From 99947c76dbc783fbc2e5d57cc3233260069bfe90 Mon Sep 17 00:00:00 2001
From: Sebastian Fleer
Date: Wed, 18 Jun 2025 10:45:46 +0200
Subject: [PATCH 1/2] feat: switch to Plasma desktop environment

---
 iso.nix | 46 ++++++++++++++++++++++++++++++----------------
 1 file changed, 30 insertions(+), 16 deletions(-)

diff --git a/iso.nix b/iso.nix
index 0520f69..3e075df 100644
--- a/iso.nix
+++ b/iso.nix
@@ -32,6 +32,7 @@ let
 name = "yubikey-guide";
 paths = [ viewYubikeyGuide shortcut ];
 };
+ session = "dbus-run-session -- startplasma-wayland";
 in
 {
 isoImage = {
@@ -54,20 +55,20 @@ in
 # Automatically log in at the virtual consoles.
 getty.autologinUser = "nixos";
 # Comment out to run in a console for a smaller iso and less RAM.
- xserver = {
+ desktopManager.plasma6.enable = true;
+ greetd = {
 enable = true;
- desktopManager.xfce = {
- enable = true;
- enableScreensaver = false;
- };
- displayManager = {
- lightdm.enable = true;
+ settings = {
+ initial_session = {
+ command = "${session}";
+ user = "nixos";
+ };
+ default_session = {
+ command = "${pkgs.greetd.greetd}/bin/agreety --cmd ${session}";
+ user = "greeter";
+ };
 };
 };
- displayManager.autoLogin = {
- enable = true;
- user = "nixos";
- };
 };

 programs = {
@@ -100,9 +101,6 @@ in
 };

 security = {
- pam.services.lightdm.text = ''
- auth sufficient pam_succeed_if.so user ingroup wheel
- '';
 sudo = {
 enable = true;
 wheelNeedsPassword = false;
@@ -129,9 +127,12 @@ in
 yubikeyGuide

 cfssl
+ falkon
 git
 htop
 jq
+ nano
+ neovim
 okular
 flake.packages.${system}.openpgp-ca # openpgp-ca with famedly patches
 openpgp-card-tools
@@ -141,7 +142,8 @@ in
 sequoia-sq
 ssss
 tmux
- neovim
+ wayland-utils
+ wl-clipboard

 # Famedly OpenPGP Scripts
 flake.packages.${system}.fos-export
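Review bot: In the greetd `initial_session` block, `command = "${session}";` is a string that interpolates nothing but `session` itself, so it can simply be `command = session;`. A second point to confirm: with the lightdm PAM rule removed further down in this patch, greetd's `initial_session` is used once at boot and every later login goes through `default_session` (agreety), which will ask for the `nixos` user's password; the hunk does not show how that account's password is set, so either document that the auto-login is one-shot or make sure the account can pass that prompt. A comment above `initial_session` such as `# used once at boot; after a logout agreety (default_session) prompts for a login` would make that behaviour visible to the next maintainer.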
@@ -153,6 +155,14 @@ in
 flake.packages.${system}.fos-working-directory
 ];

+ environment.plasma6.excludePackages = with pkgs.kdePackages; [
+ elisa
+ kdepim-runtime
+ krdp
+ oxygen
+ plasma-browser-integration
+ ];
+
 nixpkgs.config.allowBroken = true;

 # Disable networking so the system is air-gapped
@@ -203,7 +213,11 @@ in
 virtualisation = {
 memorySize = 4096;
 cores = 4;
- graphics = true;
+ qemu.options = [
+ "-vga none"
+ "-device virtio-gpu"
+ "-usbdevice tablet"
+ ];
 };
 };

From bd84b61897f098abb9d386705cbb8dd101dc2ec8 Mon Sep 17 00:00:00 2001
From: Sebastian Fleer
Date: Wed, 18 Jun 2025 14:32:56 +0200
Subject: [PATCH 2/2] update: nix flakes and adjust scripts to changed sq commands

---
 flake.lock | 33 ++++++++++++++++++---------------
 fos-flash | 4 ++--
 fos-generate | 5 ++++-
 iso.nix | 12 ++++++------
 4 files changed, 30 insertions(+), 24 deletions(-)

diff --git a/flake.lock b/flake.lock
index 04f4ade..b7a36ad 100644
--- a/flake.lock
+++ b/flake.lock
@@ -5,11 +5,11 @@
 "nixpkgs-lib": "nixpkgs-lib"
 },
 "locked": {
- "lastModified": 1730504689,
- "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
+ "lastModified": 1749398372,
+ "narHash": "sha256-tYBdgS56eXYaWVW3fsnPQ/nFlgWi/Z2Ymhyu21zVM98=",
 "owner": "hercules-ci",
 "repo": "flake-parts",
- "rev": "506278e768c2a08bec68eb62932193e341f55c90",
+ "rev": "9305fe4e5c2a6fcf5ba6a3ff155720fbe4076569",
 "type": "github"
 },
 "original": {
@@ -20,11 +20,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1730768919,
- "narHash": "sha256-8AKquNnnSaJRXZxc5YmF/WfmxiHX6MMZZasRP6RRQkE=",
+ "lastModified": 1750122687,
+ "narHash": "sha256-zcGClfkXh4pckf4aGOZ18GFv73n1xHbdMWl17cPLouE=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "a04d33c0c3f1a59a2c1cb0c6e34cd24500e5a1dc",
+ "rev": "c539ae8d21e49776966d714f82fba33b1fca78bc",
 "type": "github"
 },
 "original": {
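Review bot: The new `environment.plasma6.excludePackages` list carries no comment explaining why these five packages are dropped, and the reason matters on an image that the comment a few lines below describes as air-gapped: `krdp` is Plasma's RDP server and `plasma-browser-integration` / `kdepim-runtime` pull in network-facing helpers, so the exclusions are attack-surface reduction rather than cosmetics. A one-line comment above the list, e.g. `# keep network-facing Plasma components (RDP server, browser/PIM integration) off the air-gapped image`, would record that intent so nobody re-adds them later.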
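Review bot: `"-usbdevice tablet"` in the new `qemu.options` list uses QEMU's legacy `-usbdevice` shorthand, which QEMU's documentation marks as deprecated; `"-device usb-tablet"` is the current spelling and matches the `-device virtio-gpu` entry right above it. Dropping `graphics = true;` is presumably a no-op if that is the module default, but if the VM module injects its own `-vga` flag the `-vga none` here will compete with it, so the generated run script is worth a look once. A short comment such as `# virtio-gpu gives the Wayland session a display; usb-tablet avoids pointer grabbing` would explain why these lines replace the old setting.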
@@ -36,14 +36,17 @@
 },
 "nixpkgs-lib": {
 "locked": {
- "lastModified": 1730504152,
- "narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=",
- "type": "tarball",
- "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
+ "lastModified": 1748740939,
+ "narHash": "sha256-rQaysilft1aVMwF14xIdGS3sj1yHlI6oKQNBRTF40cc=",
+ "owner": "nix-community",
+ "repo": "nixpkgs.lib",
+ "rev": "656a64127e9d791a334452c6b6606d17539476e2",
+ "type": "github"
 },
 "original": {
- "type": "tarball",
- "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
+ "owner": "nix-community",
+ "repo": "nixpkgs.lib",
+ "type": "github"
 }
 },
 "root": {
@@ -56,11 +59,11 @@
 "yubikeyGuide": {
 "flake": false,
 "locked": {
- "lastModified": 1730658116,
- "narHash": "sha256-gmsr6uBQE9IG1+uK7mtIGXqrHeVG+Wf7uHc2zC4aWcY=",
+ "lastModified": 1750017933,
+ "narHash": "sha256-lj90IEekf3nVCTfGqLRLqsAocLzJJVEFW30e3oFVXuA=",
 "owner": "drduh",
 "repo": "YubiKey-Guide",
- "rev": "dea24f4fa0b6a543788c51dde8dfaf77cf9cffca",
+ "rev": "428d8452142e1bf1667e5c7c87bb9325bbcae0a2",
 "type": "github"
 },
 "original": {
diff --git a/fos-flash b/fos-flash
index 6c4ab7b..7a97d67 100755
--- a/fos-flash
+++ b/fos-flash
@@ -42,8 +42,8 @@ echo "12345678" >${fos_tmp_dir}/admin-pin-default
 diceware -l reinhold -n 4 | xargs -0 -I{} printf '%s' "{}" > "${fos_tmp_dir}/${localpart}-user-pin"
 diceware -l reinhold -n 6 | xargs -0 -I{} printf '%s' "{}" > "${fos_tmp_dir}/${localpart}-admin-pin"

-sq encrypt --force --with-password-file "${fos_tmp_dir}/primary-secret" --output "${fos_working_dir}/archive/employee-keys/${localpart}@famedly.com/user-pin.asc" "${fos_tmp_dir}/${localpart}-user-pin"
-sq encrypt --force --with-password-file "${fos_tmp_dir}/primary-secret" --output "${fos_working_dir}/archive/employee-keys/${localpart}@famedly.com/admin-pin.asc" "${fos_tmp_dir}/${localpart}-admin-pin"
+sq encrypt --without-signature --with-password-file "${fos_tmp_dir}/primary-secret" --output "${fos_working_dir}/archive/employee-keys/${localpart}@famedly.com/user-pin.asc" "${fos_tmp_dir}/${localpart}-user-pin"
+sq encrypt --without-signature --with-password-file "${fos_tmp_dir}/primary-secret" --output "${fos_working_dir}/archive/employee-keys/${localpart}@famedly.com/admin-pin.asc" "${fos_tmp_dir}/${localpart}-admin-pin"

 while read -rp "Insert the next yubikey, remove any previous ones. 'y' to flash the connected yubikey, 'n' for terminating. (Y/N): " confirm && [[ $confirm == [yY] || $confirm == [yY][eE][sS] ]]; do
 yes_or_no "Reset the inserted Yubikey before flashing?" && ykman openpgp reset -f
diff --git a/fos-generate b/fos-generate
index d09fa78..7de84c0 100755
--- a/fos-generate
+++ b/fos-generate
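Review bot: The two rewritten `sq encrypt` lines drop `--force` without replacing it, so if `user-pin.asc` or `admin-pin.asc` already exists at the archive path the command will now refuse to overwrite and exit non-zero (I believe the current sq spelling of the old flag is `--overwrite`, if overwriting is still intended). Nothing in the hunk checks that exit status and the `while read` loop right below goes on to flash YubiKeys whose PINs may never have been archived; unless the script runs under `set -e` (not visible here), consider `sq encrypt ... || { echo "archiving PIN failed" >&2; exit 1; }` on both lines, or one explicit status check before the loop. `--without-signature` itself is fine — these files are password-encrypted with the primary secret and there is no signing key in play — but a comment such as `# password-only encryption of the PINs; no signature by design` would stop a reader from "fixing" it later.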
@@ -34,7 +34,10 @@ oca -d ${fos_tmp_dir}/famedly.oca user add \

 mkdir "${fos_working_dir}/archive/employee-keys/${localpart}@famedly.com/"
 cp "${fos_key_file}" "${fos_working_dir}/archive/employee-keys/${localpart}@famedly.com/secret.asc"
-sq toolbox extract-cert --output "${fos_working_dir}/archive/employee-keys/${localpart}@famedly.com/public.asc" "${fos_key_file}"
+
+sq key import "$fos_key_file"
+key_fingerprint=$(sq inspect /tmp/fos/s.kim.asc | grep "Fingerprint" | xargs | cut -d " " -f2)
+sq cert export --output "${fos_working_dir}/archive/employee-keys/${localpart}@famedly.com/public.asc" --cert-email "${localpart}@famedly.com" --trust-root "$key_fingerprint"

 cd "${fos_working_dir}/archive"

diff --git a/iso.nix b/iso.nix
index 3e075df..34a32fd 100644
--- a/iso.nix
+++ b/iso.nix
@@ -21,7 +21,7 @@ let
 '';
 shortcut = pkgs.makeDesktopItem {
 name = "yubikey-guide";
- icon = "${pkgs.yubikey-manager-qt}/share/icons/hicolor/128x128/apps/ykman.png";
+ icon = "${pkgs.yubioath-flutter}/share/pixmaps/com.yubico.yubioath.png";
 desktopName = "drduh's YubiKey Guide";
 genericName = "Guide to using YubiKey for GnuPG and SSH";
 comment = "Open the guide in a reader program";
@@ -100,6 +100,8 @@ in
 root.initialHashedPassword = "";
 };

+ time.timeZone = "Europe/Berlin";
+
 security = {
 sudo = {
 enable = true;
@@ -116,9 +118,7 @@ in

 # Yubico's official tools
 yubikey-manager
- yubikey-manager-qt
 yubikey-personalization
- yubikey-personalization-gui
 yubico-piv-tool
 yubioath-flutter

@@ -127,14 +127,14 @@ in
 yubikeyGuide

 cfssl
- falkon
+ flake.packages.${system}.openpgp-ca # openpgp-ca with famedly patches
 git
 htop
 jq
+ kdePackages.falkon
+ kdePackages.okular
 nano
 neovim
- okular
- flake.packages.${system}.openpgp-ca # openpgp-ca with famedly patches
 openpgp-card-tools
 pcsctools
 pwgen
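Review bot: The added `key_fingerprint=` line inspects a hard-coded `/tmp/fos/s.kim.asc` instead of the key the script was just given, so for any other localpart that file does not exist, `key_fingerprint` ends up empty and `sq cert export` runs with `--trust-root ""`; it should read `key_fingerprint=$(sq inspect "$fos_key_file" | grep "Fingerprint" | xargs | cut -d " " -f2)`. If `sq inspect` ever prints more than one `Fingerprint` line (several certificates in the file), the `xargs | cut -f2` pair silently takes the first, so `grep -m1 "Fingerprint"` plus a guard such as `[[ -n "$key_fingerprint" ]] || { echo "no fingerprint found in $fos_key_file" >&2; exit 1; }` before the export would make a bad input fail loudly instead of producing an unauthenticated export. Note also that `sq key import` now places the secret key in the live system's sq keystore, whereas the removed `sq toolbox extract-cert` only read the file; a comment stating that this is acceptable only because the ISO is air-gapped and presumably non-persistent would be worth adding. The enclosing script continues outside this hunk.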