Diffstat (limited to 'nix')
-rw-r--r--nix/diceware-vt.patch65
-rw-r--r--nix/flake.lock44
-rw-r--r--nix/flake.nix282
3 files changed, 391 insertions, 0 deletions
diff --git a/nix/diceware-vt.patch b/nix/diceware-vt.patch
new file mode 100644
index 0000000..8911ed2
--- /dev/null
+++ b/nix/diceware-vt.patch
@@ -0,0 +1,65 @@
+diff --git a/index.html b/index.html
+index 2f26ed9..3b4a2d3 100644
+--- a/index.html
++++ b/index.html
+@@ -920,8 +920,19 @@
+ <!-- core application JS -->
+ <script
+ src="index.js"
+- integrity="sha384-++jBnvz86d0OUZ3chFxES5Sj6jjOZ/jKegsrHhXhOEzWxrvn7LhRGB0HP+bvLeNI"
++ integrity="sha384-v759g0TMj/jSFxhXsmlahbhJnj5NYNBopqVDq9WQaMOWsLZ0sJzLKxIoP+WzY9Yq"
+ crossorigin="anonymous"
+ ></script>
++ <script>
++ $(document).ready(function () {
++ 'use strict'
++ // Use the 6 word list as the default
++ var numWords, numRolls
++ numWords = parseInt(6, 10)
++ numRolls = parseInt(5, 10)
++ displayWords(getWords(numWords, numRolls))
++ displayCrackTime(wordList)
++ })
++ </script>
+ </body>
+ </html>
+diff --git a/index.js b/index.js
+index e95e2a1..9d45377 100644
+--- a/index.js
++++ b/index.js
+@@ -238,11 +238,28 @@ function getWordFromWordNum (wordNum) {
+ function displayWords (words) {
+ 'use strict'
+
++ // get symbol and number for the first and third words (CMD)
++ if (words.length > 1) {
++ var symbols = getWords(1,2)
++ var number = Math.floor(Math.random() * 100)
++ var symbol_pos = Math.floor(Math.random() * words.length)
++ var number_pos = Math.floor(Math.random() * words.length)
++ var capitalize_pos = Math.floor(Math.random() * words.length)
++ }
++
+ // add the word to the global array of words
+ $.each(words, function (index, obj) {
+ var objEntropy = new Big(obj.entropy)
+ totalEntropy = totalEntropy.plus(objEntropy)
+ $('#totalEntropy').text(totalEntropy.toFixed(2))
++ if (words.length > 1) {
++ // add symbol to random word (CMD)
++ if (index == symbol_pos) obj.word = obj.word + symbols[0].word
++ // add number to random word (CMD)
++ if (index == number_pos) obj.word = obj.word + number
++ // capitalize random word (CMD)
++ if (index == capitalize_pos) obj.word = obj.word.charAt(0).toUpperCase() + obj.word.substring(1)
++ }
+ wordList.push(obj.word)
+ })
+
+@@ -370,4 +387,4 @@ $(document).ready(function () {
+ $('#addFiveDieRollWord').val('')
+ displayCrackTime(wordList)
+ })
+-})
++})
+\ No newline at end of file
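Review bot: The new `number`, `symbol_pos`, `number_pos` and `capitalize_pos` values in `displayWords` are drawn from `Math.random()`, which is not a cryptographic generator; the word selection that feeds `totalEntropy` is the only part of this hunk with an entropy accounting, so the appended digits are not counted (the displayed figure stays conservative), but a passphrase generator shipped on a key-provisioning live image should not mix a non-CSPRNG source into the output at all. I would take these four values from `window.crypto.getRandomValues` as below (the `% 100` / `% words.length` reduction has a bias of well under 1e-7 at 32 bits, acceptable here) or state in the patch header why `Math.random()` was deliberately kept. Separately, the `integrity="sha384-…"` update in `index.html` must match the exact bytes of the patched `index.js`, including the removed trailing newline recorded at the end of this hunk; if the patch is ever regenerated without that change the browser will refuse to load the script with no visible error on the page, so a comment such as `# NOTE: regenerate the index.js SRI hash whenever this patch changes` at the top of the patch file would save the next maintainer a debugging session. `displayWords` continues past the end of the hunk.
```javascript
  // get symbol and number for the first and third words (CMD)
  if (words.length > 1) {
    var symbols = getWords(1,2)
    // Draw the extra randomness from the browser CSPRNG, not Math.random()
    var rnd = new Uint32Array(4)
    window.crypto.getRandomValues(rnd)
    var number = rnd[0] % 100
    var symbol_pos = rnd[1] % words.length
    var number_pos = rnd[2] % words.length
    var capitalize_pos = rnd[3] % words.length
  }
  // … unchanged: $.each loop appending symbol/number/capital and pushing to wordList …
```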
diff --git a/nix/flake.lock b/nix/flake.lock
new file mode 100644
index 0000000..38f65c8
--- /dev/null
+++ b/nix/flake.lock
@@ -0,0 +1,44 @@
+{
+ "nodes": {
+ "drduhConfig": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1719781410,
+ "narHash": "sha256-cmtAG7UQX7mVNoHHpVIqasfkjnO7VtBMcz8MJ7frO0k=",
+ "owner": "drduh",
+ "repo": "config",
+ "rev": "4eca229664d056737f1a097cdbdb10e5f247b0bc",
+ "type": "github"
+ },
+ "original": {
+ "owner": "drduh",
+ "repo": "config",
+ "type": "github"
+ }
+ },
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1721226092,
+ "narHash": "sha256-UBvzVpo5sXSi2S/Av+t+Q+C2mhMIw/LBEZR+d6NMjws=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "c716603a63aca44f39bef1986c13402167450e0a",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-24.05",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "drduhConfig": "drduhConfig",
+ "nixpkgs": "nixpkgs"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/nix/flake.nix b/nix/flake.nix
new file mode 100644
index 0000000..475885c
--- /dev/null
+++ b/nix/flake.nix
@@ -0,0 +1,282 @@
+{
+ description = "A Nix Flake for an xfce-based system with YubiKey setup";
+
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
+ drduhConfig.url = "github:drduh/config";
+ drduhConfig.flake = false;
+ };
+
+ outputs = {
+ self,
+ nixpkgs,
+ drduhConfig,
+ }: let
+ mkSystem = system:
+ nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules = [
+ "${nixpkgs}/nixos/modules/profiles/all-hardware.nix"
+ "${nixpkgs}/nixos/modules/installer/cd-dvd/iso-image.nix"
+ (
+ {
+ lib,
+ pkgs,
+ config,
+ ...
+ }: let
+ gpgAgentConf = pkgs.runCommand "gpg-agent.conf" {} ''
+ sed '/pinentry-program/d' ${drduhConfig}/gpg-agent.conf > $out
+ echo "pinentry-program ${pkgs.pinentry.curses}/bin/pinentry" >> $out
+ '';
+ dicewareAddress = "localhost";
+ dicewarePort = 8080;
+ viewYubikeyGuide = pkgs.writeShellScriptBin "view-yubikey-guide" ''
+ viewer="$(type -P xdg-open || true)"
+ if [ -z "$viewer" ]; then
+ viewer="${pkgs.glow}/bin/glow -p"
+ fi
+ exec $viewer "${self}/README.md"
+ '';
+ shortcut = pkgs.makeDesktopItem {
+ name = "yubikey-guide";
+ icon = "${pkgs.yubikey-manager-qt}/share/icons/hicolor/128x128/apps/ykman.png";
+ desktopName = "drduh's YubiKey Guide";
+ genericName = "Guide to using YubiKey for GnuPG and SSH";
+ comment = "Open the guide in a reader program";
+ categories = ["Documentation"];
+ exec = "${viewYubikeyGuide}/bin/view-yubikey-guide";
+ };
+ yubikeyGuide = pkgs.symlinkJoin {
+ name = "yubikey-guide";
+ paths = [viewYubikeyGuide shortcut];
+ };
+ dicewareScript = pkgs.writeShellScriptBin "diceware-webapp" ''
+ viewer="$(type -P xdg-open || true)"
+ if [ -z "$viewer" ]; then
+ viewer="firefox"
+ fi
+ exec $viewer "http://"${lib.escapeShellArg dicewareAddress}":${toString dicewarePort}/index.html"
+ '';
+ dicewarePage = pkgs.stdenv.mkDerivation {
+ name = "diceware-page";
+ src = pkgs.fetchFromGitHub {
+ owner = "grempe";
+ repo = "diceware";
+ rev = "9ef886a2a9699f73ae414e35755fd2edd69983c8";
+ sha256 = "44rpK8svPoKx/e/5aj0DpEfDbKuNjroKT4XUBpiOw2g=";
+ };
+ patches = [
+ # Include changes published on https://secure.research.vt.edu/diceware/
+ ./diceware-vt.patch
+ ];
+ buildPhase = ''
+ cp -a . $out
+ '';
+ };
+ dicewareWebApp = pkgs.makeDesktopItem {
+ name = "diceware";
+ icon = "${dicewarePage}/favicon.ico";
+ desktopName = "Diceware Passphrase Generator";
+ genericName = "Passphrase Generator";
+ comment = "Open the passphrase generator in a web browser";
+ categories = ["Utility"];
+ exec = "${dicewareScript}/bin/${dicewareScript.name}";
+ };
+ in {
+ isoImage = {
+ isoName = "yubikeyLive.iso";
+ # As of writing, zstd-based iso is 1542M, takes ~2mins to
+ # compress. If you prefer a smaller image and are happy to
+ # wait, delete the line below, it will default to a
+ # slower-but-smaller xz (1375M in 8mins as of writing).
+ squashfsCompression = "zstd";
+
+ appendToMenuLabel = " YubiKey Live ${self.lastModifiedDate}";
+ makeEfiBootable = true; # EFI booting
+ makeUsbBootable = true; # USB booting
+ };
+
+ swapDevices = [];
+
+ boot = {
+ tmp.cleanOnBoot = true;
+ kernel.sysctl = {"kernel.unprivileged_bpf_disabled" = 1;};
+ };
+
+ services = {
+ pcscd.enable = true;
+ udev.packages = [pkgs.yubikey-personalization];
+ # Automatically log in at the virtual consoles.
+ getty.autologinUser = "nixos";
+ # Comment out to run in a console for a smaller iso and less RAM.
+ xserver = {
+ enable = true;
+ desktopManager.xfce = {
+ enable = true;
+ enableScreensaver = false;
+ };
+ displayManager = {
+ lightdm.enable = true;
+ };
+ };
+ displayManager = {
+ autoLogin = {
+ enable = true;
+ user = "nixos";
+ };
+ };
+ # Host the `https://secure.research.vt.edu/diceware/` website offline
+ nginx = {
+ enable = true;
+ virtualHosts."diceware.local" = {
+ listen = [
+ {
+ addr = dicewareAddress;
+ port = dicewarePort;
+ }
+ ];
+ root = "${dicewarePage}";
+ };
+ };
+ };
+
+ programs = {
+ # Add firefox for running the diceware web app
+ firefox = {
+ enable = true;
+ preferences = {
+ # Disable data reporting confirmation dialogue
+ "datareporting.policy.dataSubmissionEnabled" = false;
+ # Disable welcome tab
+ "browser.aboutwelcome.enabled" = false;
+ };
+ # Make preferences appear as user-defined values
+ preferencesStatus = "user";
+ };
+ ssh.startAgent = false;
+ gnupg = {
+ dirmngr.enable = true;
+ agent = {
+ enable = true;
+ enableSSHSupport = true;
+ };
+ };
+ };
+
+ # Use less privileged nixos user
+ users.users = {
+ nixos = {
+ isNormalUser = true;
+ extraGroups = ["wheel" "video"];
+ initialHashedPassword = "";
+ };
+ root.initialHashedPassword = "";
+ };
+
+ security = {
+ pam.services.lightdm.text = ''
+ auth sufficient pam_succeed_if.so user ingroup wheel
+ '';
+ sudo = {
+ enable = true;
+ wheelNeedsPassword = false;
+ };
+ };
+
+ environment.systemPackages = with pkgs; [
+ # Tools for backing up keys
+ paperkey
+ pgpdump
+ parted
+ cryptsetup
+
+ # Yubico's official tools
+ yubikey-manager
+ yubikey-manager-qt
+ yubikey-personalization
+ yubikey-personalization-gui
+ yubico-piv-tool
+ yubioath-flutter
+
+ # Testing
+ ent
+
+ # Password generation tools
+ diceware
+ dicewareWebApp
+ pwgen
+ rng-tools
+
+ # Might be useful beyond the scope of the guide
+ cfssl
+ pcsctools
+ tmux
+ htop
+
+ # This guide itself (run `view-yubikey-guide` on the terminal
+ # to open it in a non-graphical environment).
+ yubikeyGuide
+
+ # PDF and Markdown viewer
+ okular
+ ];
+
+ # Disable networking so the system is air-gapped
+ # Comment all of these lines out if you'll need internet access
+ boot.initrd.network.enable = false;
+ networking = {
+ resolvconf.enable = false;
+ dhcpcd.enable = false;
+ dhcpcd.allowInterfaces = [];
+ interfaces = {};
+ firewall.enable = true;
+ useDHCP = false;
+ useNetworkd = false;
+ wireless.enable = false;
+ networkmanager.enable = lib.mkForce false;
+ };
+
+ # Unset history so it's never stored Set GNUPGHOME to an
+ # ephemeral location and configure GPG with the guide
+
+ environment.interactiveShellInit = ''
+ unset HISTFILE
+ export GNUPGHOME="/run/user/$(id -u)/gnupg"
+ if [ ! -d "$GNUPGHOME" ]; then
+ echo "Creating \$GNUPGHOME…"
+ install --verbose -m=0700 --directory="$GNUPGHOME"
+ fi
+ [ ! -f "$GNUPGHOME/gpg.conf" ] && cp --verbose "${drduhConfig}/gpg.conf" "$GNUPGHOME/gpg.conf"
+ [ ! -f "$GNUPGHOME/gpg-agent.conf" ] && cp --verbose ${gpgAgentConf} "$GNUPGHOME/gpg-agent.conf"
+ echo "\$GNUPGHOME is \"$GNUPGHOME\""
+ '';
+
+ # Copy the contents of contrib to the home directory, add a
+ # shortcut to the guide on the desktop, and link to the whole
+ # repo in the documents folder.
+ system.activationScripts.yubikeyGuide = let
+ homeDir = "/home/nixos/";
+ desktopDir = homeDir + "Desktop/";
+ documentsDir = homeDir + "Documents/";
+ in ''
+ mkdir -p ${desktopDir} ${documentsDir}
+ chown nixos ${homeDir} ${desktopDir} ${documentsDir}
+
+ cp -R ${self}/contrib/* ${homeDir}
+ ln -sf ${yubikeyGuide}/share/applications/yubikey-guide.desktop ${desktopDir}
+ ln -sf ${dicewareWebApp}/share/applications/${dicewareWebApp.name} ${desktopDir}
+ ln -sfT ${self} ${documentsDir}/YubiKey-Guide
+ '';
+ system.stateVersion = "24.05";
+ }
+ )
+ ];
+ };
+ in {
+ nixosConfigurations.yubikeyLive.x86_64-linux = mkSystem "x86_64-linux";
+ nixosConfigurations.yubikeyLive.aarch64-linux = mkSystem "aarch64-linux";
+ formatter.x86_64-linux = (import nixpkgs {system = "x86_64-linux";}).alejandra;
+ formatter.aarch64-linux = (import nixpkgs {system = "aarch64-linux";}).alejandra;
+ };
+}
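Review bot: The comment `# Disable networking so the system is air-gapped` above the `networking` block overstates what it does: the settings only stop NixOS from configuring interfaces, while the `all-hardware.nix` profile pulled in at the top of `modules` still loads NIC and Wi-Fi drivers, and the passwordless `wheel` sudo configured under `security.sudo` lets anyone at the console bring a link up by hand. I would reword it to `# Disable network configuration; a real air gap still requires no cable or Wi-Fi hardware (drivers are loaded by all-hardware.nix)` and, for the same reason, soften `# Use less privileged nixos user` since that user has passwordless sudo and `root` also gets an empty `initialHashedPassword`. Separately, `security.pam.services.lightdm.text` appears to replace the whole generated PAM stack for that service with a single `auth` line, so a manual lightdm login may run with no `session` entries (notably `pam_systemd`, which creates `/run/user/<uid>`), which `environment.interactiveShellInit` relies on for `$GNUPGHOME`; autologin goes through the separate `lightdm-autologin` service so the default path is probably unaffected, but this is worth confirming or noting next to the override.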