Test ignucius Deployment

src/nixos/machines/default.nix

@@ -1,5 +1,6 @@
 {
 	imports = [
+		./ignucius
 		./morph
 		./mracek
 		./sinnenfreude

src/nixos/machines/ignucius/README.md

@@ -0,0 +1,3 @@
+# ignucius
+
+Role:

src/nixos/machines/ignucius/config/bootloader.nix

@@ -0,0 +1,11 @@
+{ ... }:
+
+# Bootloader management of IGNUCIUS
+
+{
+	# FIXME(Krey): Seems that the keys have to be compiled in coreboot for this to work, TBD management
+	boot.lanzaboote.enable = false; # Whether to use NixOS's implementation of secure-boot
+	boot.loader.systemd-boot.enable = true;
+
+	boot.loader.efi.canTouchEfiVariables = true;
+}

src/nixos/machines/ignucius/config/disks.nix

@@ -0,0 +1,250 @@
+{ config, lib, ... }:
+
+# Nix-based Disk Management of IGNUCIUS with disko and impermenance on tmpfs
+
+# Formatting strategy:
+#    Table: GPT
+#    2048 - 1050623 (1048576) -- 512M EFI System
+#    1050624 - 913858559 (912807936) -- -30G nix store BTRFS
+#    913858560 - 976773119 (62914560) -- 100% Encrypted swap
+
+# Deployment:
+#     # nix run 'github:nix-community/disko#disko-install' -- --flake 'github:kreyren/nixos-config#ignucius' --disk system /dev/disk/by-id/ata-WDC_WDS500G2B0A-00SM50_21101J456803
+
+# FIXME(Krey): Refer to https://github.com/nix-community/disko/issues/490
+
+# Reference: https://github.com/ryan4yin/nix-config/blob/82dccbdecaf73835153a6470c1792d397d2881fa/hosts/12kingdoms-suzu/disko-fs.nix#L21
+
+# Reference: https://github.com/lilyinstarlight/foosteros/blob/ccaca3910a61ee790f9cfd000cf77074524676b8/hosts/minimal/disks.nix#L4
+
+let
+	inherit (lib) mkMerge;
+
+	diskoDevice = "/dev/disk/by-id/ata-TOSHIBA_MQ01ABF050_33Q7S25ZS";
+in mkMerge [
+	{
+		age.secrets.ignucius-disks-password.file = ../secrets/ignucius-disks-password.age; # Supply password for disk encryption
+	}
+
+	# FIXME(Krey): Causes infinite recursion, no idea why
+	# (if (config.boot.impermenance.enable == true) then {
+	(if (true) then {
+		age.identityPaths = [ "/nix/persist/system/etc/ssh/ssh_host_ed25519_key" ]; # Change the identity path to use our disko path
+
+		fileSystems."/nix/persist/system".neededForBoot = true;
+
+		# FIXME(Krey): Figure out how to do labels
+		disko.devices = {
+			nodev."/" = {
+				fsType = "tmpfs";
+				mountOptions = [
+					"size=1G"
+					"defaults"
+					"mode=755"
+				];
+			};
+
+			disk = {
+				system = {
+					device = diskoDevice;
+					type = "disk";
+					imageSize = "50G"; # Size of the generated image
+					content = {
+						type = "gpt";
+						partitions = {
+
+							boot = {
+								priority = 1; # Needs to be first partition
+								type = "EF00"; # EFI System Partition/
+								size = "512M";
+								content = {
+									type = "filesystem";
+									format = "vfat"; # FAT32
+									mountpoint = "/boot";
+								};
+							};
+
+							store = {
+								priority = 3;
+								size = "100%";
+								content = {
+									name = "store";
+									type = "luks";
+									settings.allowDiscards = true;
+
+									passwordFile = config.age.secrets.ignucius-disks-password.path;
+
+									initrdUnlock = true; # Add a boot.initrd.luks.devices entry for the specified disk
+
+									extraFormatArgs = [
+										"--use-random" # use true random data from /dev/random, will block until enough entropy is available
+										"--label=CRYPT_NIX"
+									];
+
+									extraOpenArgs = [
+										"--timeout 10"
+									];
+
+									content = {
+										type = "btrfs";
+										extraArgs = [ "--label NIX_STORE" ];
+										subvolumes = {
+											"@nix" = {
+												mountpoint = "/nix";
+												mountOptions = [ "compress=lzo" "noatime" ];
+											};
+											"@system-persist" = {
+												mountpoint = "/nix/persist/system";
+												mountOptions = [ "compress=lzo" "noatime" ];
+											};
+											"@user-persist" = {
+												mountpoint = "/nix/persist/users";
+												mountOptions = [ "compress=lzo" "noatime" ];
