# NixOS live system for generating GnuPG keys and provisioning YubiKeys in an air-gapped manner
# screenshot: https://dl.thalheim.io/ZF5Y0yyVRZ_2MWqX2J42Gg/2020-08-12_16-00.png
# $ nixos-generate -f iso -c yubikey-image.nix
#
# to test it in a vm:
#
# $ nixos-generate --run -f vm -c yubikey-image.nix
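{ pkgs, lib, ... }:
let
  # Offline copy of drduh's YubiKey guide, rendered by pandoc into a single
  # HTML page so it can be read inside the live system without any network.
  # Both the guide revision and its hash are pinned, so the build is
  # reproducible and the content cannot change without editing this file.
  guide = pkgs.stdenv.mkDerivation {
    name = "yubikey-guide-2024-02-12.html";
    src = pkgs.fetchFromGitHub {
      owner = "drduh";
      repo = "YubiKey-Guide";
      rev = "53ed405";
      sha256 = "sha256-dY8MFYJ9WSnvcfa8d1a3gNt52No7eN8aacky1zwJpbI=";
    };
    buildInputs = [ pkgs.pandoc ];
    installPhase = ''
      # NOTE(review): the sed below looks like an attempt to keep the literal
      # "<keyid>" placeholder readable in the HTML.  In a sed replacement "\<"
      # is just "<", so it is probably a no-op and "&lt;keyid&gt;" was meant.
      # Left unchanged -- check the rendered page before touching it.
      pandoc --highlight-style pygments -s --toc README.md | \
        sed -e 's/<keyid>/\<keyid\>/g' > $out
    '';
  };
in
{
  # Every interactive shell gets a throw-away GnuPG home under /run/user, which
  # is a tmpfs: generated private keys live in RAM only and are gone after a
  # reboot.  Back them up (paperkey is installed below) before powering off.
  environment.interactiveShellInit = ''
    export GNUPGHOME=/run/user/$(id -u)/gnupghome
    # gpg warns about (and may refuse to use) a homedir that is not mode 700;
    # create it with the right mode instead of relying on the umask.
    if [ ! -d "$GNUPGHOME" ]; then
      mkdir -m 700 "$GNUPGHOME"
    fi
    # Pinned hardened gpg.conf from drduh/config (hash-checked at build time,
    # so the live system itself never needs to fetch anything).
    cp ${
      pkgs.fetchurl {
        url = "https://raw.githubusercontent.com/drduh/config/944faed/gpg.conf";
        sha256 = "sha256-3oTHeGZ9nGJ+g+lnRSEcyifNca+V9SlpjBV1VNvrnNU=";
      }
    } "$GNUPGHOME/gpg.conf"
    echo "\$GNUPGHOME has been set up for you. Generated keys will be in $GNUPGHOME."
  '';

  environment.systemPackages = with pkgs; [
    yubikey-personalization
    cryptsetup
    pwgen
    midori
    paperkey
    gnupg
    ctmg
  ];

  # udev rules so the unprivileged "yubikey" user can talk to the token;
  # pcscd provides the smart-card (CCID) path gpg uses to reach it.
  services.udev.packages = with pkgs; [ yubikey-personalization ];
  services.pcscd.enable = true;

  # "Air-gapped" here is defence in depth, not the air gap itself: these
  # switches keep the live system from bringing up any network on its own, but
  # the kernel still ships the drivers, so physically disconnecting the
  # machine is what actually isolates it.  mkForce makes sure an imported
  # profile or desktop module cannot re-enable networking through a default
  # of its own (the installer profile, for instance, appears to default
  # wireless to on, which is likely why it was disabled explicitly here).
  networking.wireless.enable = lib.mkForce false;
  networking.networkmanager.enable = lib.mkForce false;
  networking.dhcpcd.enable = lib.mkForce false;
  networking.useDHCP = lib.mkForce false;

  # Single-user offline box: passwordless root and passwordless sudo for the
  # wheel group.  Acceptable only because the system never reaches a network;
  # do not reuse this profile for anything that does.
  services.getty.helpLine = "The 'root' account has an empty password.";
  security.sudo.wheelNeedsPassword = false;
  users.users.yubikey = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    shell = "/run/current-system/sw/bin/bash";
  };

  # Auto-login straight into XFCE with the guide open in a browser and a
  # terminal ready, so no credentials are needed to start working.
  services.xserver = {
    enable = true;
    displayManager.autoLogin.enable = true;
    displayManager.autoLogin.user = "yubikey";
    displayManager.defaultSession = "xfce";
    displayManager.sessionCommands = ''
      ${pkgs.midori}/bin/midori ${guide} &
      ${pkgs.xfce.xfce4-terminal}/bin/xfce4-terminal &
    '';
    desktopManager = {
      xterm.enable = false;
      xfce.enable = true;
    };
  };
}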