** Encryption
We will encrypt the root partition (=/dev/sdX3=) using [[https://gitlab.com/cryptsetup/cryptsetup/-/wikis/DMCrypt][dm-crypt]]. First, format the partition and enter a passphrase which will be used for decrypting the partition.
We will encrypt the root partition (=/dev/sdX3=) using [[https://gitlab.com/cryptsetup/cryptsetup/-/wikis/DMCrypt][dm-crypt]]. First,
format the partition and enter a passphrase which will be used for
decrypting the partition.

#+begin_src sh
cryptsetup luksFormat /dev/sdX3
#+end_src

Decrypt the partition and give it a name, I will call it =crypted-nixos=.
Decrypt the partition and give it a name, I will call it
=crypted-nixos=.

#+begin_src sh
cryptsetup open /dev/sdX3 crypted-nixos


@@ 57,14 67,17 @@ mkfs.btrfs -L nixos /dev/mapper/crypted-nixos # Root
#+end_src

** Mounting & Subvolumes
We now have one btrfs volume and we will have to create some subvolumes.
We now have one btrfs volume and we will have to create some
subvolumes.

| Name  | Mount point | Purpose                           |
|-------+-------------+-----------------------------------|
| @     | =/=           | Root filesystem                   |
| @home | =/home=       | Home directory, will be backed up |

The home directory will backed up, everything else is either managed by nix or just temporary files. We will first mount our encrypted root partition and then create the subvolumes.
The home directory will backed up, everything else is either managed
by nix or just temporary files. We will first mount our encrypted root
partition and then create the subvolumes.

#+begin_src sh
mount -t btfs /dev/mapper/crypted-nixos /mnt # Remember the device name?


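Review bot: Two defects are carried through this hunk unchanged: the new lines still read "The home directory will backed up" (missing "be"), and the context line =mount -t btfs /dev/mapper/crypted-nixos /mnt= has the filesystem type misspelled (should be =btrfs=), which would make the command fail for a reader copying it. Worth fixing both here since the surrounding text is being rewritten.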
@@ 75,7 88,8 @@ btrfs subvolume create /mnt/@home
umount /mnt
#+end_src

Once the subvolumes have been created, we will mount them with our desired options.
Once the subvolumes have been created, we will mount them with our
desired options.

#+begin_src sh
mount -o subvol=@,compress=lzo,noatime /dev/mapper/crypted-nixos /mnt


@@ 91,16 105,19 @@ mkdir /mnt/boot
mount /dev/sdX1 /mnt/boot
#+end_src

We can run =btrfs subvol list /mnt/= to list our subvolumes and make sure everything is correct.
We can run =btrfs subvol list /mnt/= to list our subvolumes and make
sure everything is correct.

** Configuration
Now we can install NixOS on the filesystem. First, generate a base config.
Now we can install NixOS on the filesystem. First, generate a base
config.

#+begin_src sh
nixos-generate-config --root /mnt
#+end_src

Since we have encryption, we need to make sure that we have the following in our =hardware-configuration.nix= or =configuration.nix=.
Since we have encryption, we need to make sure that we have the
following in our =hardware-configuration.nix= or =configuration.nix=.

#+begin_src nix
{ config, lib, pkgs, ... }:


@@ 116,7 133,9 @@ Since we have encryption, we need to make sure that we have the following in our
}
#+end_src

Replace =crypted-nixos= with the name of your device, and replace =<uuid>= with the uuid of =/dev/sdX3=. The rest of the config is left for you to configure yourself.
Replace =crypted-nixos= with the name of your device, and replace =<uuid>=
with the uuid of =/dev/sdX3=. The rest of the config is left for you to
configure yourself.

Go back to the shell and install the system.



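Review bot: "Replace =crypted-nixos= with the name of your device" is misleading on the reflowed lines: =crypted-nixos= is the mapper name chosen at =cryptsetup open= earlier in the post, not the block device. Suggest "with the name you gave the mapping when you opened the partition", so the reader does not substitute =/dev/sdX3= here by mistake.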
@@ 125,12 144,17 @@ nixos-install
poweroff
#+end_src

If it all goes well, we should be able enter our dm-crypt passphrase and login as a user.
If it all goes well, we should be able enter our dm-crypt passphrase
and login as a user.

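Review bot: The new lines keep "we should be able enter our dm-crypt passphrase" with the "to" missing; suggest "be able to enter".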
** Post-installation
When your system works you probably want to make snapshots on a regular basis in case something goes wrong. I like to take snapshots every time my system starts up and shuts down, so that's what we will configure in this guide.
When your system works you probably want to make snapshots on a
regular basis in case something goes wrong. I like to take snapshots
every time my system starts up and shuts down, so that's what we will
configure in this guide.

We first want to create a script which will take snapshot for us. The following script is based on a script from the [[https://wiki.gentoo.org/wiki/Btrfs#Snapshots][Gentoo wiki]].
We first want to create a script which will take snapshot for us. The
following script is based on a script from the [[https://wiki.gentoo.org/wiki/Btrfs#Snapshots][Gentoo wiki]].

#+begin_src nix
{ config, lib, pkgs, ... }:


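Review bot: "a script which will take snapshot for us" should be "take snapshots for us" on the reflowed line, matching the plural used in the sentence before it.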
@@ 154,7 178,8 @@ in
}
#+end_src

Now we want to create a systemd service that runs this script on startup and shutdown.
Now we want to create a systemd service that runs this script on
startup and shutdown.

#+begin_src nix
{ config, lib, pkgs, ... }:

M src/posts/securing-nixos-with-yubikey.org => src/posts/securing-nixos-with-yubikey.org +27 -10
@@ 2,12 2,16 @@
#+AUTHOR: yoctocell
#+DATE: 2020-12-14

In this blog post I will go over some things I have configured with NixOS and a yubikey to improve the security of my system. I will not go into detail on how to setup a GPG keypair, there are already plenty of great tutorials. [fn:1]
In this blog post I will go over some things I have configured with
NixOS and a yubikey to improve the security of my system. I will not
go into detail on how to setup a GPG keypair, there are already plenty
of great tutorials. [fn:1]

[fn:1] See [[https://wiki.debian.org/Subkeys][here]], [[https://blog.tinned-software.net/create-gnupg-key-with-sub-keys-to-sign-encrypt-authenticate/][here]] and [[https://sanctum.geek.nz/arabesque/series/gnu-linux-crypto/][here]].

** GnuPG
To use GPG with a yubikey, we first need to install some packages, put the following in your =configuration.nix=
To use GPG with a yubikey, we first need to install some packages, put
the following in your =configuration.nix=

#+begin_src nix
{


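Review bot: Minor wording on the reflowed lines: "how to setup a GPG keypair" should be "set up", and "install some packages, put the following in your =configuration.nix=" is a comma splice that should be split or joined with a colon before the code block.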
@@ 24,7 28,8 @@ To use GPG with a yubikey, we first need to install some packages, put the follo

#+end_src

We will export the subkeys to our yubikey so we can use it when signing and decrypting mail, but first plug in the yubikey and run
We will export the subkeys to our yubikey so we can use it when
signing and decrypting mail, but first plug in the yubikey and run

#+begin_src sh
$ gpg --card-status


@@ 36,9 41,15 @@ Then run =gpg --card-edit= and you should see a prompt like this.
gpg/card> 
#+end_src

Type =admin= and then =passwd= to change the user and the admin pin. The user pin will be used for day-to-day things like signing and decrypting files, the admin pin will only be used for operations concerning the configuration of the yubikey, eg. adding subkeys. The default user pin is =123456= and the default admin pin is =12345678=.
Type =admin= and then =passwd= to change the user and the admin pin. The
user pin will be used for day-to-day things like signing and
decrypting files, the admin pin will only be used for operations
concerning the configuration of the yubikey, eg. adding subkeys. The
default user pin is =123456= and the default admin pin is =12345678=.

Now it's time to export the keys, beware that this process will remove the keys from your computer, so make sure your keys are backed up on an external drive.
Now it's time to export the keys, beware that this process will remove
the keys from your computer, so make sure your keys are backed up on
an external drive.

#+begin_src sh
gpg --edit-key <keyid>


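Review bot: "eg. adding subkeys" on the new lines should be "e.g. adding subkeys". The following paragraph's warning that the process removes the keys from the computer is the important security point in this section; consider stating explicitly that the keys are moved, not copied, so a reader verifies the backup before running the =gpg --edit-key= steps.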
@@ 75,9 86,11 @@ ssb>  rsa4096/38E09A208656B970 2020-12-13 [E] [expires: 2021-12-13]
ssb>  rsa4096/18ED52D1A730A8CA 2020-12-13 [A] [expires: 2021-12-13]
#+end_src

The =>= next to =ssb= means that it is a pointer to the subkey on your yubikey.
The =>= next to =ssb= means that it is a pointer to the subkey on your
yubikey.

If you are currently running a live OS like Tails, you have to export your subkeys to an external drive.
If you are currently running a live OS like Tails, you have to export
your subkeys to an external drive.

#+begin_src sh
gpg --armor --output=/path/to/external/drive --export-secret-subkeys <keyid>


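Review bot: The context line =gpg --armor --output=/path/to/external/drive --export-secret-subkeys <keyid>= takes a file path for =--output=, but the placeholder reads like a mount point; since the prose on the reflowed lines says "export your subkeys to an external drive", a placeholder that names a file on that drive would avoid readers passing a directory and getting an error.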
@@ 89,7 102,8 @@ You can import the subkeys on your main computer by running
gpg --import /path/to/external/drive
#+end_src

To test if everything is working, encrypt a file and then decrypt it with your private key
To test if everything is working, encrypt a file and then decrypt it
with your private key

#+begin_src sh
echo 'test' > test.txt


@@ 100,7 114,8 @@ gpg --decrypt test.gpg
This should prompt you for the user pin you created for your yubikey.

** PAM
There is a PAM modules that allows us to use the yubikey to authenticate when logging in.
There is a PAM modules that allows us to use the yubikey to
authenticate when logging in.

#+begin_src nix
security.pam.yubico = { 


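Review bot: Number agreement on the reflowed lines: "There is a PAM modules that allows" should be "There is a PAM module that allows".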
@@ 119,4 134,6 @@ ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
ykpamcfg -2 -v
#+end_src

You now need your yubikey and your password to login to your machine, if don't want to enter the password just remove the =control = "required";= line.
You now need your yubikey and your password to login to your machine,
if don't want to enter the password just remove the =control =
"required";= line.
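Review bot: "if don't want to enter the password" is missing "you" on the new lines. Since the preceding sentence establishes that login currently needs both the yubikey and the password, it is also worth stating on the same line that dropping =control = "required";= makes login single-factor, so anyone holding the key can log in without a password; readers skimming the post should see that trade-off next to the instruction.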