+											};
+										};
+									};
+								};
+							};
+
+							swap = {
+								priority = 2;
+								size = "30G";
+								content = {
+									name = "swap";
+									type = "luks";
+
+									settings.allowDiscards = true;
+
+									passwordFile = config.age.secrets.ignucius-disks-password.path;
+
+									initrdUnlock = true; # Add a boot.initrd.luks.devices entry for the specified disk
+
+									extraFormatArgs = [
+										"--use-random" # use true random data from /dev/random, will block until enough entropy is available
+										"--label=CRYPT_SWAP"
+									];
+
+									extraOpenArgs = [
+										"--timeout 10"
+									];
+
+									content = {
+										# FIXME-QA(Krey): Add label 'SWAP'
+										type = "swap";
+										resumeDevice = true; # resume from hiberation from this device
+
+										extraArgs = [
+											"--label SWAP"
+										];
+									};
+								};
+							};
+						};
+					};
+				};
+			};
+		};
+	} else {
+		age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; # Change the identity path to use our disko path
+
+		disk = {
+			system = {
+				device = diskoDevice;
+				type = "disk";
+				imageSize = "50G"; # Size of the generated image
+				content = {
+					type = "gpt";
+					partitions = {
+
+						boot = {
+							priority = 1; # Needs to be first partition
+							type = "EF00"; # EFI System Partition/
+							size = "512M";
+							content = {
+								type = "filesystem";
+								format = "vfat"; # FAT32
+								mountpoint = "/boot";
+							};
+						};
+
+						store = {
+							priority = 3;
+							size = "100%";
+							content = {
+								name = "store";
+								type = "luks";
+								settings.allowDiscards = true;
+
+								passwordFile = config.age.secrets.ignucius-disks-password.path;
+
+								initrdUnlock = true; # Add a boot.initrd.luks.devices entry for the specified disk
+
+								extraFormatArgs = [
+									"--use-random" # use true random data from /dev/random, will block until enough entropy is available
+									"--label=CRYPT_NIX"
+								];
+
+								extraOpenArgs = [
+									"--timeout 10"
+								];
+
+								content = {
+									type = "btrfs";
+									extraArgs = [ "--label NIX_STORE" ];
+									subvolumes = {
+											"@nix" = {
+												mountpoint = "/nix";
+												mountOptions = [ "compress=lzo" "noatime" ];
+											};
+											"@system-persist" = {
+												mountpoint = "/nix/persist/system";
+												mountOptions = [ "compress=lzo" "noatime" ];
+											};
+											"@user-persist" = {
+												mountpoint = "/nix/persist/users";
+												mountOptions = [ "compress=lzo" "noatime" ];
+											};
+										};
+								};
+							};
+						};
+
+						swap = {
+							priority = 2;
+							size = "30G";
+							content = {
+								name = "swap";
+								type = "luks";
+
+								settings.allowDiscards = true;
+
+								passwordFile = config.age.secrets.ignucius-disks-password.path;
+
+								initrdUnlock = true; # Add a boot.initrd.luks.devices entry for the specified disk
+
+								extraFormatArgs = [
+									"--use-random" # use true random data from /dev/random, will block until enough entropy is available
+									"--label=CRYPT_SWAP"
+								];
+
+								extraOpenArgs = [
+									"--timeout 10"
+								];
+
+								content = {
+									# FIXME-QA(Krey): Add label 'SWAP'
+									type = "swap";
+									resumeDevice = true; # resume from hiberation from this device
+
+									extraArgs = [
+										"--label SWAP"
+									];
+								};
+							};
+						};
+					};
+				};
+			};
+		};
+	})
+]

src/nixos/machines/ignucius/config/firmware.nix

@@ -0,0 +1,8 @@
+{ ... }:
+
+# Firmware management of IGNUCIUS
+
+{
+	# NOTE(Krey): Hardened device, do not load any kind of 3rd party firmware that is not explicitly declared
+	services.fwupd.enable = false; # Use FWUP daemon to keep firmware files up-to-date
+}

