0259137 to 6ca3f0a
* add shamir-bip39 package
* add minimized + hardened iso / vm image
* add devshell
| # boot.kernelPackages = pkgs.linuxPackagesFor ( | ||
| # pkgs.linuxPackages_latest.kernel.override { | ||
| # ignoreConfigErrors = true; | ||
| # } | ||
| # ); |
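Review bot: the commented-out `boot.kernelPackages` override (`pkgs.linuxPackages_latest.kernel.override { ignoreConfigErrors = true; }`) should either be deleted or carry a comment saying why it is kept; `ignoreConfigErrors = true` silently accepts kernel config options that did not take effect, which is exactly the failure a hardened, network-less image wants to see loudly, so it is not a safe snippet to leave around for someone to uncomment later.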
| name = "minimize"; | ||
| patch = null; | ||
| extraConfig = '' | ||
| NET N |
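Review bot: the `extraConfig` of the `minimize` kernel patch starts with `NET N`, which builds the kernel without the networking stack at all; that matches the README's "no network" goal but is a much stronger statement than leaving interfaces unconfigured, so say so in the README, and make sure the build does not depend on `ignoreConfigErrors` to paper over other options that require `NET`. The rest of `extraConfig` is cut off in this view, so please double-check the remaining lines for the same kind of dependency.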
| environment.sessionVariables = { | ||
| MALLOC_PERTURB_ = ''42''; | ||
| }; |
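Review bot: `MALLOC_PERTURB_ = ''42''` in `environment.sessionVariables` only affects glibc's allocator in processes that inherit the session environment, and it fills new allocations and freed heap chunks with a fixed byte pattern rather than wiping them; it is a debugging aid, not the "clears memory after usage" guarantee the README advertises, so the README should not be read as relying on it. Minor: `''42''` can simply be written `"42"`.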
| Welcome to shamir-bip39 secure environment | ||
| This system has no network or persistent storage for security. | ||
|
|
||
| Split a secret: shamir-bip39 split -t 2 -n 3 --secret "your mnemonic here\" |
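Review bot: the trailing `\"` in the split example (`--secret "your mnemonic here\"`) looks like a stray escape that may print a literal backslash in the welcome message; drop it so the example reads `--secret "your mnemonic here"`. Separately, the example puts the mnemonic on the command line, where it ends up in the root shell's history and in process listings for the session; if the CLI can read the secret from a prompt or stdin, show that form in the welcome text instead.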
Why is the backslash \ required in the string ”your mnemonic here\”? It doesn’t appear to break a line or perform any typical escaping function (I’m not familiar with Flakes).
| # Use bash as the shell but add our welcome message | ||
| users.users.root.shell = pkgs.bashInteractive; | ||
|
|
||
| # Add a welcome message via profile |
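Review bot: since the root shell is `pkgs.bashInteractive` and the welcome message shows a secret being passed via `--secret`, the same profile should also set `HISTFILE=` (or `HISTSIZE=0`) so that nothing typed at the root prompt is written to a history file; storage is not persistent, but the history would still sit in the tmpfs for the rest of the session.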
(not important): Is there an easy way to load this message from file (or something similar) so that we can have the same in the readme of the repo? Or a way to ensure we don't forget to update it if we ever update the readme/cli?
mmh or it doesn't actually matter since a number of settings are hardcoded in this file for security reasons anyway?
| description = "shamir-bip39 - Shamir's Secret Sharing for BIP-39 mnemonics"; | ||
|
|
||
| inputs = { | ||
| nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; |
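Review bot: `nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"` means every `nix flake update` can swap the kernel, glibc and systemd inside the image; given that this PR adds Cargo.lock precisely for determinism, pin the input to a release branch (the README below already names a `nixos-25.05` ISO), make sure flake.lock is committed, and document when it should be bumped.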
Is there no way to only use stable nixos in this case?
| before = [ "shutdown.target" ]; | ||
| serviceConfig = { | ||
| Type = "oneshot"; | ||
| RemainAfterExit = true; |
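Review bot: with `Type = "oneshot"` and `RemainAfterExit = true`, whatever is in `ExecStart` runs once at boot and the unit then stays active; `before = [ "shutdown.target" ]` only orders the unit's stop job ahead of `shutdown.target`. If this is the memory-clearing step the README describes, the shutdown-time work has to live in `serviceConfig.ExecStop`, and the unit normally also wants `conflicts = [ "shutdown.target" ]` and `unitConfig.DefaultDependencies = false` so it is not stopped early. None of that is visible in this hunk, so please confirm or add it.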
Pull Request Overview
This PR introduces a nix flake to support generating a hardened and minimized ISO/VM image along with a devshell and adds the shamir-bip39 package. Key changes include:
- Excluding specific nix configuration files from typos checks via typos.toml.
- Adding instructions in README.md for building and deploying an optimized boot image.
- Introducing a Cargo.lock file to ensure deterministic builds.
Reviewed Changes
Copilot reviewed 5 out of 7 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| typos.toml | Added file exclusion configuration for nix configs in typos checks |
| README.md | New Boot Image section providing build instructions for generating the hardened/minimized ISO |
Files not reviewed (2)
- .editorconfig: Language not supported
- flake.nix: Language not supported
| ``` | ||
| And copy the resulting `result/iso/nixos-25.05.*-x86_64-linux.iso` to a USB drive. | ||
|
|
||
| This image uses a hardened linux kernel, is minimized (no network, no harddisk mounting, no unecesarry services, ... ) and clears memory after usage and reboot to minimize data leakage. |
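Review bot: the `result/iso/nixos-25.05.*-x86_64-linux.iso` path will only match if nixpkgs is actually a 25.05 release; with `nixos-unstable` as the flake input the version string in the file name will differ, so either pin nixpkgs to 25.05 or loosen the glob. Also, "clears memory after usage and reboot" should say how: a one-line pointer to the flake.nix option or service that does the clearing lets readers of a security README judge the claim for themselves.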
Typo found in 'unecesarry'. It should be corrected to 'unnecessary'.
| This image uses a hardened linux kernel, is minimized (no network, no harddisk mounting, no unecesarry services, ... ) and clears memory after usage and reboot to minimize data leakage. | |
| This image uses a hardened linux kernel, is minimized (no network, no harddisk mounting, no unnecessary services, ... ) and clears memory after usage and reboot to minimize data leakage. |
I had to add the Cargo.lock file so the build process can become deterministic, which is important for a tool like this. AFAIK it does not cause problems when using this package as a lib. It should be published on crates.io anyway.