nixos-setup/setup at master · usami/nixos-setup · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
#!/usr/bin/env bash

set -eufx -o pipefail

BOOT_PARTITION=$1 # e.g. /dev/sda3
LUKS_PARTITION=$2
SWAP_PARTITION=$3
EFI_MNT=/root/boot
BOOT_MNT=/mnt/boot
SALT_LENGTH=16
KEY_LENGTH=512
ITERATIONS=1000000
CIPHER=aes-xts-plain64
HASH=sha512
SLOT=2
LUKSROOT=crypted
FSROOT=root

setup_boot_partition() {
        mkfs.vfat -F 32 -n uefi $BOOT_PARTITION
        mkdir -p $EFI_MNT
        mount $BOOT_PARTITION $EFI_MNT
}

setup_swap_partition() {
        mkswap -L swap $SWAP_PARTITION
        swapon $SWAP_PARTITION
}

rbtohex() {
        ( od -An -vtx1 | tr -d ' \n' )
}

hextorb() {
        ( tr '[:lower:]' '[:upper:]' | sed -e 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf )
}

setup_crypt() {
        nix-env -i gcc-wrapper
        nix-env -i yubikey-personalization
        nix-env -i openssl
        cc -O3 -I$(find / | grep "openssl/evp\.h" | head -1 | sed -e 's|/openssl/evp\.h$||g' | tr -d '\n') \
                -L$(find / | grep "lib/libcrypto" | head -1 | sed -e 's|/libcrypto\..*$||g' | tr -d '\n') \
                $(find / | grep "pbkdf2-sha512\.c" | head -1 | tr -d '\n') -o ./pbkdf2-sha512 -lcrypto

        salt="$(dd if=/dev/random bs=1 count=$SALT_LENGTH 2>/dev/null | rbtohex)"

        ykpersonalize -"$SLOT" -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible

        challenge="$(echo -n $salt | openssl dgst -binary -sha512 | rbtohex)"
        response="$(ykchalresp -2 -x $challenge 2>/dev/null)"

        k_luks="$(echo | ./pbkdf2-sha512 $(($KEY_LENGTH / 8)) $ITERATIONS $response | rbtohex)"

        echo -n "$k_luks" | hextorb | cryptsetup luksFormat --cipher="$CIPHER" --key-size="$KEY_LENGTH" --hash="$HASH" --key-file=- $LUKS_PARTITION

        storage=/crypt-storage/default
        mkdir -p "$(dirname $EFI_MNT$storage)"
        echo -ne "$salt\n$ITERATIONS" > $EFI_MNT$storage
        echo -n "$k_luks" | hextorb | cryptsetup luksOpen --key-file=- "$LUKS_PARTITION" "$LUKSROOT"
}

setup_btrfs() {
        mkfs.btrfs -L $FSROOT "/dev/mapper/$LUKSROOT"

        mount -t btrfs "/dev/mapper/$LUKSROOT" /mnt

        btrfs subvol create /mnt/nixos

        umount /mnt
        mount -t btrfs -o subvol=nixos "/dev/mapper/$LUKSROOT" /mnt
}

setup_boot_partition
setup_swap_partition
setup_crypt
setup_btrfs

umount $EFI_MNT
mkdir -p $BOOT_MNT
mount $BOOT_PARTITION $BOOT_MNT

nixos-generate-config --root /mnt