Commit b5bbf6f9 authored by Majiir Paktu's avatar Majiir Paktu

nixos/plymouth-tpm2-totp: init

parent beef19b8
+15 −0
{
  "module-boot-plymouth-tpm2-totp": [
    "index.html#module-boot-plymouth-tpm2-totp"
  ],
  "module-boot-plymouth-tpm2-totp-quick-start": [
    "index.html#module-boot-plymouth-tpm2-totp-quick-start"
  ],
  "module-boot-plymouth-tpm2-totp-quick-start-check": [
    "index.html#module-boot-plymouth-tpm2-totp-quick-start-check"
  ],
  "module-boot-plymouth-tpm2-totp-quick-start-configure": [
    "index.html#module-boot-plymouth-tpm2-totp-quick-start-configure"
  ],
  "module-boot-plymouth-tpm2-totp-quick-start-enable": [
    "index.html#module-boot-plymouth-tpm2-totp-quick-start-enable"
  ],
  "sec-override-nixos-test": [
    "index.html#sec-override-nixos-test"
  ],
+2 −0
@@ -88,6 +88,8 @@

- The [Neat IP Address Planner](https://spritelink.github.io/NIPAP/) (NIPAP) can now be enabled through [services.nipap.enable](#opt-services.nipap.enable).

- [tpm2-totp](https://github.com/tpm2-software/tpm2-totp) can now be used to show a TOTP during boot using Plymouth. Available as [boot.plymouth.tpm2-totp](#opt-boot.plymouth.tpm2-totp.enable).

- [nix-store-veritysetup](https://github.com/nikstur/nix-store-veritysetup-generator), a systemd generator to unlock the Nix Store as a dm-verity protected block device. Available as [boot.initrd.nix-store-veritysetup](options.html#opt-boot.initrd.nix-store-veritysetup.enable).

- [SuiteNumérique Docs](https://github.com/suitenumerique/docs), a collaborative note taking, wiki and documentation web platform and alternative to Notion or Outline. Available as [services.lasuite-docs](#opt-services.lasuite-docs.enable).
+1 −0
@@ -1829,6 +1829,7 @@
  ./system/boot/modprobe.nix
  ./system/boot/networkd.nix
  ./system/boot/nix-store-veritysetup.nix
  ./system/boot/plymouth-tpm2-totp.nix
  ./system/boot/plymouth.nix
  ./system/boot/resolved.nix
  ./system/boot/shutdown.nix
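--- /dev/null
+++ b/nixos/modules/system/boot/plymouth-tpm2-totp.md
@@ -0,0 +1,29 @@
+# tpm2-totp with Plymouth {#module-boot-plymouth-tpm2-totp}
+
+[tpm2-totp](https://github.com/tpm2-software/tpm2-totp) attests the trustworthiness of a device against a human using time-based one-time passwords. This module uses a `tpm2-totp` configuration to display a TOTP at boot using Plymouth.
+
+## Quick start {#module-boot-plymouth-tpm2-totp-quick-start}
+
+### 1. Enable modules {#module-boot-plymouth-tpm2-totp-quick-start-enable}
+
+```nix
+{
+  boot.plymouth.tpm2-totp.enable = true;
+
+  # Plymouth and systemd initrd/stage-1 are required:
+  boot.plymouth.enable = true;
+  boot.initrd.systemd.enable = true;
+}
+```
+
+Switch to the new configuration before proceeding to the next step.
+
+### 2. Configure `tpm2-totp` {#module-boot-plymouth-tpm2-totp-quick-start-configure}
+
+Generate a new TOTP secret and save the secret in your chosen authenticator app. See `man tpm2-totp` for commands and configuration examples.
+
+More information, including security considerations, can be found in the `README.md` in the [tpm2-totp](https://github.com/tpm2-software/tpm2-totp) repository. Be sure to select the tag for the version of `tpm2-totp` you have installed.
+
+### 3. Check configuration {#module-boot-plymouth-tpm2-totp-quick-start-check}
+
+Reboot and you should see the TOTP appear on the Plymouth boot screen. The TOTP should match the code displayed in your authenticator app (or the code immediately before/after).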
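--- /dev/null
+++ b/nixos/modules/system/boot/plymouth-tpm2-totp.nix
@@ -0,0 +1,59 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  cfg = config.boot.plymouth.tpm2-totp;
+in
+{
+  options.boot.plymouth.tpm2-totp = {
+    enable = lib.mkEnableOption "tpm2-totp using Plymouth" // {
+      description = "Whether to display a TOTP during boot using tpm2-totp and Plymouth.";
+    };
+
+    package = lib.mkPackageOption pkgs "tpm2-totp" { default = "tpm2-totp-with-plymouth"; };
+  };
+
+  meta = {
+    maintainers = with lib.maintainers; [ majiir ];
+    doc = ./plymouth-tpm2-totp.md;
+  };
+
+  config = lib.mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = config.boot.initrd.systemd.enable;
+        message = "boot.plymouth.tpm2-totp is only supported with boot.initrd.systemd.";
+      }
+    ];
+
+    environment.systemPackages = [
+      cfg.package
+    ];
+
+    boot.initrd.systemd.storePaths = [
+      "${cfg.package}/libexec/tpm2-totp/plymouth-tpm2-totp"
+      "${cfg.package}/lib/libtpm2-totp.so.0"
+      "${cfg.package}/lib/libtpm2-totp.so.0.0.0"
+    ];
+
+    # Based on https://github.com/tpm2-software/tpm2-totp/blob/9bcfdcbfdd42e0b2e1d7769852009608f889631c/dist/plymouth-tpm2-totp.service.in
+    boot.initrd.systemd.services.plymouth-tpm2-totp = {
+      description = "Display a TOTP during boot using Plymouth";
+      requires = [ "plymouth-start.service" ];
+      after = [
+        "plymouth-start.service"
+        "tpm2.target"
+      ];
+      wantedBy = [ "sysinit.target" ];
+      unitConfig.DefaultDependencies = false;
+      serviceConfig = {
+        Type = "exec";
+        ExecStart = "${cfg.package}/libexec/tpm2-totp/plymouth-tpm2-totp";
+      };
+    };
+  };
+}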
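Review bot: The `assertions` list only checks `boot.initrd.systemd.enable`, yet the unit below hard-`requires` `plymouth-start.service`, so a configuration with Plymouth disabled evaluates cleanly and then fails in stage 1 with no TOTP on screen — the quick-start text says Plymouth is required, but nothing enforces it. I would add a second entry alongside the existing one: `{ assertion = config.boot.plymouth.enable; message = "boot.plymouth.tpm2-totp requires boot.plymouth.enable."; }`. Separately, the service is ordered `after` `tpm2.target` but does not `wants` it, and the module neither enables nor asserts the initrd's TPM2 support (`boot.initrd.systemd.tpm2`); if that option is off the TCTI libraries and `/dev/tpmrm0` handling may be missing from the initrd, so the ordering would be a no-op and the unit would fail silently — worth an assertion or at least a comment if that dependency is real. The three `storePaths` entries also pin `libtpm2-totp.so.0`/`.so.0.0.0` by exact name, which will break quietly for a user-supplied `package` with a different soname; a one-line comment explaining why the shared objects must be listed explicitly (the initrd closure scanner evidently does not pick them up from the binary) would help the next maintainer.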