From d853036fb1433402f4459d1eb5f79ac0035081f6 Mon Sep 17 00:00:00 2001
From: Ryan Yin
Date: Fri, 16 Aug 2024 22:42:13 +0800
Subject: [PATCH] feat: data-crypted
---
 flake.lock | 6 +-
 hosts/idols-aquamarine/disko-fs.nix | 93 +++++++++++++------
 hosts/idols-aquamarine/transmission.nix | 2 +-
 outputs/x86_64-linux/src/idols-aquamarine.nix | 1 +
 secrets/nixos.nix | 20 ++++
 5 files changed, 89 insertions(+), 33 deletions(-)
diff --git a/flake.lock b/flake.lock
index a54480a4..9961c0a7 100644
--- a/flake.lock
+++ b/flake.lock
@@ -470,10 +470,10 @@
 "mysecrets": {
 "flake": false,
 "locked": {
- "lastModified": 1722412796,
- "narHash": "sha256-bV+DbfqItujekh62XWpqC2ldkw6KqAo6LOpKLh9M7Sc=",
+ "lastModified": 1723827270,
+ "narHash": "sha256-nBq/Sp7u+riKV7xNWq85+owzUGfWdpKdq3qR/0PYTSU=",
 "ref": "refs/heads/main",
- "rev": "8e3cf78c9f6b016625681f668e154b3705851a0d",
+ "rev": "f80a6c11f7b27e257e07f294b45c64a1369438a4",
 "shallow": true,
 "type": "git",
 "url": "ssh://git@github.com/ryan4yin/nix-secrets.git"
diff --git a/hosts/idols-aquamarine/disko-fs.nix b/hosts/idols-aquamarine/disko-fs.nix
index cb0c9461..5ac145a2 100644
--- a/hosts/idols-aquamarine/disko-fs.nix
+++ b/hosts/idols-aquamarine/disko-fs.nix
@@ -1,42 +1,81 @@
 # auto disk partitioning:
 # nix run github:nix-community/disko -- --mode disko ./disko-fs.nix
 {
+ fileSystems."/data/fileshare/public".depends = ["/data/fileshare"];
+
 disko.devices = {
- disk.data-apps = {
+ disk.data-encrypted = {
 type = "disk";
- device = "/dev/disk/by-id/ata-WDC_WD40EJRX-89T1XY0_WD-WCC7K0XDCZE6";
+ device = "/dev/disk/by-id/ata-WDC_WD40EZRZ-22GXCB0_WD-WCC7K7VV9613";
 content = {
 type = "gpt";
- partitions.data-apps = {
- size = "100%";
- content = {
- type = "btrfs";
- # extraArgs = ["-f"]; # Override existing partition
- subvolumes = {
- "@persistent" = {
- mountpoint = "/data/apps";
- mountOptions = [
- "compress-force=zstd:1"
- # https://www.freedesktop.org/software/systemd/man/latest/systemd.mount.html
- "nofail"
- ];
+ partitions = {
+ luks = {
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "data-encrypted";
+ settings = {
+ keyFile = "/etc/agenix/hdd-luks-crypt-key";
+ # The maximum size of the keyfile is 8192 KiB
+ # type `cryptsetup --help` to see the compiled-in key and passphrase maximum sizes
+ # to generate a key file:
+ # dd bs=512 count=1024 iflag=fullblock if=/dev/random of=./hdd-luks-crypt-key
+ keyFileSize = 512 * 64; # match the `bs * count` of the `dd` command
+ keyFileOffset = 512 * 128; # match the `bs * skip` of the `dd` command
+ fallbackToPassword = true;
+ allowDiscards = true;
 };
- "@backups" = {
- mountpoint = "/data/backups";
- mountOptions = ["compress-force=zstd:1" "noatime" "nofail"];
- };
- "@snapshots" = {
- mountpoint = "/data/apps-snapshots";
- mountOptions = ["compress-force=zstd:1" "noatime" "nofail"];
+
+ # encrypt the root partition with luks2 and argon2id, will prompt for a passphrase, which will be used to unlock the partition.
+ # cryptsetup luksFormat
+ extraFormatArgs = [
+ "--type luks2"
+ "--cipher aes-xts-plain64"
+ "--hash sha512"
+ "--iter-time 5000"
+ "--key-size 256"
+ "--pbkdf argon2id"
+ # use true random data from /dev/random, will block until enough entropy is available
+ "--use-random"
+ ];
+ extraOpenArgs = [
+ "--timeout 10"
+ ];
+ content = {
+ type = "btrfs";
+ extraArgs = ["-f"]; # Force override existing partition
+ subvolumes = {
+ "@apps" = {
+ mountpoint = "/data/apps";
+ mountOptions = [
+ "compress-force=zstd:1"
+ # https://www.freedesktop.org/software/systemd/man/latest/systemd.mount.html
+ "nofail"
+ ];
+ };
+ "@fileshare" = {
+ mountpoint = "/data/fileshare";
+ mountOptions = ["compress-force=zstd:1" "noatime" "nofail"];
+ };
+ "@backups" = {
+ mountpoint = "/data/backups";
+ mountOptions = ["compress-force=zstd:1" "noatime" "nofail"];
+ };
+ "@snapshots" = {
+ mountpoint = "/data/apps-snapshots";
+ mountOptions = ["compress-force=zstd:1" "noatime" "nofail"];
+ };
+ };
+ };
 };
 };
 };
 };
 };
 };
- disk.data-fileshare = {
+ disk.data-public = {
 type = "disk";
- device = "/dev/disk/by-id/ata-WDC_WD40EZRZ-22GXCB0_WD-WCC7K7VV9613";
+ device = "/dev/disk/by-id/ata-WDC_WD40EJRX-89T1XY0_WD-WCC7K0XDCZE6";
 content = {
 type = "gpt";
 partitions.data-fileshare = {
@@ -46,13 +85,9 @@
 # extraArgs = ["-f"]; # Override existing partition
 subvolumes = {
 "@persistent" = {
- mountpoint = "/data/fileshare";
+ mountpoint = "/data/fileshare/public";
 mountOptions = ["compress-force=zstd:1" "nofail"];
 };
- "@snapshots" = {
- mountpoint = "/data/fileshare-snapshots";
- mountOptions = ["compress-force=zstd:1" "noatime" "nofail"];
- };
 };
 };
 };
diff --git a/hosts/idols-aquamarine/transmission.nix b/hosts/idols-aquamarine/transmission.nix
index a03177ac..20832e6d 100644
--- a/hosts/idols-aquamarine/transmission.nix
+++ b/hosts/idols-aquamarine/transmission.nix
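Review bot: `"--key-size 256"` together with `"--cipher aes-xts-plain64"` yields AES-128-XTS, because XTS splits the key into two halves; cryptsetup's compiled-in LUKS2 default is a 512-bit key (AES-256-XTS), so unless 128-bit strength is intended this should be `"--key-size 512"`. The key file path `/etc/agenix/hdd-luks-crypt-key` is only created by the stage-2 `environment.etc` entry added in secrets/nixos.nix in this same patch, so if disko registers this volume in `boot.initrd.luks.devices` (its default behaviour, as far as I can tell) the file is absent when the initrd tries to open it and `fallbackToPassword = true` turns every boot into a passphrase prompt — worth confirming which stage is meant to perform the unlock, e.g. via disko's `initrdUnlock` setting. The `keyFileOffset` comment refers to a `bs * skip` that the quoted `dd` command does not have; `# byte offset into the generated key file at which the 32 KiB key starts (64 KiB in)` would describe it, and the block comment above `extraFormatArgs` still says "root partition" although this is the data disk. The enclosing `disko.devices` set continues past the end of this hunk.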
@@ -3,7 +3,7 @@
 myvars,
 ...
 }: let
- dataDir = "/data/apps/transmission";
+ dataDir = "/data/fileshare/public/transmission";
 name = "transmission";
 in {
 # the headless Transmission BitTorrent daemon
diff --git a/outputs/x86_64-linux/src/idols-aquamarine.nix b/outputs/x86_64-linux/src/idols-aquamarine.nix
index 0e621d34..46e2212e 100644
--- a/outputs/x86_64-linux/src/idols-aquamarine.nix
+++ b/outputs/x86_64-linux/src/idols-aquamarine.nix
@@ -29,6 +29,7 @@
 {modules.secrets.server.application.enable = true;}
 {modules.secrets.server.operation.enable = true;}
 {modules.secrets.server.webserver.enable = true;}
+ {modules.secrets.server.storage.enable = true;}
 ];
 home-modules = map mylib.relativeToRoot [
 "home/linux/tui.nix"
diff --git a/secrets/nixos.nix b/secrets/nixos.nix
index 52e52e9d..f9170711 100644
--- a/secrets/nixos.nix
+++ b/secrets/nixos.nix
@@ -35,6 +35,7 @@ in {
 server.operation.enable = mkEnableOption "NixOS Secrets for Operation Servers(Backup, Monitoring, etc)";
 server.kubernetes.enable = mkEnableOption "NixOS Secrets for Kubernetes";
 server.webserver.enable = mkEnableOption "NixOS Secrets for Web Servers(contains tls cert keys)";
+ server.storage.enable = mkEnableOption "NixOS Secrets for HDD Data's LUKS Encryption";
 impermanence.enable = mkEnableOption "whether use impermanence and ephemeral root file system";
 };
@@ -249,5 +250,24 @@ in {
 };
 };
 })
+
+ (mkIf cfg.server.storage.enable {
+ age.secrets = {
+ "hdd-luks-crypt-key" = {
+ file = "${mysecrets}/hdd-luks-crypt-key.age";
+ mode = "0400";
+ owner = "root";
+ };
+ };
+
+ # place secrets in /etc/
+ environment.etc = {
+ "agenix/hdd-luks-crypt-key" = {
+ source = config.age.secrets."hdd-luks-crypt-key".path;
+ mode = "0400";
+ user = "root";
+ };
+ };
+ })
 ]);
 }
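Review bot: `dataDir` now lives under `/data/fileshare/public`, a btrfs subvolume that disko-fs.nix in this same patch mounts with `nofail`; if that disk is absent at boot the daemon presumably starts against a plain directory on the root filesystem and accumulates state there. The service definition is outside the hunk, so I cannot see whether it is ordered after the mount — if it is not, `systemd.services.transmission.unitConfig.RequiresMountsFor = [dataDir];` would make the unit wait for, and fail together with, the mount. The `let` block containing this line starts before the hunk.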
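Review bot: Setting `mode = "0400"` on the `environment.etc."agenix/hdd-luks-crypt-key"` entry makes NixOS copy the decrypted secret into `/etc` at activation rather than symlink it, so the LUKS key material is written to the root filesystem in addition to the agenix secret path; if the root filesystem is not itself encrypted, that copy is where the key ends up resting. If a stable path is all that is needed, agenix's `age.secrets.<name>.path` can expose the decrypted file at the desired location without a second on-disk copy, and the consumer can reference `config.age.secrets."hdd-luks-crypt-key".path` directly. The `# place secrets in /etc/` comment should also state why a copy rather than a symlink is required, e.g. `# copied, not symlinked: the key must be readable before /run/agenix is available` if that is the reason. The list this entry is appended to starts before the hunk.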