From c417f127e973491b46f204e397f8152ba5d06254 Mon Sep 17 00:00:00 2001 
From: Benedikt Peetz
Date: Fri, 18 Oct 2024 19:27:16 +0200
Subject: refactor(hosts): Move all unmaintained hosts to the `_unmaintained` dir
---
hosts/_unmaintained/isimud/command-line.html | 1491 +++++++++++++++++++++++
hosts/_unmaintained/isimud/default.nix | 44 +
hosts/_unmaintained/isimud/hardware/default.nix | 24 +
hosts/_unmaintained/isimud/networking.nix | 8 +
hosts/_unmaintained/lahmu/default.nix | 24 +
hosts/_unmaintained/lahmu/hardware/cpu.nix | 4 +
hosts/_unmaintained/lahmu/hardware/default.nix | 33 +
hosts/_unmaintained/lahmu/hardware/gpu.nix | 15 +
hosts/_unmaintained/lahmu/networking.nix | 14 +
hosts/_unmaintained/mammun/default.nix | 23 +
hosts/_unmaintained/mammun/hardware/cpu.nix | 3 +
hosts/_unmaintained/mammun/hardware/default.nix | 27 +
hosts/_unmaintained/mammun/hardware/gpu.nix | 14 +
hosts/_unmaintained/mammun/networking.nix | 16 +
hosts/_unmaintained/marduk/default.nix | 14 +
hosts/_unmaintained/marduk/hardware/default.nix | 19 +
hosts/_unmaintained/marduk/networking.nix | 14 +
hosts/isimud/command-line.html | 1491 -----------------------
hosts/isimud/default.nix | 44 -
hosts/isimud/hardware/default.nix | 24 -
hosts/isimud/networking.nix | 8 -
hosts/lahmu/default.nix | 24 -
hosts/lahmu/hardware/cpu.nix | 4 -
hosts/lahmu/hardware/default.nix | 33 -
hosts/lahmu/hardware/gpu.nix | 15 -
hosts/lahmu/networking.nix | 14 -
hosts/mammun/default.nix | 23 -
hosts/mammun/hardware/cpu.nix | 3 -
hosts/mammun/hardware/default.nix | 27 -
hosts/mammun/hardware/gpu.nix | 14 -
hosts/mammun/networking.nix | 16 -
hosts/marduk/default.nix | 14 -
hosts/marduk/hardware/default.nix | 19 -
hosts/marduk/networking.nix | 14 -
34 files changed, 1787 insertions(+), 1787 deletions(-)
create mode 100644 hosts/_unmaintained/isimud/command-line.html
create mode 100644 hosts/_unmaintained/isimud/default.nix
create mode 100644 hosts/_unmaintained/isimud/hardware/default.nix
create mode 100644 hosts/_unmaintained/isimud/networking.nix
create mode 100644 hosts/_unmaintained/lahmu/default.nix
create mode 100644 hosts/_unmaintained/lahmu/hardware/cpu.nix
create mode 100644 hosts/_unmaintained/lahmu/hardware/default.nix
create mode 100644 hosts/_unmaintained/lahmu/hardware/gpu.nix
create mode 100644 hosts/_unmaintained/lahmu/networking.nix
create mode 100644 hosts/_unmaintained/mammun/default.nix
create mode 100644 hosts/_unmaintained/mammun/hardware/cpu.nix
create mode 100644 hosts/_unmaintained/mammun/hardware/default.nix
create mode 100644 hosts/_unmaintained/mammun/hardware/gpu.nix
create mode 100644 hosts/_unmaintained/mammun/networking.nix
create mode 100644 hosts/_unmaintained/marduk/default.nix
create mode 100644 hosts/_unmaintained/marduk/hardware/default.nix
create mode 100644 hosts/_unmaintained/marduk/networking.nix
delete mode 100644 hosts/isimud/command-line.html
delete mode 100644 hosts/isimud/default.nix
delete mode 100644 hosts/isimud/hardware/default.nix
delete mode 100644 hosts/isimud/networking.nix
delete mode 100644 hosts/lahmu/default.nix
delete mode 100644 hosts/lahmu/hardware/cpu.nix
delete mode 100644 hosts/lahmu/hardware/default.nix
delete mode 100644 hosts/lahmu/hardware/gpu.nix
delete mode 100644 hosts/lahmu/networking.nix
delete mode 100644 hosts/mammun/default.nix
delete mode 100644 hosts/mammun/hardware/cpu.nix
delete mode 100644 hosts/mammun/hardware/default.nix
delete mode 100644 hosts/mammun/hardware/gpu.nix
delete mode 100644 hosts/mammun/networking.nix
delete mode 100644 hosts/marduk/default.nix
delete mode 100644 hosts/marduk/hardware/default.nix
delete mode 100644 hosts/marduk/networking.nix
(limited to 'hosts')
diff --git a/hosts/_unmaintained/isimud/command-line.html b/hosts/_unmaintained/isimud/command-line.html
new file mode 100644
index 00000000..4534001e
--- /dev/null
+++ b/hosts/_unmaintained/isimud/command-line.html
@@ -0,0 +1,1491 @@ + + + + + + + + +OnlyKey Command-Line Utility | Docs + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+ +
+ + + +
+ + + + + + + +
+ + + + +
+
+

OnlyKey Command-Line Utility

+
+ + + +
+ + +
The OnlyKey Command-Line Utility is a command line interface to OnlyKey.
+ + + + + + + +
+ + + + +

onlykey-cli

+ +

OnlyKey-cli - A command line interface to the OnlyKey (Similar functionality to OnlyKey App) that can be used for configuration, scripting, and testing.

+ +

Installation

+ +

Windows Stand-Alone EXE

+

No install is required. Download and run the EXE to open OnlyKey CLI interactive mode or run directly from command line like this:

+
C:\ onlykey-cli.exe getlabels
+
+ +

Download here

+ +

Windows Install with dependencies

+

1) Python 3.8 and pip3 are required. To setup a Python environment on Windows we recommend Anaconda https://www.anaconda.com/download/#windows

+ +

2) From an administrator command prompt run:

+
pip3 install hidapi==0.9.0 onlykey
+
+ +

You should see a message showing where the executable is installed. This is usually c:\python39\scripts\onlykey-cli.exe

+ +

MacOS Install with dependencies

+

Python 3.8 and pip3 are required. To setup a Python environment on MacOS we recommend Anaconda https://www.anaconda.com/download/#macos

+
$ brew install libusb
+$ pip3 install onlykey
+
+ +

Linux/BSD Install with dependencies

+ +

In order for non-root users in Linux to be able to communicate with OnlyKey a udev rule must be created as described here.

+ +

Ubuntu Install with dependencies

+
$ sudo apt update && sudo apt upgrade
+$ sudo apt install python3-pip python3-tk libusb-1.0-0-dev libudev-dev
+$ pip3 install onlykey
+$ wget https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/49-onlykey.rules
+$ sudo cp 49-onlykey.rules /etc/udev/rules.d/
+$ sudo udevadm control --reload-rules && udevadm trigger
+
+ +

Debian Install with dependencies

+
$ sudo apt update && sudo apt upgrade
+$ sudo apt install python3-pip python3-tk libusb-1.0-0-dev libudev-dev
+$ pip3 install onlykey
+$ wget https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/49-onlykey.rules
+$ sudo cp 49-onlykey.rules /etc/udev/rules.d/
+$ sudo udevadm control --reload-rules && udevadm trigger
+
+ +

RedHat Install with dependencies

+
$ yum update
+$ yum install python3-pip python3-devel python3-tk libusb-devel libudev-devel \
+              gcc redhat-rpm-config
+$ pip3 install onlykey
+$ wget https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/49-onlykey.rules
+$ sudo cp 49-onlykey.rules /etc/udev/rules.d/
+$ sudo udevadm control --reload-rules && udevadm trigger
+
+ +

Fedora Install with dependencies

+
$ dnf install python3-pip python3-devel python3-tkinter libusb-devel libudev-devel \
+              gcc redhat-rpm-config
+$ pip3 install onlykey
+$ wget https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/49-onlykey.rules
+$ sudo cp 49-onlykey.rules /etc/udev/rules.d/
+$ sudo udevadm control --reload-rules && udevadm trigger
+
+ +

OpenSUSE Install with dependencies

+
$ zypper install python3-pip python3-devel python3-tk libusb-1_0-devel libudev-devel
+$ pip3 install onlykey
+$ wget https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/49-onlykey.rules
+$ sudo cp 49-onlykey.rules /etc/udev/rules.d/
+$ sudo udevadm control --reload-rules && udevadm trigger
+
+ +

Arch Linux Install with dependencies

+
$ sudo pacman -Sy git python3-setuptools python3 libusb python3-pip
+$ pip3 install onlykey
+$ wget https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/49-onlykey.rules
+$ sudo cp 49-onlykey.rules /etc/udev/rules.d/
+$ sudo udevadm control --reload-rules && udevadm trigger
+
+ +

FreeBSD Install with dependencies

+ +

See forum thread here

+ +

QuickStart

+ +

Usage: onlykey-cli [OPTIONS]

+ +

Setup Options

+ +

init

+

A command line tool for setting PIN on OnlyKey (Initial Configuration)

+ +

General Options

+ +

version

+

Displays the version of the app

+ +

fwversion

+

Displays the version of the OnlyKey firmware

+ +

wink

+

OnlyKey flashes blue (winks), may be used for visual confirmation of connectivity

+ +

getlabels

+

Returns slot labels

+ +

settime

+

A command for setting time on OnlyKey, time is needed for TOTP (Google Authenticator)

+ +

getkeylabels

+

Returns key labels for RSA keys 1-4 and ECC keys 1-16

+ +

rng [type]

+

Access OnlyKey TRNG to generate random numbers:

+
    +
  • [type] must be one of the following: +
      +
    • hexbytes - Output hex encoded random bytes. Default 8 bytes; Maximum 255 bytes. Specify number of bytes to return with –count i.e. 'onlykey-cli rng hexbytes --count 32'
    • +
    • feedkernel - Feed random bytes to /dev/random.
    • +
    +
  • +
+ +

OnlyKey Preferences Options

+ +

idletimeout [num]

+

OnlyKey locks after ideletimeout is reached (1 – 255 minutes; default = 30; 0 to disable). More info

+ +

wipemode [num]

+

Configure how the OnlyKey responds to +a factory reset. WARNING - Setting to Full Wipe mode cannot be changed. +1 = Sensitive Data Only (default); 2 = Full Wipe (recommended for plausible deniability users) Entire device is wiped. Firmware must be reloaded. More info

+ +

keylayout [num]

+

Set keyboard layout

+
    +
  • 1 - USA_ENGLISH (Default)
  • +
  • 2 - CANADIAN_FRENCH
  • +
  • 3 - CANADIAN_MULTILINGUAL
  • +
  • 4 - DANISH
  • +
  • 5 - FINNISH
  • +
  • 6 - FRENCH
  • +
  • 7 - FRENCH_BELGIAN
  • +
  • 8 - FRENCH_SWISS
  • +
  • 9 - GERMAN
  • +
  • 10 - GERMAN_MAC
  • +
  • 11 - GERMAN_SWISS
  • +
  • 12 - ICELANDIC
  • +
  • 13 - IRISH
  • +
  • 14 - ITALIAN
  • +
  • 15 - NORWEGIAN
  • +
  • 16 - PORTUGUESE
  • +
  • 17 - PORTUGUESE_BRAZILIAN
  • +
  • 18 - SPANISH
  • +
  • 19 - SPANISH_LATIN_AMERICA
  • +
  • 20 - SWEDISH
  • +
  • 21 - TURKISH
  • +
  • 22 - UNITED_KINGDOM
  • +
  • 23 - US_INTERNATIONAL
  • +
  • 24 - CZECH
  • +
  • 25 - SERBIAN_LATIN_ONLY
  • +
  • 26 - HUNGARIAN
  • +
  • 27 - DANISH MAC
  • +
  • 28 - US_DVORAK
  • +
+ +

More info

+ +

keytypespeed [num]

+

1 = slowest; 10 = fastest [7 = default] +More info

+ +

ledbrightness [num]

+

1 = dimmest; 10 = brightest [8 = default] +More info

+ +

touchsense [num]

+

Change the OnlyKey’s button touch sensitivity. +WARNING: Setting button’s touch sensitivity lower than 5 is not recommended as this could result in inadvertent button press. +2 = highest sensitivity; 100 = lowest sensitivity [12 = default]

+ +

2ndprofilemode [num]

+

Set during init (Initial Configuration) to set 2nd profile type 1 = standard (default); 2 = plausible deniability

+ +

storedkeymode [num]

+

Enable or disable challenge for stored keys (SSH/PGP) +0 = Challenge Code Required (default); 1 = Button Press Required +More info

+ +

derivedkeymode [num]

+

Enable or disable challenge for stored keys (SSH/PGP) +0 = Challenge Code Required (default); 1 = Button Press Required +More info

+ +

hmackeymode [num]

+

Enable or disable button press for HMAC challenge-response +0 = Button Press Required (default); 1 = Button Press Not Required. +More info

+ +

backupkeymode [num]

+

1 = Lock backup key so this may not be changed on device +WARNING - Once set to “Locked” this cannot be changed unless a factory reset occurs. +More info

+ +

sysadminmode

+

Enable or disable challenge for stored keys (SSH/PGP) +0 = Challenge Code Required (default); 1 = Button Press Required +More info

+ +

lockbutton

+

Enable or disable challenge for stored keys (SSH/PGP) +0 = Challenge Code Required (default); 1 = Button Press Required +More info

+ +

Slot Config Options

+ +

setslot [id] [type] [value]

+
    +
  • [id] must be slot number 1a - 6b for OnlyKey or 1-24 for OnlyKey DUO
  • +
  • [type] must be one of the following: +
      +
    • label - set slots (1a - 6b) to have a descriptive label i.e. My Google Acct
    • +
    • url - URL to login page
    • +
    • delay1 - set a 0 - 9 second delay
    • +
    • addchar1 - Additional character before username 1 for TAB, 0 to clear
    • +
    • username - Username to login
    • +
    • addchar2 - Additional character after username 1 for TAB, 2 for RETURN
    • +
    • delay2 - set a 0 - 9 second delay
    • +
    • password - Password to login
    • +
    • addchar3 - Additional character after password 1 for TAB, 2 for RETURN
    • +
    • delay3 - set a 0 - 9 second delay
    • +
    • addchar4 - Additional character before OTP 1 for TAB
    • +
    • 2fa - type of two factor authentication +
        +
      • g - Google Authenticator
      • +
      • y - Yubico OTP
      • +
      • u - U2F
      • +
      +
    • +
    • totpkey - Google Authenticator key
    • +
    • addchar5 - Additional character after OTP 2 for RETURN
    • +
    +
  • +
+ +

wipeslot [id]

+
    +
  • [id] must be slot number 1a - 6b for OnlyKey or 1-24 for OnlyKey DUO
  • +
+ +

Key Config Options

+ +

setkey [key slot] [type] [features] [hex key]

+

Sets raw private keys and key labels, to set PEM format keys use the OnlyKey App

+
    +
  • [key slot] must be key number RSA1 - RSA4, ECC1 - ECC16, HMAC1 - HMAC2
  • +
  • [type] must be one of the following: +
      +
    • label - set to have a descriptive key label i.e. My GPG signing key
    • +
    • x - X25519 Key Type (32 bytes)
    • +
    • n - NIST256P1 Key Type (32 bytes)
    • +
    • s - SECP256K1 Key Type (32 bytes)
    • +
    • 2 - RSA Key Type 2048bits (256 bytes)
    • +
    • 4 - RSA Key Type 4096bits (512 bytes)
    • +
    • h - HMAC Key Type (20 bytes)
    • +
    +
  • +
  • [features] must be one of the following: +
      +
    • s - Use for signing
    • +
    • d - Use for decryption
    • +
    • b - Use for encryption/decryption of backups
    • +
    +
  • +
  • For setting keys see examples here.
  • +
+ +

genkey [key slot] [type] [features]

+

Generates random private key on device

+
    +
  • [key slot] must be key number ECC1 - ECC16 (only ECC keys supported)
  • +
  • [type] must be one of the following: +
      +
    • x - X25519 Key Type (32 bytes)
    • +
    • n - NIST256P1 Key Type (32 bytes)
    • +
    • s - SECP256K1 Key Type (32 bytes)
    • +
    +
  • +
  • [features] must be one of the following: +
      +
    • s - Use for signing
    • +
    • d - Use for decryption
    • +
    • b - Use for encryption/decryption of backups
    • +
    +
  • +
  • For generating key see example here.
  • +
+ +

wipekey [key id]

+

Erases key stored at [key id]

+
    +
  • [key id] must be key number RSA1 - RSA4, ECC1 - ECC16, HMAC1 - HMAC2
  • +
+ +

FIDO2 Config Options

+ +

ping

+

Sends a FIDO2 transaction to the device, which immediately echoes the same data back. This command is defined to be a uniform function for debugging, latency and performance measurements (CTAPHID_PING).

+ +

set-pin

+

Set new FIDO PIN, this is the PIN entered via keyboard and used for FIDO2 register/login (not the OnlyKey PIN entered on device).

+ +

change-pin

+

Change FIDO PIN, this is the PIN entered via keyboard and used for FIDO2 register/login (not the OnlyKey PIN entered on device, to change that PIN use the OnlyKey Desktop App).

+ +

credential [operation] [credential ID]

+
    +
  • [operation] must be one of the following: +
      +
    • info - Display number of existing resident keys and remaining space.
    • +
    • ls - List resident keys.
    • +
    • rm [credential ID] - Remove resident keys, example here.
    • +
    +
  • +
+ +

reset

+

Reset wipes all FIDO U2F and FIDO2 credentials!!! It is highly recommended to backup device prior to reset.

+ +

Running Command Options

+ +

You can run commands in two ways:

+ +

1) Directly in terminal

+ +

Like this:

+ +
$ onlykey-cli getlabels
+
+Slot 1a:
+Slot 1b:
+
+Slot 2a:
+Slot 2b:
+
+Slot 3a:
+Slot 3b:
+
+Slot 4a:
+Slot 4b:
+
+Slot 5a:
+Slot 5b:
+
+Slot 6a:
+Slot 6b:
+
+$ onlykey-cli setslot 1a label ok
+Successfully set Label
+$ onlykey-cli getlabels
+
+Slot 1a: ok
+Slot 1b:
+
+Slot 2a:
+Slot 2b:
+
+Slot 3a:
+Slot 3b:
+
+Slot 4a:
+Slot 4b:
+
+Slot 5a:
+Slot 5b:
+
+Slot 6a:
+Slot 6b:
+
+
+ +

2) Interactive Mode

+ +

Or you can run commands in an interactive shell like this:

+ +
$ onlykey-cli
+OnlyKey CLI v1.2.8
+Press the right arrow to insert the suggestion.
+Press Control-C to retry. Control-D to exit.
+
+OnlyKey> getlabels
+
+Slot 1a:
+Slot 1b:
+
+Slot 2a:
+Slot 2b:
+
+Slot 3a:
+Slot 3b:
+
+Slot 4a:
+Slot 4b:
+
+Slot 5a:
+Slot 5b:
+
+Slot 6a:
+Slot 6b:
+
+OnlyKey> setslot 1a label ok
+
+Successfully set Label
+
+OnlyKey> getlabels
+
+Slot 1a: ok
+Slot 1b:
+
+Slot 2a:
+Slot 2b:
+
+Slot 3a:
+Slot 3b:
+
+Slot 4a:
+Slot 4b:
+
+Slot 5a:
+Slot 5b:
+
+Slot 6a:
+Slot 6b:
+
+OnlyKey> setslot 1a url accounts.google.com
+
+Successfully set URL
+
+OnlyKey> setslot 1a addchar1 2
+
+Successfully set Character1
+
+OnlyKey> setslot 1a delay1 2
+
+Successfully set Delay1
+
+OnlyKey> setslot 1a username onlykey.1234
+
+Successfully set Username
+
+OnlyKey> setslot 1a addchar2 2
+
+Successfully set Character2
+
+OnlyKey> setslot 1a delay2 2
+
+Successfully set Delay2
+
+OnlyKey> setslot 1a password
+
+Type Control-T to toggle password visible.
+Password: *********
+Successfully set Password
+
+OnlyKey> setslot 1a addchar3 2
+
+Successfully set Character3
+
+OnlyKey> setslot 1a delay3 2
+
+Successfully set Delay3
+
+OnlyKey> setslot 1a 2fa g
+
+Successfully set 2FA Type
+
+OnlyKey> setslot 1a totpkey
+
+Type Control-T to toggle password visible.
+Password: ********************************
+Successfully set TOTP Key
+
+OnlyKey> setslot 1a addchar4 2
+
+Successfully set Character4
+
+OnlyKey>
+
+Bye!
+
+ +

Examples

+ +

Writing Private Keys and Passwords

+ +

Keys/passwords are masked when entered and should only be set from interactive mode and not directly from terminal. Entering directly from terminal is not secure as command history is stored.

+ +

Setkey Examples

+ +

To set key a device must first be put into config mode.

+ +

Set HMAC key 1 to a custom value

+ +

$ onlykey-cli

+ +

OnlyKey> setkey HMAC1 h

+ +

Type Control-T to toggle password visible. +Password/Key: **************

+ +

Successfully set ECC Key

+ +

HMAC key must be 20 bytes, h is HMAC type

+ +

Set HMAC key 2 to a custom value

+ +

$ onlykey-cli

+ +

OnlyKey> setkey HMAC2 h

+ +

Type Control-T to toggle password visible. +Password/Key: **************

+ +

Successfully set ECC Key

+ +

HMAC key must be 20 bytes, h is HMAC type

+ +

Set ECC key in slot ECC1 to a custom value (Slots ECC1-ECC16 are available for ECC keys. Supported ECC curves X25519(x), NIST256P1(n), SECP256K1(s))

+ +

$ onlykey-cli

+ +

OnlyKey> setkey ECC1 x

+ +

Type Control-T to toggle password visible. +Password/Key: *********************

+ +

Successfully set ECC Key

+ +

ECC key must be 32 bytes, x is X25519 type

+ +

Genkey Examples

+ +

To set key a device must first be put into config mode.

+ +

Generate ECC key in slot ECC1 to a custom value (Slots ECC1-ECC16 are available for ECC keys. Supported ECC curves X25519(x), NIST256P1(n), SECP256K1(s))

+ +

$ onlykey-cli

+ +

OnlyKey> genkey ECC1 x

+ +

Successfully set ECC Key

+ +

Scripting Example

+ +

Set time on OnlyKey (required for TOTP)

+ +

$ onlykey-cli settime

+ +

This can be added to scripts such as the UDEV rule to automatically set time when device is inserted into USB port. See example here

+ +

Scripted provisioning of an OnlyKey slots and keys can be done by creating a script that sets multiple values on OnlyKey

+ +

List and Remove FIDO2 Resident Key

+ +

List current resident keys:

+ +
onlykey-cli credential ls
+
+

+ +

Remove a resident key by credential ID

+ +
onlykey-cli credential rm eu7LPIjTNwIJt2Ws9LWJlXkiNKaueSEEGteZM2MT/lZtEuYo49V6deCiIRMb6EDC29XG13nBL60+Yx+6hxSUYS1uxX9+AA==
+
+ +

Once removed, list current resident keys to verify:

+ +

+ +

Source

+ +

OnlyKey CLI on Github

+ + + +
+ + Tags: + + + + + + + + + +
+ + + + + + + Edit me + + + +
+ +
+ +
+
+ +
+
+ + +
+ +
+ +
+ +
+ + + + + + + + + + +
diff --git a/hosts/_unmaintained/isimud/default.nix b/hosts/_unmaintained/isimud/default.nix
new file mode 100644
index 00000000..5aa6ad3c
--- /dev/null
+++ b/hosts/_unmaintained/isimud/default.nix
@@ -0,0 +1,44 @@
+{pkgs, ...}: {
+ imports = [
+ ./hardware
+ ./networking.nix
+ ../../sys
+ ];
+
+ isoImage = {
+ contents = [
+ {
+ source = ./command-line.html;
+ # TODO:: remove the implied dependency
+ target = "/home/soispha/cli.html";
+ }
+ ];
+ makeEfiBootable = true;
+ makeUsbBootable = true;
+ makeBiosBootable = true;
+ appendToMenuLabel = " Gpg-disk";
+ };
+ environment.systemPackages = [
+ pkgs.onlykey
+ pkgs.onlykey-cli
+ pkgs.onlykey-agent
+ pkgs.cryptsetup
+ ];
+
+ soispha = {
+ secrets.enable = false;
+ impermanence.enable = false;
+ locale = {
+ enable = true;
+ keyMap = "dvorak";
+ };
+ fs.backup = {
+ enable = false;
+ };
+ users = {
+ hashedPassword = "$y$jFT$YvneNBxEtbrysV2OMG0X30$eKHdzZxJkjD3pXuGOuqbnTaeym5.4ik6kxhE.rJxs3.";
+ };
+ };
+
+ system.stateVersion = "23.05";
+}
diff --git a/hosts/_unmaintained/isimud/hardware/default.nix b/hosts/_unmaintained/isimud/hardware/default.nix
new file mode 100644
index 00000000..f55365b3
--- /dev/null
+++ b/hosts/_unmaintained/isimud/hardware/default.nix
@@ -0,0 +1,24 @@
+{
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}: {
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ hardware.cpu.amd.updateMicrocode = true; # Why not?
+ hardware.cpu.intel.updateMicrocode = true; # Why not?
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+
+ soispha.disks = {
+ enable = false;
+ };
+
+ boot = {
+ kernelModules = [];
+ kernelPackages = lib.mkDefault pkgs.linuxPackages_6_1; # use this kernel, as it's supported by zfs
+ };
+}
diff --git a/hosts/_unmaintained/isimud/networking.nix b/hosts/_unmaintained/isimud/networking.nix
new file mode 100644
index 00000000..58c84ee5
--- /dev/null
+++ b/hosts/_unmaintained/isimud/networking.nix
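Review bot: `hashedPassword` in hosts/_unmaintained/isimud/default.nix is a literal yescrypt hash committed to the repository, and the same pattern appears in lahmu/default.nix and mammun/default.nix in this commit. Anyone who can read the tree can run offline guessing against these hashes, and parking the hosts under `_unmaintained` makes it less likely the passwords are ever rotated. How `soispha.users` consumes the value is not visible here, so this assumes it becomes the login password; if so, a comment such as `# hash is public (git + built image): throwaway password only, never reused elsewhere` would record the constraint, or the value could be read from a file kept outside the repository.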
@@ -0,0 +1,8 @@
+{lib, ...}: {
+ # Disable networking
+ networking.useDHCP = lib.mkForce false;
+ networking.interfaces = lib.mkForce {};
+ boot.blacklistedKernelModules = ["igb" "iwlwifi" "rtw89"];
+
+ networking.hostName = "isimud";
+}
diff --git a/hosts/_unmaintained/lahmu/default.nix b/hosts/_unmaintained/lahmu/default.nix
new file mode 100644
index 00000000..94d8b054
--- /dev/null
+++ b/hosts/_unmaintained/lahmu/default.nix
@@ -0,0 +1,24 @@
+{
+ config,
+ lib,
+ nixpkgs,
+ home-manager,
+ ...
+}: {
+ imports = [
+ ./hardware
+ ./networking.nix
+
+ ../../sys
+ ];
+
+ soispha = {
+ locale.enable = true;
+ users = {
+ # enable = true;
+ hashedPassword = "$y$jFT$qi3wS9njrMl2y55b3NOBI0$j40Qt6AAkMSfZ82KPhqMaUaPztWtPps1wOqaXaF/L.6";
+ };
+ };
+
+ system.stateVersion = "23.05";
+}
diff --git a/hosts/_unmaintained/lahmu/hardware/cpu.nix b/hosts/_unmaintained/lahmu/hardware/cpu.nix
new file mode 100644
index 00000000..2d7232cd
--- /dev/null
+++ b/hosts/_unmaintained/lahmu/hardware/cpu.nix
@@ -0,0 +1,4 @@
+{config, ...}: {
+ powerManagement.cpuFreqGovernor = "powersave";
+ hardware.cpu.amd.updateMicrocode = true; # Why not?
+}
diff --git a/hosts/_unmaintained/lahmu/hardware/default.nix b/hosts/_unmaintained/lahmu/hardware/default.nix
new file mode 100644
index 00000000..bc7b1f96
--- /dev/null
+++ b/hosts/_unmaintained/lahmu/hardware/default.nix
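Review bot: The "Disable networking" block in hosts/_unmaintained/isimud/networking.nix depends on `boot.blacklistedKernelModules = ["igb" "iwlwifi" "rtw89"]`, which covers only the three named drivers; on hardware with any other NIC the driver would presumably still load and the interface would merely stay unconfigured. The ISO label and the packages in the sibling default.nix suggest this image handles key material offline, so the comment should say which machine the list was written for, e.g. `# Disable networking (driver list matches the original isimud hardware only; re-check before booting elsewhere)`.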
@@ -0,0 +1,33 @@
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}: {
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix") # TODO: is this necessary?
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ./cpu.nix
+ ./gpu.nix
+ ];
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+
+ system.fileSystemLayouts = {
+ enable = true;
+ mainDisk = "/dev/disk/by-uuid/c0382dda-1f55-4209-967d-b8b22cb0f6e1";
+ efiDisk = "/dev/disk/by-uuid/167D-2F0B";
+ ssd = true;
+ swap = {
+ uuid = "c0382dda-1f55-4209-967d-b8b22cb0f6e1";
+ resumeOffset = "140544";
+ };
+ };
+
+ boot = {
+ kernelModules = [];
+
+ initrd.availableKernelModules = ["ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk"];
+ };
+}
diff --git a/hosts/_unmaintained/lahmu/hardware/gpu.nix b/hosts/_unmaintained/lahmu/hardware/gpu.nix
new file mode 100644
index 00000000..88c9b88a
--- /dev/null
+++ b/hosts/_unmaintained/lahmu/hardware/gpu.nix
@@ -0,0 +1,15 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}: {
+ # hardware.opengl.extraPackages = with pkgs; [
+ # rocm-opencl-icd # open-cl
+ # amdvlk # or directly through mesa
+ # amd-media-driver # libva
+ # ];
+ #
+ # # Force radv, TODO: is this logical?
+ # environment.variables.AMD_VULKAN_ICD = "RADV";
+}
diff --git a/hosts/_unmaintained/lahmu/networking.nix b/hosts/_unmaintained/lahmu/networking.nix
new file mode 100644
index 00000000..1ef69e7c
--- /dev/null
+++ b/hosts/_unmaintained/lahmu/networking.nix
@@ -0,0 +1,14 @@
+{
+ config,
+ lib,
+ ...
+}: {
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
+ networking.hostName = "lahmu";
+}
diff --git a/hosts/_unmaintained/mammun/default.nix b/hosts/_unmaintained/mammun/default.nix
new file mode 100644
index 00000000..5c66d9fa
--- /dev/null
+++ b/hosts/_unmaintained/mammun/default.nix
@@ -0,0 +1,23 @@
+{
+ config,
+ lib,
+ nixpkgs,
+ home-manager,
+ pkgs,
+ ...
+}: {
+ imports = [
+ ./hardware
+ ./networking.nix
+
+ ../../sys
+ ];
+ soispha = {
+ locale.enable = true;
+ users = {
+ hashedPassword = "$y$jDT$O/42/7REOL50onRYcTV9R1$Ot3bPAh2raHmPN3yScP4wsJRtNqrMtTBzOq9oRJeRA0";
+ };
+ };
+
+ system.stateVersion = "23.05";
+}
diff --git a/hosts/_unmaintained/mammun/hardware/cpu.nix b/hosts/_unmaintained/mammun/hardware/cpu.nix
new file mode 100644
index 00000000..70eaff6f
--- /dev/null
+++ b/hosts/_unmaintained/mammun/hardware/cpu.nix
@@ -0,0 +1,3 @@
+{...}: {
+ hardware.cpu.amd.updateMicrocode = true; # Why not?
+}
diff --git a/hosts/_unmaintained/mammun/hardware/default.nix b/hosts/_unmaintained/mammun/hardware/default.nix
new file mode 100644
index 00000000..b1683d47
--- /dev/null
+++ b/hosts/_unmaintained/mammun/hardware/default.nix
@@ -0,0 +1,27 @@
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}: {
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ./cpu.nix
+ ./gpu.nix
+ ];
+
+ nixpkgs.hostPlatform = "x86_64-linux";
+
+ system.fileSystemLayouts = {
+ enable = true;
+ mainDisk = "/dev/disk/by-uuid/ac6c5efd-51a7-42e7-a8cd-668a350554b1";
+ efiDisk = "/dev/disk/by-uuid/7931-40E5";
+ };
+
+ boot = {
+ kernelModules = ["kvm-amd"];
+
+ initrd.availableKernelModules = ["xhci_pci" "ahci" "ehci_pci" "sd_mod" "sr_mod" "sdhci_pci"];
+ };
+}
diff --git a/hosts/_unmaintained/mammun/hardware/gpu.nix b/hosts/_unmaintained/mammun/hardware/gpu.nix
new file mode 100644
index 00000000..939497db
--- /dev/null
+++ b/hosts/_unmaintained/mammun/hardware/gpu.nix
@@ -0,0 +1,14 @@
+{pkgs, ...}: {
+ boot.initrd.kernelModules = ["amdgpu"];
+ # for Southern Islands (SI ie. GCN 1) cards and for Sea Islands (CIK ie. GCN 2) cards
+ boot.kernelParams = ["radeon.si_support=0" "amdgpu.si_support=1" "radeon.cik_support=0" "amdgpu.cik_support=1"];
+
+ hardware.opengl.driSupport = true;
+ # For 32 bit applications
+ hardware.opengl.driSupport32Bit = true;
+
+ hardware.opengl.extraPackages = with pkgs; [
+ rocm-opencl-icd
+ rocm-opencl-runtime
+ ];
+}
diff --git a/hosts/_unmaintained/mammun/networking.nix b/hosts/_unmaintained/mammun/networking.nix
new file mode 100644
index 00000000..e243ebe0
--- /dev/null
+++ b/hosts/_unmaintained/mammun/networking.nix
@@ -0,0 +1,16 @@
+{
+ config,
+ lib,
+ ...
+}: {
+ networking = {
+ networkmanager = {
+ enable = true;
+ dns = "default";
+ wifi = {
+ powersave = true;
+ };
+ };
+ hostName = "mammun";
+ };
+}
diff --git a/hosts/_unmaintained/marduk/default.nix b/hosts/_unmaintained/marduk/default.nix
new file mode 100644
index 00000000..2379fcdf
--- /dev/null
+++ b/hosts/_unmaintained/marduk/default.nix
@@ -0,0 +1,14 @@
+{lib, ...}: {
+ imports = [
+ ./hardware
+ ./networking.nix
+ ];
+
+ console = {
+ keyMap = "dvorak";
+ };
+ # needed to override defaults
+ isoImage.isoName = lib.mkForce "nixos-iso";
+
+ system.stateVersion = "23.05";
+}
diff --git a/hosts/_unmaintained/marduk/hardware/default.nix b/hosts/_unmaintained/marduk/hardware/default.nix
new file mode 100644
index 00000000..4fed1d06
--- /dev/null
+++ b/hosts/_unmaintained/marduk/hardware/default.nix
@@ -0,0 +1,19 @@
+{
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}: {
+ imports = [
+ (modulesPath + "/installer/cd-dvd/installation-cd-graphical-gnome.nix")
+ ];
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+
+ boot = {
+ kernelModules = ["rtw89"];
+ # FIXME: The kernel version should probably be updated, considering that it's 6.1 <2024-03-23>
+ kernelPackages = pkgs.linuxPackages_6_1; # use this kernel, as it's supported by zfs
+ zfs.package = pkgs.zfs_unstable; # Default zfs is "broken" (to nixos) on the newest kernel
+ };
+}
diff --git a/hosts/_unmaintained/marduk/networking.nix b/hosts/_unmaintained/marduk/networking.nix
new file mode 100644
index 00000000..da8f3850
--- /dev/null
+++ b/hosts/_unmaintained/marduk/networking.nix
@@ -0,0 +1,14 @@
+{
+ config,
+ lib,
+ ...
+}: {
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
+ networking.hostName = "marduk";
+}
diff --git a/hosts/isimud/command-line.html b/hosts/isimud/command-line.html
deleted file mode 100644
index 4534001e..00000000
--- a/hosts/isimud/command-line.html
+++ /dev/null
@@ -1,1491 +0,0 @@ - - - - - - - - -OnlyKey Command-Line Utility | Docs - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
- -
- - - -
- - - - - - - -
- - - - -
-
-

OnlyKey Command-Line Utility

-
- - - -
- - -
The OnlyKey Command-Line Utility is a command line interface to OnlyKey.
- - - - - - - -
- - - - -

onlykey-cli

- -

OnlyKey-cli - A command line interface to the OnlyKey (Similar functionality to OnlyKey App) that can be used for configuration, scripting, and testing.

- -

Installation

- -

Windows Stand-Alone EXE

-

No install is required. Download and run the EXE to open OnlyKey CLI interactive mode or run directly from command line like this:

-
C:\ onlykey-cli.exe getlabels
-
- -

Download here

- -

Windows Install with dependencies

-

1) Python 3.8 and pip3 are required. To setup a Python environment on Windows we recommend Anaconda https://www.anaconda.com/download/#windows

- -

2) From an administrator command prompt run:

-
pip3 install hidapi==0.9.0 onlykey
-
- -

You should see a message showing where the executable is installed. This is usually c:\python39\scripts\onlykey-cli.exe

- -

MacOS Install with dependencies

-

Python 3.8 and pip3 are required. To setup a Python environment on MacOS we recommend Anaconda https://www.anaconda.com/download/#macos

-
$ brew install libusb
-$ pip3 install onlykey
-
- -

Linux/BSD Install with dependencies

- -

In order for non-root users in Linux to be able to communicate with OnlyKey a udev rule must be created as described here.

- -

Ubuntu Install with dependencies

-
$ sudo apt update && sudo apt upgrade
-$ sudo apt install python3-pip python3-tk libusb-1.0-0-dev libudev-dev
-$ pip3 install onlykey
-$ wget https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/49-onlykey.rules
-$ sudo cp 49-onlykey.rules /etc/udev/rules.d/
-$ sudo udevadm control --reload-rules && udevadm trigger
-
- -

Debian Install with dependencies

-
$ sudo apt update && sudo apt upgrade
-$ sudo apt install python3-pip python3-tk libusb-1.0-0-dev libudev-dev
-$ pip3 install onlykey
-$ wget https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/49-onlykey.rules
-$ sudo cp 49-onlykey.rules /etc/udev/rules.d/
-$ sudo udevadm control --reload-rules && udevadm trigger
-
- -

RedHat Install with dependencies

-
$ yum update
-$ yum install python3-pip python3-devel python3-tk libusb-devel libudev-devel \
-              gcc redhat-rpm-config
-$ pip3 install onlykey
-$ wget https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/49-onlykey.rules
-$ sudo cp 49-onlykey.rules /etc/udev/rules.d/
-$ sudo udevadm control --reload-rules && udevadm trigger
-
- -

Fedora Install with dependencies

-
$ dnf install python3-pip python3-devel python3-tkinter libusb-devel libudev-devel \
-              gcc redhat-rpm-config
-$ pip3 install onlykey
-$ wget https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/49-onlykey.rules
-$ sudo cp 49-onlykey.rules /etc/udev/rules.d/
-$ sudo udevadm control --reload-rules && udevadm trigger
-
- -

OpenSUSE Install with dependencies

-
$ zypper install python3-pip python3-devel python3-tk libusb-1_0-devel libudev-devel
-$ pip3 install onlykey
-$ wget https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/49-onlykey.rules
-$ sudo cp 49-onlykey.rules /etc/udev/rules.d/
-$ sudo udevadm control --reload-rules && udevadm trigger
-
- -

Arch Linux Install with dependencies

-
$ sudo pacman -Sy git python3-setuptools python3 libusb python3-pip
-$ pip3 install onlykey
-$ wget https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/49-onlykey.rules
-$ sudo cp 49-onlykey.rules /etc/udev/rules.d/
-$ sudo udevadm control --reload-rules && udevadm trigger
-
- -

FreeBSD Install with dependencies

- -

See forum thread here

- -

QuickStart

- -

Usage: onlykey-cli [OPTIONS]

- -

Setup Options

- -

init

-

A command line tool for setting PIN on OnlyKey (Initial Configuration)

- -

General Options

- -

version

-

Displays the version of the app

- -

fwversion

-

Displays the version of the OnlyKey firmware

- -

wink

-

OnlyKey flashes blue (winks), may be used for visual confirmation of connectivity

- -

getlabels

-

Returns slot labels

- -

settime

-

A command for setting time on OnlyKey, time is needed for TOTP (Google Authenticator)

- -

getkeylabels

-

Returns key labels for RSA keys 1-4 and ECC keys 1-16

- -

rng [type]

-

Access OnlyKey TRNG to generate random numbers:

-
    -
  • [type] must be one of the following: -
      -
    • hexbytes - Output hex encoded random bytes. Default 8 bytes; Maximum 255 bytes. Specify number of bytes to return with –count i.e. 'onlykey-cli rng hexbytes --count 32'
    • -
    • feedkernel - Feed random bytes to /dev/random.
    • -
    -
  • -
- -

OnlyKey Preferences Options

- -

idletimeout [num]

-

OnlyKey locks after ideletimeout is reached (1 – 255 minutes; default = 30; 0 to disable). More info

- -

wipemode [num]

-

Configure how the OnlyKey responds to -a factory reset. WARNING - Setting to Full Wipe mode cannot be changed. -1 = Sensitive Data Only (default); 2 = Full Wipe (recommended for plausible deniability users) Entire device is wiped. Firmware must be reloaded. More info

- -

keylayout [num]

-

Set keyboard layout

-
    -
  • 1 - USA_ENGLISH (Default)
  • -
  • 2 - CANADIAN_FRENCH
  • -
  • 3 - CANADIAN_MULTILINGUAL
  • -
  • 4 - DANISH
  • -
  • 5 - FINNISH
  • -
  • 6 - FRENCH
  • -
  • 7 - FRENCH_BELGIAN
  • -
  • 8 - FRENCH_SWISS
  • -
  • 9 - GERMAN
  • -
  • 10 - GERMAN_MAC
  • -
  • 11 - GERMAN_SWISS
  • -
  • 12 - ICELANDIC
  • -
  • 13 - IRISH
  • -
  • 14 - ITALIAN
  • -
  • 15 - NORWEGIAN
  • -
  • 16 - PORTUGUESE
  • -
  • 17 - PORTUGUESE_BRAZILIAN
  • -
  • 18 - SPANISH
  • -
  • 19 - SPANISH_LATIN_AMERICA
  • -
  • 20 - SWEDISH
  • -
  • 21 - TURKISH
  • -
  • 22 - UNITED_KINGDOM
  • -
  • 23 - US_INTERNATIONAL
  • -
  • 24 - CZECH
  • -
  • 25 - SERBIAN_LATIN_ONLY
  • -
  • 26 - HUNGARIAN
  • -
  • 27 - DANISH MAC
  • -
  • 28 - US_DVORAK
  • -
- -

More info

- -

keytypespeed [num]

-

1 = slowest; 10 = fastest [7 = default] -More info

- -

ledbrightness [num]

-

1 = dimmest; 10 = brightest [8 = default] -More info

- -

touchsense [num]

-

Change the OnlyKey’s button touch sensitivity. -WARNING: Setting button’s touch sensitivity lower than 5 is not recommended as this could result in inadvertent button press. -2 = highest sensitivity; 100 = lowest sensitivity [12 = default]

- -

2ndprofilemode [num]

-

Set during init (Initial Configuration) to set 2nd profile type 1 = standard (default); 2 = plausible deniability

- -

storedkeymode [num]

-

Enable or disable challenge for stored keys (SSH/PGP) -0 = Challenge Code Required (default); 1 = Button Press Required -More info

- -

derivedkeymode [num]

-

Enable or disable challenge for stored keys (SSH/PGP) -0 = Challenge Code Required (default); 1 = Button Press Required -More info

- -

hmackeymode [num]

-

Enable or disable button press for HMAC challenge-response -0 = Button Press Required (default); 1 = Button Press Not Required. -More info

- -

backupkeymode [num]

-

1 = Lock backup key so this may not be changed on device -WARNING - Once set to “Locked” this cannot be changed unless a factory reset occurs. -More info

- -

sysadminmode

-

Enable or disable challenge for stored keys (SSH/PGP) -0 = Challenge Code Required (default); 1 = Button Press Required -More info

- -

lockbutton

-

Enable or disable challenge for stored keys (SSH/PGP) -0 = Challenge Code Required (default); 1 = Button Press Required -More info

- -

Slot Config Options

- -

setslot [id] [type] [value]

-
    -
  • [id] must be slot number 1a - 6b for OnlyKey or 1-24 for OnlyKey DUO
  • -
  • [type] must be one of the following: -
      -
    • label - set slots (1a - 6b) to have a descriptive label i.e. My Google Acct
    • -
    • url - URL to login page
    • -
    • delay1 - set a 0 - 9 second delay
    • -
    • addchar1 - Additional character before username 1 for TAB, 0 to clear
    • -
    • username - Username to login
    • -
    • addchar2 - Additional character after username 1 for TAB, 2 for RETURN
    • -
    • delay2 - set a 0 - 9 second delay
    • -
    • password - Password to login
    • -
    • addchar3 - Additional character after password 1 for TAB, 2 for RETURN
    • -
    • delay3 - set a 0 - 9 second delay
    • -
    • addchar4 - Additional character before OTP 1 for TAB
    • -
    • 2fa - type of two factor authentication -
        -
      • g - Google Authenticator
      • -
      • y - Yubico OTP
      • -
      • u - U2F
      • -
      -
    • -
    • totpkey - Google Authenticator key
    • -
    • addchar5 - Additional character after OTP 2 for RETURN
    • -
    -
  • -
- -

wipeslot [id]

-
    -
  • [id] must be slot number 1a - 6b for OnlyKey or 1-24 for OnlyKey DUO
  • -
- -

Key Config Options

- -

setkey [key slot] [type] [features] [hex key]

-

Sets raw private keys and key labels, to set PEM format keys use the OnlyKey App

-
    -
  • [key slot] must be key number RSA1 - RSA4, ECC1 - ECC16, HMAC1 - HMAC2
  • -
  • [type] must be one of the following: -
      -
    • label - set to have a descriptive key label i.e. My GPG signing key
    • -
    • x - X25519 Key Type (32 bytes)
    • -
    • n - NIST256P1 Key Type (32 bytes)
    • -
    • s - SECP256K1 Key Type (32 bytes)
    • -
    • 2 - RSA Key Type 2048bits (256 bytes)
    • -
    • 4 - RSA Key Type 4096bits (512 bytes)
    • -
    • h - HMAC Key Type (20 bytes)
    • -
    -
  • -
  • [features] must be one of the following: -
      -
    • s - Use for signing
    • -
    • d - Use for decryption
    • -
    • b - Use for encryption/decryption of backups
    • -
    -
  • -
  • For setting keys see examples here.
  • -
- -

genkey [key slot] [type] [features]

-

Generates random private key on device

-
    -
  • [key slot] must be key number ECC1 - ECC16 (only ECC keys supported)
  • -
  • [type] must be one of the following: -
      -
    • x - X25519 Key Type (32 bytes)
    • -
    • n - NIST256P1 Key Type (32 bytes)
    • -
    • s - SECP256K1 Key Type (32 bytes)
    • -
    -
  • -
  • [features] must be one of the following: -
      -
    • s - Use for signing
    • -
    • d - Use for decryption
    • -
    • b - Use for encryption/decryption of backups
    • -
    -
  • -
  • For generating key see example here.
  • -
- -

wipekey [key id]

-

Erases key stored at [key id]

-
    -
  • [key id] must be key number RSA1 - RSA4, ECC1 - ECC16, HMAC1 - HMAC2
  • -
- -

FIDO2 Config Options

- -

ping

-

Sends a FIDO2 transaction to the device, which immediately echoes the same data back. This command is defined to be a uniform function for debugging, latency and performance measurements (CTAPHID_PING).

- -

set-pin

-

Set new FIDO PIN, this is the PIN entered via keyboard and used for FIDO2 register/login (not the OnlyKey PIN entered on device).

- -

change-pin

-

Change FIDO PIN, this is the PIN entered via keyboard and used for FIDO2 register/login (not the OnlyKey PIN entered on device, to change that PIN use the OnlyKey Desktop App).

- -

credential [operation] [credential ID]

-
    -
  • [operation] must be one of the following: -
      -
    • info - Display number of existing resident keys and remaining space.
    • -
    • ls - List resident keys.
    • -
    • rm [credential ID] - Remove resident keys, example here.
    • -
    -
  • -
- -

reset

-

Reset wipes all FIDO U2F and FIDO2 credentials!!! It is highly recommended to backup device prior to reset.

- -

Running Command Options

- -

You can run commands in two ways:

- -

1) Directly in terminal

- -

Like this:

- -
$ onlykey-cli getlabels
-
-Slot 1a:
-Slot 1b:
-
-Slot 2a:
-Slot 2b:
-
-Slot 3a:
-Slot 3b:
-
-Slot 4a:
-Slot 4b:
-
-Slot 5a:
-Slot 5b:
-
-Slot 6a:
-Slot 6b:
-
-$ onlykey-cli setslot 1a label ok
-Successfully set Label
-$ onlykey-cli getlabels
-
-Slot 1a: ok
-Slot 1b:
-
-Slot 2a:
-Slot 2b:
-
-Slot 3a:
-Slot 3b:
-
-Slot 4a:
-Slot 4b:
-
-Slot 5a:
-Slot 5b:
-
-Slot 6a:
-Slot 6b:
-
-
- -

2) Interactive Mode

- -

Or you can run commands in an interactive shell like this:

- -
$ onlykey-cli
-OnlyKey CLI v1.2.8
-Press the right arrow to insert the suggestion.
-Press Control-C to retry. Control-D to exit.
-
-OnlyKey> getlabels
-
-Slot 1a:
-Slot 1b:
-
-Slot 2a:
-Slot 2b:
-
-Slot 3a:
-Slot 3b:
-
-Slot 4a:
-Slot 4b:
-
-Slot 5a:
-Slot 5b:
-
-Slot 6a:
-Slot 6b:
-
-OnlyKey> setslot 1a label ok
-
-Successfully set Label
-
-OnlyKey> getlabels
-
-Slot 1a: ok
-Slot 1b:
-
-Slot 2a:
-Slot 2b:
-
-Slot 3a:
-Slot 3b:
-
-Slot 4a:
-Slot 4b:
-
-Slot 5a:
-Slot 5b:
-
-Slot 6a:
-Slot 6b:
-
-OnlyKey> setslot 1a url accounts.google.com
-
-Successfully set URL
-
-OnlyKey> setslot 1a addchar1 2
-
-Successfully set Character1
-
-OnlyKey> setslot 1a delay1 2
-
-Successfully set Delay1
-
-OnlyKey> setslot 1a username onlykey.1234
-
-Successfully set Username
-
-OnlyKey> setslot 1a addchar2 2
-
-Successfully set Character2
-
-OnlyKey> setslot 1a delay2 2
-
-Successfully set Delay2
-
-OnlyKey> setslot 1a password
-
-Type Control-T to toggle password visible.
-Password: *********
-Successfully set Password
-
-OnlyKey> setslot 1a addchar3 2
-
-Successfully set Character3
-
-OnlyKey> setslot 1a delay3 2
-
-Successfully set Delay3
-
-OnlyKey> setslot 1a 2fa g
-
-Successfully set 2FA Type
-
-OnlyKey> setslot 1a totpkey
-
-Type Control-T to toggle password visible.
-Password: ********************************
-Successfully set TOTP Key
-
-OnlyKey> setslot 1a addchar4 2
-
-Successfully set Character4
-
-OnlyKey>
-
-Bye!
-
- -

Examples

- -

Writing Private Keys and Passwords

- -

Keys/passwords are masked when entered and should only be set from interactive mode and not directly from terminal. Entering directly from terminal is not secure as command history is stored.

- -

Setkey Examples

- -

To set key a device must first be put into config mode.

- -

Set HMAC key 1 to a custom value

- -

$ onlykey-cli

- -

OnlyKey> setkey HMAC1 h

- -

Type Control-T to toggle password visible. -Password/Key: **************

- -

Successfully set ECC Key

- -

HMAC key must be 20 bytes, h is HMAC type

- -

Set HMAC key 2 to a custom value

- -

$ onlykey-cli

- -

OnlyKey> setkey HMAC2 h

- -

Type Control-T to toggle password visible. -Password/Key: **************

- -

Successfully set ECC Key

- -

HMAC key must be 20 bytes, h is HMAC type

- -

Set ECC key in slot ECC1 to a custom value (Slots ECC1-ECC16 are available for ECC keys. Supported ECC curves X25519(x), NIST256P1(n), SECP256K1(s))

- -

$ onlykey-cli

- -

OnlyKey> setkey ECC1 x

- -

Type Control-T to toggle password visible. -Password/Key: *********************

- -

Successfully set ECC Key

- -

ECC key must be 32 bytes, x is X25519 type

- -

Genkey Examples

- -

To set key a device must first be put into config mode.

- -

Generate ECC key in slot ECC1 to a custom value (Slots ECC1-ECC16 are available for ECC keys. Supported ECC curves X25519(x), NIST256P1(n), SECP256K1(s))

- -

$ onlykey-cli

- -

OnlyKey> genkey ECC1 x

- -

Successfully set ECC Key

- -

Scripting Example

- -

Set time on OnlyKey (required for TOTP)

- -

$ onlykey-cli settime

- -

This can be added to scripts such as the UDEV rule to automatically set time when device is inserted into USB port. See example here

- -

Scripted provisioning of an OnlyKey slots and keys can be done by creating a script that sets multiple values on OnlyKey

- -

List and Remove FIDO2 Resident Key

- -

List current resident keys:

- -
onlykey-cli credential ls
-
-

- -

Remove a resident key by credential ID

- -
onlykey-cli credential rm eu7LPIjTNwIJt2Ws9LWJlXkiNKaueSEEGteZM2MT/lZtEuYo49V6deCiIRMb6EDC29XG13nBL60+Yx+6hxSUYS1uxX9+AA==
-
- -

Once removed, list current resident keys to verify:

- -

- -

Source

- -

OnlyKey CLI on Github

- - - -
- - Tags: - - - - - - - - - -
- - - - - - - Edit me - - - -
- -
- -
-
- -
-
- - -
- -
- -
- -
- - - - - - - - - - -
diff --git a/hosts/isimud/default.nix b/hosts/isimud/default.nix
deleted file mode 100644
index 5aa6ad3c..00000000
--- a/hosts/isimud/default.nix
+++ /dev/null
@@ -1,44 +0,0 @@
-{pkgs, ...}: {
- imports = [
- ./hardware
- ./networking.nix
- ../../sys
- ];
-
- isoImage = {
- contents = [
- {
- source = ./command-line.html;
- # TODO:: remove the implied dependency
- target = "/home/soispha/cli.html";
- }
- ];
- makeEfiBootable = true;
- makeUsbBootable = true;
- makeBiosBootable = true;
- appendToMenuLabel = " Gpg-disk";
- };
- environment.systemPackages = [
- pkgs.onlykey
- pkgs.onlykey-cli
- pkgs.onlykey-agent
- pkgs.cryptsetup
- ];
-
- soispha = {
- secrets.enable = false;
- impermanence.enable = false;
- locale = {
- enable = true;
- keyMap = "dvorak";
- };
- fs.backup = {
- enable = false;
- };
- users = {
- hashedPassword = "$y$jFT$YvneNBxEtbrysV2OMG0X30$eKHdzZxJkjD3pXuGOuqbnTaeym5.4ik6kxhE.rJxs3.";
- };
- };
-
- system.stateVersion = "23.05";
-}
diff --git a/hosts/isimud/hardware/default.nix b/hosts/isimud/hardware/default.nix
deleted file mode 100644
index f55365b3..00000000
--- a/hosts/isimud/hardware/default.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-{
- lib,
- pkgs,
- modulesPath,
- ...
-}: {
- imports = [
- (modulesPath + "/installer/scan/not-detected.nix")
- ];
-
- hardware.cpu.amd.updateMicrocode = true; # Why not?
- hardware.cpu.intel.updateMicrocode = true; # Why not?
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-
- soispha.disks = {
- enable = false;
- };
-
- boot = {
- kernelModules = [];
- kernelPackages = lib.mkDefault pkgs.linuxPackages_6_1; # use this kernel, as it's supported by zfs
- };
-}
diff --git a/hosts/isimud/networking.nix b/hosts/isimud/networking.nix
deleted file mode 100644
index 58c84ee5..00000000
--- a/hosts/isimud/networking.nix
+++ /dev/null
@@ -1,8 +0,0 @@
-{lib, ...}: {
- # Disable networking
- networking.useDHCP = lib.mkForce false;
- networking.interfaces = lib.mkForce {};
- boot.blacklistedKernelModules = ["igb" "iwlwifi" "rtw89"];
-
- networking.hostName = "isimud";
-}
diff --git a/hosts/lahmu/default.nix b/hosts/lahmu/default.nix
deleted file mode 100644
index 94d8b054..00000000
--- a/hosts/lahmu/default.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-{
- config,
- lib,
- nixpkgs,
- home-manager,
- ...
-}: {
- imports = [
- ./hardware
- ./networking.nix
-
- ../../sys
- ];
-
- soispha = {
- locale.enable = true;
- users = {
- # enable = true;
- hashedPassword = "$y$jFT$qi3wS9njrMl2y55b3NOBI0$j40Qt6AAkMSfZ82KPhqMaUaPztWtPps1wOqaXaF/L.6";
- };
- };
-
- system.stateVersion = "23.05";
-}
diff --git a/hosts/lahmu/hardware/cpu.nix b/hosts/lahmu/hardware/cpu.nix
deleted file mode 100644
index 2d7232cd..00000000
--- a/hosts/lahmu/hardware/cpu.nix
+++ /dev/null
@@ -1,4 +0,0 @@
-{config, ...}: {
- powerManagement.cpuFreqGovernor = "powersave";
- hardware.cpu.amd.updateMicrocode = true; # Why not?
-}
diff --git a/hosts/lahmu/hardware/default.nix b/hosts/lahmu/hardware/default.nix
deleted file mode 100644
index bc7b1f96..00000000
--- a/hosts/lahmu/hardware/default.nix
+++ /dev/null
@@ -1,33 +0,0 @@
-{
- config,
- lib,
- pkgs,
- modulesPath,
- ...
-}: {
- imports = [
- (modulesPath + "/installer/scan/not-detected.nix") # TODO: is this necessary?
- (modulesPath + "/profiles/qemu-guest.nix")
- ./cpu.nix
- ./gpu.nix
- ];
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-
- system.fileSystemLayouts = {
- enable = true;
- mainDisk = "/dev/disk/by-uuid/c0382dda-1f55-4209-967d-b8b22cb0f6e1";
- efiDisk = "/dev/disk/by-uuid/167D-2F0B";
- ssd = true;
- swap = {
- uuid = "c0382dda-1f55-4209-967d-b8b22cb0f6e1";
- resumeOffset = "140544";
- };
- };
-
- boot = {
- kernelModules = [];
-
- initrd.availableKernelModules = ["ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk"];
- };
-}
diff --git a/hosts/lahmu/hardware/gpu.nix b/hosts/lahmu/hardware/gpu.nix
deleted file mode 100644
index 88c9b88a..00000000
--- a/hosts/lahmu/hardware/gpu.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- config,
- pkgs,
- lib,
- ...
-}: {
- # hardware.opengl.extraPackages = with pkgs; [
- # rocm-opencl-icd # open-cl
- # amdvlk # or directly through mesa
- # amd-media-driver # libva
- # ];
- #
- # # Force radv, TODO: is this logical?
- # environment.variables.AMD_VULKAN_ICD = "RADV";
-}
diff --git a/hosts/lahmu/networking.nix b/hosts/lahmu/networking.nix
deleted file mode 100644
index 1ef69e7c..00000000
--- a/hosts/lahmu/networking.nix
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- config,
- lib,
- ...
-}: {
- # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
- # (the default) this is the recommended approach. When using systemd-networkd it's
- # still possible to use this option, but it's recommended to use it in conjunction
- # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
- networking.useDHCP = lib.mkDefault true;
- # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
- # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
- networking.hostName = "lahmu";
-}
diff --git a/hosts/mammun/default.nix b/hosts/mammun/default.nix
deleted file mode 100644
index 5c66d9fa..00000000
--- a/hosts/mammun/default.nix
+++ /dev/null
@@ -1,23 +0,0 @@
-{
- config,
- lib,
- nixpkgs,
- home-manager,
- pkgs,
- ...
-}: {
- imports = [
- ./hardware
- ./networking.nix
-
- ../../sys
- ];
- soispha = {
- locale.enable = true;
- users = {
- hashedPassword = "$y$jDT$O/42/7REOL50onRYcTV9R1$Ot3bPAh2raHmPN3yScP4wsJRtNqrMtTBzOq9oRJeRA0";
- };
- };
-
- system.stateVersion = "23.05";
-}
diff --git a/hosts/mammun/hardware/cpu.nix b/hosts/mammun/hardware/cpu.nix
deleted file mode 100644
index 70eaff6f..00000000
--- a/hosts/mammun/hardware/cpu.nix
+++ /dev/null
@@ -1,3 +0,0 @@
-{...}: {
- hardware.cpu.amd.updateMicrocode = true; # Why not?
-}
diff --git a/hosts/mammun/hardware/default.nix b/hosts/mammun/hardware/default.nix
deleted file mode 100644
index b1683d47..00000000
--- a/hosts/mammun/hardware/default.nix
+++ /dev/null
@@ -1,27 +0,0 @@
-{
- config,
- lib,
- pkgs,
- modulesPath,
- ...
-}: {
- imports = [
- (modulesPath + "/installer/scan/not-detected.nix")
- ./cpu.nix
- ./gpu.nix
- ];
-
- nixpkgs.hostPlatform = "x86_64-linux";
-
- system.fileSystemLayouts = {
- enable = true;
- mainDisk = "/dev/disk/by-uuid/ac6c5efd-51a7-42e7-a8cd-668a350554b1";
- efiDisk = "/dev/disk/by-uuid/7931-40E5";
- };
-
- boot = {
- kernelModules = ["kvm-amd"];
-
- initrd.availableKernelModules = ["xhci_pci" "ahci" "ehci_pci" "sd_mod" "sr_mod" "sdhci_pci"];
- };
-}
diff --git a/hosts/mammun/hardware/gpu.nix b/hosts/mammun/hardware/gpu.nix
deleted file mode 100644
index 939497db..00000000
--- a/hosts/mammun/hardware/gpu.nix
+++ /dev/null
@@ -1,14 +0,0 @@
-{pkgs, ...}: {
- boot.initrd.kernelModules = ["amdgpu"];
- # for Southern Islands (SI ie. GCN 1) cards and for Sea Islands (CIK ie. GCN 2) cards
- boot.kernelParams = ["radeon.si_support=0" "amdgpu.si_support=1" "radeon.cik_support=0" "amdgpu.cik_support=1"];
-
- hardware.opengl.driSupport = true;
- # For 32 bit applications
- hardware.opengl.driSupport32Bit = true;
-
- hardware.opengl.extraPackages = with pkgs; [
- rocm-opencl-icd
- rocm-opencl-runtime
- ];
-}
diff --git a/hosts/mammun/networking.nix b/hosts/mammun/networking.nix
deleted file mode 100644
index e243ebe0..00000000
--- a/hosts/mammun/networking.nix
+++ /dev/null
@@ -1,16 +0,0 @@
-{
- config,
- lib,
- ...
-}: {
- networking = {
- networkmanager = {
- enable = true;
- dns = "default";
- wifi = {
- powersave = true;
- };
- };
- hostName = "mammun";
- };
-}
diff --git a/hosts/marduk/default.nix b/hosts/marduk/default.nix
deleted file mode 100644
index 2379fcdf..00000000
--- a/hosts/marduk/default.nix
+++ /dev/null
@@ -1,14 +0,0 @@
-{lib, ...}: {
- imports = [
- ./hardware
- ./networking.nix
- ];
-
- console = {
- keyMap = "dvorak";
- };
- # needed to override defaults
- isoImage.isoName = lib.mkForce "nixos-iso";
-
- system.stateVersion = "23.05";
-}
diff --git a/hosts/marduk/hardware/default.nix b/hosts/marduk/hardware/default.nix
deleted file mode 100644
index 4fed1d06..00000000
--- a/hosts/marduk/hardware/default.nix
+++ /dev/null
@@ -1,19 +0,0 @@
-{
- lib,
- pkgs,
- modulesPath,
- ...
-}: {
- imports = [
- (modulesPath + "/installer/cd-dvd/installation-cd-graphical-gnome.nix")
- ];
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-
- boot = {
- kernelModules = ["rtw89"];
- # FIXME: The kernel version should probably be updated, considering that it's 6.1 <2024-03-23>
- kernelPackages = pkgs.linuxPackages_6_1; # use this kernel, as it's supported by zfs
- zfs.package = pkgs.zfs_unstable; # Default zfs is "broken" (to nixos) on the newest kernel
- };
-}
diff --git a/hosts/marduk/networking.nix b/hosts/marduk/networking.nix
deleted file mode 100644
index da8f3850..00000000
--- a/hosts/marduk/networking.nix
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- config,
- lib,
- ...
-}: {
- # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
- # (the default) this is the recommended approach. When using systemd-networkd it's
- # still possible to use this option, but it's recommended to use it in conjunction
- # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
- networking.useDHCP = lib.mkDefault true;
- # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
- # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
- networking.hostName = "marduk";
-}
-- cgit 1.4.1