From cfaef26e8718916adcc68fbfb63b15f2389b2cd2 Mon Sep 17 00:00:00 2001 From: Mike Vink Date: Fri, 6 Oct 2023 23:10:55 +0200 Subject: move all the files --- drduh/installer | 1 + drduh/signed.txt | 20 ++++++ drduh/yubikey-installer.nix | 171 ++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 192 insertions(+) create mode 120000 drduh/installer create mode 100644 drduh/signed.txt create mode 100644 drduh/yubikey-installer.nix (limited to 'drduh')
diff --git a/drduh/installer b/drduh/installer
new file mode 120000
index 0000000..5743a7f
--- /dev/null
+++ b/drduh/installer
@@ -0,0 +1 @@
+/nix/store/bc1gji3lg1yqs4c8yazdfdgwj2aqb676-nixos-yubikey-22.11beta-297654.gfedcba-x86_64-linux.iso
\ No newline at end of file
diff --git a/drduh/signed.txt b/drduh/signed.txt
new file mode 100644
index 0000000..e5ee920
--- /dev/null
+++ b/drduh/signed.txt
@@ -0,0 +1,20 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+test message string
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEZEPiBfFrOLTcspamK6IYQ5k48SgFAmSjBIQACgkQK6IYQ5k4
+8ShT6Q/6AlvJQ4+7bNUTanYsm1i1coAwedVYhtys2IJEZ39U1mBp7s23NqntB8fB
+huZasAfK0uOyfD263/RxVLKit2iKQRd5SzdbNIlUCHW2M+a8ueJwe+rYanIz8zLD
+cr5ykWgB6RTgVRLZTK0R1Nk3j2ojlW3N9VmtiUnEAq7aSbzk0071edRvKSw4g6vJ
+E8BrbE8SuhreYVtceiyLUp8w1XKosSVafbD2hhNe+MPCgjVJwVs82f2PzEs8OOSP
+omQw/fLO51gnBx1Si0b37M5Ye+6Q9CAA9AY61+U3MumBQTKVpwL/XEvRgioXmBPY
+tvqkD4PON7SjxLKI33daVgitBDeoweZ93NwBHGQ9neWLjSVbkl4fzrjw3MU3dDc5
+w/RjqAiaTdFb/MJ/kgUdj6xAi81JRh/rcHFfwF16gqRiaqgJG1CQrCYGtq13O+Ik
+EtsCbQcgzhBQonrFgFNc881YABnXKpFnFR+Xuq1zRryxdyOyqFrQ8qV1WPIck00E
+6hd/qFUdnVDulf9jzRmDer5yo916g/8KXMsWP45XXvoEL/5weI5kalCJbQl6k/xu
+89RNwu4uJzWFKER1JAQvTC6vzI7D4f6OKc+uCyy5lNq0iuEx9xzDxdaHPaGAgYgv
+5tB6TPfiixnHayj2P5svcmZxTGxk7X5cJ8cUtcIBz9dLg2FasrU=
+=Xa80
+-----END PGP SIGNATURE-----
diff --git a/drduh/yubikey-installer.nix b/drduh/yubikey-installer.nix
new file mode 100644
index 0000000..7c8a428
--- /dev/null
+++ b/drduh/yubikey-installer.nix
@@ -0,0 +1,171 @@
+# yubikey-installer.nix
+let
+ configuration = { config, lib, pkgs, ... }:
+ with pkgs;
+ let
+ src = fetchGit "https://github.com/drduh/YubiKey-Guide";
+
+ guide = "${src}/README.md";
+
+ contrib = "${src}/contrib";
+
+ drduhConfig = fetchGit "https://github.com/drduh/config";
+
+ gpg-conf = "${drduhConfig}/gpg.conf";
+
+ xserverCfg = config.services.xserver;
+
+ pinentryFlavour = if xserverCfg.desktopManager.lxqt.enable || xserverCfg.desktopManager.plasma5.enable then
+ "qt"
+ else if xserverCfg.desktopManager.xfce.enable then
+ "gtk2"
+ else if xserverCfg.enable || config.programs.sway.enable then
+ "gnome3"
+ else
+ "curses";
+
+ # Instead of hard-coding the pinentry program, chose the appropriate one
+ # based on the environment of the image the user has chosen to build.
+ gpg-agent-conf = runCommand "gpg-agent.conf" {} ''
+ sed '/pinentry-program/d' ${drduhConfig}/gpg-agent.conf > $out
+ echo "pinentry-program ${pinentry.${pinentryFlavour}}/bin/pinentry" >> $out
+ '';
+
+ view-yubikey-guide = writeShellScriptBin "view-yubikey-guide" ''
+ viewer="$(type -P xdg-open || true)"
+ if [ -z "$viewer" ]; then
+ viewer="${glow}/bin/glow -p"
+ fi
+ exec $viewer "${guide}"
+ '';
+
+ shortcut = makeDesktopItem {
+ name = "yubikey-guide";
+ icon = "${yubikey-manager-qt}/share/ykman-gui/icons/ykman.png";
+ desktopName = "drduh's YubiKey Guide";
+ genericName = "Guide to using YubiKey for GPG and SSH";
+ comment = "Open the guide in a reader program";
+ categories = [ "Documentation" ];
+ exec = "${view-yubikey-guide}/bin/view-yubikey-guide";
+ };
+
+ yubikey-guide = symlinkJoin {
+ name = "yubikey-guide";
+ paths = [ view-yubikey-guide shortcut ];
+ };
+
+ in {
+ nixpkgs.config = { allowBroken = true; };
+
+ isoImage.isoBaseName = lib.mkForce "nixos-yubikey";
+ # Uncomment this to disable compression and speed up image creation time
+ #isoImage.squashfsCompression = "gzip -Xcompression-level 1";
+
+ boot.kernelPackages = linuxPackages_latest;
+ # Always 
copytoram so that, if the image is booted from, e.g., a
+ # USB stick, nothing is mistakenly written to persistent storage.
+ boot.kernelParams = [ "copytoram" ];
+ # Secure defaults
+ boot.cleanTmpDir = true;
+ boot.kernel.sysctl = { "kernel.unprivileged_bpf_disabled" = 1; };
+
+ services.pcscd.enable = true;
+ services.udev.packages = [ yubikey-personalization ];
+
+ programs = {
+ ssh.startAgent = false;
+ gnupg.agent = {
+ enable = true;
+ enableSSHSupport = true;
+ };
+ };
+
+ environment.systemPackages = [
+ # Tools for backing up keys
+ paperkey
+ pgpdump
+ parted
+ cryptsetup
+
+ # Yubico's official tools
+ yubikey-manager
+ yubikey-manager-qt
+ yubikey-personalization
+ yubikey-personalization-gui
+ yubico-piv-tool
+ yubioath-desktop
+
+ # Testing
+ ent
+ (haskell.lib.justStaticExecutables haskellPackages.hopenpgp-tools)
+
+ # Password generation tools
+ diceware
+ pwgen
+
+ # Miscellaneous tools that might be useful beyond the scope of the guide
+ cfssl
+ pcsctools
+
+ # This guide itself (run `view-yubikey-guide` on the terminal to open it
+ # in a non-graphical environment).
+ yubikey-guide
+ ];
+
+ # Disable networking so the system is air-gapped
+ # Comment all of these lines out if you'll need internet access
+ boot.initrd.network.enable = false;
+ networking.dhcpcd.enable = false;
+ networking.dhcpcd.allowInterfaces = [];
+ networking.interfaces = {};
+ networking.firewall.enable = true;
+ networking.useDHCP = false;
+ networking.useNetworkd = false;
+ networking.wireless.enable = false;
+ networking.networkmanager.enable = lib.mkForce false;
+
+ # Unset history so it's never stored
+ # Set GNUPGHOME to an ephemeral location and configure GPG with the
+ # guide's recommended settings.
+ environment.interactiveShellInit = ''
+ unset HISTFILE
+ export GNUPGHOME="/run/user/$(id -u)/gnupg"
+ if [ ! -d "$GNUPGHOME" ]; then
+ echo "Creating \$GNUPGHOME…"
+ install --verbose -m=0700 --directory="$GNUPGHOME"
+ fi
+ [ ! 
-f "$GNUPGHOME/gpg.conf" ] && cp --verbose ${gpg-conf} "$GNUPGHOME/gpg.conf"
+ [ ! -f "$GNUPGHOME/gpg-agent.conf" ] && cp --verbose ${gpg-agent-conf} "$GNUPGHOME/gpg-agent.conf"
+ echo "\$GNUPGHOME is \"$GNUPGHOME\""
+ '';
+
+ # Copy the contents of contrib to the home directory, add a shortcut to
+ # the guide on the desktop, and link to the whole repo in the documents
+ # folder.
+ system.activationScripts.yubikeyGuide = let
+ homeDir = "/home/nixos/";
+ desktopDir = homeDir + "Desktop/";
+ documentsDir = homeDir + "Documents/";
+ in ''
+ mkdir -p ${desktopDir} ${documentsDir}
+ chown nixos ${homeDir} ${desktopDir} ${documentsDir}
+
+ cp -R ${contrib}/* ${homeDir}
+ ln -sf ${yubikey-guide}/share/applications/yubikey-guide.desktop ${desktopDir}
+ ln -sfT ${src} ${documentsDir}/YubiKey-Guide
+ '';
+ };
+
+ nixos = import {
+ inherit configuration;
+ supportedSystems = [ "x86_64-linux" ];
+ };
+
+ # Choose the one you like:
+ #nixos-yubikey = nixos.iso_minimal; # No graphical environment
+ #nixos-yubikey = nixos.iso_gnome;
+ nixos-yubikey = nixos.iso_plasma5;
+
+in {
+ inherit nixos-yubikey;
+}
-- cgit v1.2.3
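Review bot: `src` and `drduhConfig` at the top of the inner `let` are fetched with bare `fetchGit "<url>"` and no `rev`, so the gpg.conf, gpg-agent.conf and contrib scripts baked into this air-gapped image are whatever those repositories' default branches serve at build time, and a rebuild can silently yield a different image than the one that was reviewed. Pin both to a commit, e.g. `src = fetchGit { url = "https://github.com/drduh/YubiKey-Guide"; rev = "<pinned-commit-sha>"; };` and likewise for `drduhConfig`, so an upstream change fails the build instead of altering the trusted image. A short comment beside them naming the revision that was audited would also record what the image actually contains. Separately, `nixos = import {` near the end of the hunk shows no path argument; I take that to be a loss in rendering rather than the file's content, since `import` requires one.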