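--- a/yubikey-image.nix
+++ b/yubikey-image.nix
@@ -0,0 +1,60 @@
+# NixOS livesystem to generate yubikeys in an air-gapped manner
+# screenshot: https://dl.thalheim.io/wmxIqucOEo2xuLk0Ut45fQ/yubikey-live-system.png
+# $ nixos-generator -f iso -c yubikey-image.nix
+{ pkgs, ... }: {
+environment.interactiveShellInit = ''
+export GNUPGHOME=/run/user/$(id -u)/gnupghome
+if [ ! -d $GNUPGHOME ]; then
+mkdir $GNUPGHOME
+fi
+cp ${pkgs.fetchurl {
+url = "https://raw.githubusercontent.com/drduh/config/662c16404eef04f506a6a208f1253fee2f4895d9/gpg.conf";
+sha256 = "118fmrsn28fz629y7wwwcx7r1wfn59h3mqz1snyhf8b5yh0sb8la";
+}} "$GNUPGHOME/gpg.conf"
+echo "\$GNUPGHOME has been set up for you. Generated keys will be in $GNUPGHOME."
+'';
+
+environment.systemPackages = with pkgs; [
+yubikey-personalization
+cryptsetup
+pwgen
+midori
+];
+
+services.udev.packages = with pkgs; [ yubikey-personalization ];
+services.pcscd.enable = true;
+users.extraUsers.root.initialHashedPassword = "";
+
+# make sure we are air-gapped
+networking.wireless.enable = false;
+networking.dhcpcd.enable = false;
+
+services.mingetty.helpLine = "The 'root' account has an empty password.";
+
+services.xserver = {
+enable = true;
+displayManager.auto.enable = true;
+
+desktopManager = let
+guide = pkgs.stdenv.mkDerivation {
+name = "yubikey-guide-2019-01-21.html";
+src = pkgs.fetchFromGitHub {
+owner = "drduh";
+repo = "YubiKey-Guide";
+rev = "035d98ebbed54a0218ccbf23905054d32f97508e";
+sha256 = "0rzy06a5xgfjpaklxdgrxml24d0vhk78lb577l3z4x7a2p32dbyq";
+};
+buildInputs = [ pkgs.pandoc ];
+installPhase = "pandoc --highlight-style pygments -s --toc README.md -o $out";
+};
+in {
+default = "xfce";
+xterm.enable = false;
+xfce.enable = true;
+xfce.extraSessionCommands = ''
+${pkgs.midori}/bin/midori ${guide} &
+${pkgs.xfce.terminal}/bin/xfce4-terminal &
+'';
+};
+};
+}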
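Review bot: `mkdir $GNUPGHOME` (file line 8) creates the GnuPG home with whatever the login umask yields, which is more permissive than the 0700 GnuPG expects for a directory that will hold freshly generated secret keys; GnuPG will print its unsafe-permissions warning on every invocation, and on a system where a second user is ever added the key material is exposed. Change it to `mkdir -m 700 "$GNUPGHOME"` (quoting also protects the path against word splitting, consistent with the quoted `cp` target on line 13). The "make sure we are air-gapped" section (lines 28-30) only disables wireless and dhcpcd, so a wired interface can still be brought up by hand; if a stronger guarantee is intended, consider blacklisting the NIC drivers through `boot.blacklistedKernelModules`, or reword the comment to say the disablement is best-effort rather than a guarantee.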