feat: nix flake

.gitignore

@@ -0,0 +1,2 @@
+result
+*.qcow2

flake.nix

@@ -0,0 +1,54 @@
+{
+  description = "famedly-openpgp-scripts (short fos)";
+
+  inputs = {
+    nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable";
+    flake-parts.url = "github:hercules-ci/flake-parts";
+  };
+
+  outputs = inputs@{ self, nixpkgs, flake-parts, ... }:
+
+    flake-parts.lib.mkFlake { inherit inputs; } {
+
+      imports = [ ];
+
+      systems = [
+        "x86_64-linux"
+        "aarch64-linux"
+      ];
+
+      perSystem = { config, pkgs, ... }: {
+        formatter = pkgs.nixpkgs-fmt;
+        packages = {
+          fos-export = pkgs.writeShellScriptBin "fos-export" (builtins.readFile ./fos-export);
+          fos-mount = pkgs.writeShellScriptBin "fos-mount" (builtins.readFile ./fos-mount);
+          fos-new = pkgs.writeShellScriptBin "fos-new" (builtins.readFile ./fos-new);
+          fos-partitions = pkgs.writeShellScriptBin "fos-partitions" (builtins.readFile ./fos-partitions);
+          fos-sync = pkgs.writeShellScriptBin "fos-sync" (builtins.readFile ./fos-sync);
+          fos-working-directory = pkgs.writeShellScriptBin "fos-working-directory" (builtins.readFile ./fos-working-directory);
+        };
+      };
+
+      flake =
+        let
+          mkSystem = system:
+            nixpkgs.lib.nixosSystem {
+              inherit system;
+              modules = [
+                "${nixpkgs}/nixos/modules/profiles/all-hardware.nix"
+                "${nixpkgs}/nixos/modules/installer/cd-dvd/iso-image.nix"
+                ./iso.nix
+              ];
+              specialArgs = {
+                inherit inputs;
+                flake = self;
+              };
+
+            };
+        in
+        {
+          nixosConfigurations.fos-live = mkSystem "x86_64-linux";
+          nixosConfigurations.fos-live-aarch64 = mkSystem "aarch64-linux";
+        };
+    };
+}

iso.nix

@@ -0,0 +1,159 @@
+# Some parts of this have been copied from https://github.com/drduh/yubikey-guide
+# Original License:
+# Copyright (c) 2016 drduh
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+
+{ lib, pkgs, flake, ... }: {
+  isoImage = {
+    isoName = "fos.iso";
+    compressImage = true;
+
+    makeEfiBootable = true;
+    makeUsbBootable = true;
+  };
+
+  swapDevices = [ ];
+
+  boot = {
+    tmp.cleanOnBoot = true;
+    kernel.sysctl = { "kernel.unprivileged_bpf_disabled" = 1; };
+  };
+
+  services = {
+    pcscd.enable = true;
+    udev.packages = [ pkgs.yubikey-personalization ];
+    # Automatically log in at the virtual consoles.
+    getty.autologinUser = "nixos";
+    # Comment out to run in a console for a smaller iso and less RAM.
+    xserver = {
+      enable = true;
+      desktopManager.xfce = {
+        enable = true;
+        enableScreensaver = false;
+      };
+      displayManager = {
+        lightdm.enable = true;
+      };
+    };
+    displayManager.autoLogin = {
+      enable = true;
+      user = "nixos";
+    };
+  };
+
+  programs = {
+    ssh.startAgent = false;
+    gnupg.agent = {
+      enable = true;
+      enableSSHSupport = true;
+      pinentryPackage = pkgs.pinentry-curses;
+      settings = {
+        default-cache-ttl = 60;
+        max-cache-ttl = 120;
+      };
+    };
+  };
+
+  # Use less privileged nixos user
+  users.users = {
+    nixos = {
+      isNormalUser = true;
+      extraGroups = [ "wheel" "video" ];
+      initialHashedPassword = "";
+    };
+    root.initialHashedPassword = "";
+  };
+
+  security = {
+    pam.services.lightdm.text = ''
+      auth sufficient pam_succeed_if.so user ingroup wheel
+    '';
+    sudo = {
+      enable = true;
+      wheelNeedsPassword = false;
+    };
+  };
+
+  environment.systemPackages = with pkgs; [
+    # Tools for backing up keys
+    paperkey
+    pgpdump
+    parted
+    cryptsetup
+
+    # Yubico's official tools
+    yubikey-manager
+    yubikey-manager-qt
+    yubikey-personalization
+    yubikey-personalization-gui
+    yubico-piv-tool
+    yubioath-flutter
+
+    cfssl
+    git
+    htop
+    jq
+    okular
+    openpgp-card-tools
+    pcsctools
+    pwgen
+    sequoia-sq
+    tmux
+
+    # Famedly OpenPGP Scripts
+    flake.packages.${system}.fos-export
+    flake.packages.${system}.fos-mount
+    flake.packages.${system}.fos-new
+    flake.packages.${system}.fos-partitions
+    flake.packages.${system}.fos-sync
+    flake.packages.${system}.fos-working-directory
+  ];
+
+  nixpkgs.config.allowBroken = true;
+
+  # Disable networking so the system is air-gapped
+  # Comment all of these lines out if you'll need internet access
+  boot.initrd.network.enable = false;
+  networking = {
+    resolvconf.enable = false;
+    dhcpcd.enable = false;
+    dhcpcd.allowInterfaces = [ ];
+    interfaces = { };
+    firewall.enable = true;
+    useDHCP = false;
+    useNetworkd = false;
+    wireless.enable = false;
+    networkmanager.enable = lib.mkForce false;
+  };
+
+  # Unset history so it's never stored Set GNUPGHOME to an
+  # ephemeral location and configure GPG with the guide
+
+  environment.interactiveShellInit = ''
+    unset HISTFILE
+    export GNUPGHOME="/run/user/$(id -u)/gnupg"
+    if [ ! -d "$GNUPGHOME" ]; then
+      echo "Creating \$GNUPGHOME…"
+      install --verbose -m=0700 --directory="$GNUPGHOME"
+    fi
+    echo "\$GNUPGHOME is \"$GNUPGHOME\""
+  '';
+
+  virtualisation.vmVariant = {
+    # VM config for testing, don't handle any sensitive data when running this in a VM only.
+    virtualisation = {
+      memorySize = 8192;
+      cores = 6;
+      graphics = true;
+    };
+  };
+
+  system.stateVersion = "24.05";
+}