src/nixos/machines/ignucius/config/hardware-acceleration.nix

@@ -0,0 +1,19 @@
+{ config, lib, ... }:
+
+# Hardware-acceleration management of IGNUCIUS
+
+{
+	"24.05" = {
+		# The option was renamed on `hardware.graphics` in NixOS 24.11+
+		hardware.opengl = {
+			enable = true;
+			driSupport = true;
+			driSupport32Bit = true;
+		};
+	};
+
+	"24.11" = {
+		hardware.graphics.enable = true;
+		hardware.graphics.enable32Bit = true;
+	};
+}."${lib.trivial.release}" or (throw "Release is not implemented: ${lib.trivial.release}")

src/nixos/machines/ignucius/config/initrd.nix

@@ -0,0 +1,21 @@
+{ ... }:
+
+{
+	# InitRD Kernel Modules
+	boot.initrd.availableKernelModules = [
+		# Auto-Generated
+		"xhci_pci"
+		# FIXME(Krey): Not Found in Hardened Kernel!
+		# "ehci_pc"
+		"ahci"
+		"usb_storage" # Needed to find the USB device during initrd stage
+		"sd_mod"
+		"sdhci_pci"
+	];
+	boot.initrd.kernelModules = [ ];
+
+	boot.initrd.includeDefaultModules = true; # Has to be set to true to be able to input decrypting password
+
+	# FIXME(Krey): We are expecting to use the systemd initrd, but it currently has issues (https://github.com/NixOS/nixpkgs/issues/245089#issuecomment-1646966283)
+	boot.initrd.systemd.enable = false;
+}

src/nixos/machines/ignucius/config/kernel.nix

@@ -0,0 +1,9 @@
+{ ... }:
+
+# Kernel Management of IGNUCIUS
+
+{
+	boot.kernelModules = [
+		"kvm-intel" # Use KVM
+	];
+}

src/nixos/machines/ignucius/config/networking.nix

@@ -0,0 +1,15 @@
+{ lib, ... }:
+
+# Networking Management of IGNUCIUS
+
+let
+	inherit (lib) mkForce;
+in {
+	# FIXME-QA(Krey): Set to false by `/nixos/modules/services/networking/networkmanager.nix`, better management needed
+	networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
+	# networking.interfaces.wwp0s29u1u4i6.useDHCP = lib.mkDefault true;
+
+	# Always use network manager for convinience
+	# FIXME-QA(Krey): Set to false by `/nixos/modules/services/networking/networkmanager.nix`, better management needed
+	networking.networkmanager.enable = mkForce true;
+}

src/nixos/machines/ignucius/config/security.nix

@@ -0,0 +1,38 @@
+{ lib, config, pkgs, ... }:
+
+#! # Security management of IGNUCIUS
+#! System has a vulnerable CPU (...) that needs management to be suitable for high-security mission-critical environment
+#!
+#! ## Management of TSX Asynchronous Abort
+#! TAA (CVE-2019-11135) is a hardware vulnerability that allows unprivileged speculative access to data which is available in various CPU internal buffers by using asynchronous aborts within an Intel TSX transactional region, refer to https://docs.kernel.org/admin-guide/hw-vuln/tsx_async_abort.html for more info.
+#!
+#! The management of this problem is done in upstream linux and allows administrators to adjust the way that the management is enforced, for our infrastructure it's expected to enforce full mitigation to comply with paranoid setup.
+
+let
+	inherit (lib) mkMerge mkForce mkDefault mkIf;
+in {
+	config = mkMerge [
+		{
+			security.allowSimultaneousMultithreading = mkForce false; # Disable Simultaneous Multi-Threading as on this system it exposes unwanted attack vectors
+
+			# Kernel
+				boot.kernelPackages = mkForce pkgs.linuxPackages_hardened; # Always use the Hardened Kernel
+
+				boot.kernelParams = mkForce [
+					"tsx=auto" # Let Linux Developers determine if the mitigation is needed
+					"tsx_async_abort=full,nosmt" # Enforce Full Mitigation if the management is needed
+					"mds=off" # Paranoid enforcement, shouldn't be needed..
+				];
+
+			# Necessary Evil to keep the CPU microcode up-to-date, such is all i686 and amd64 architecture systems
+			hardware.enableRedistributableFirmware = true;
+			hardware.cpu.intel.updateMicrocode = mkDefault config.hardware.enableRedistributableFirmware;
+		}
+
+		# Enforce to use the Tor Proxy
+		# (mkIf config.services.tor.enable {
+		# 	networking.proxy.default = mkDefault "socks5://127.0.0.1:9050";
+		# 	networking.proxy.noProxy = mkDefault "127.0.0.1,localhost";
+		# })
+	];
+}