NixOS Live Image: convert to a flake

Now `nixpkgs` will be pointing to a specific release, which has a much
smaller chance to unexpectedly break. Currently 23.11. The next one will
be 24.05, 24.11, etc.

NixOS *releases* receive security updates, but packages are upgraded
conservatively, thus don't generally break. As a result, we should need
to worry about NixOS upgrades every 6-12 months. The upgrade means "bump
the version number and try to build it". If it breaks, it will generally
break only then. Less reactive, more proactive surprises.

`flake.nix` was written by @thomaseizinger in
https://github.com/drduh/YubiKey-Guide/issues/406. Changes from the
original:
- change Gnome to xfce. Now it loads with 384MB of RAM and works well
  with the simplest graphics (hello qemu).
- less nasty workaround for hopenpgp-tools. Fixed upstream
  (https://github.com/NixOS/nixpkgs/pull/279117).
- do not default `copytoram`, user can select this option in the
  bootloader.

Here is how to test it:

```
$ nix run .#nixosConfigurations.yubikeyLive.x86_64-linux.config.system.build.vm
```

*Note for the maintainer*: it would be great if you could occasionally
run `nix flake update --commit-lock-file`, *especially* after updating
github.com/drduh/config.git.

Fixes #406

Co-authored-by: Thomas Eizinger <thomas@eizinger.io>

1 files changed, 21 insertions, 208 deletions

diff --git a/README.md b/README.md
index e79930f..d451707 100644
--- a/README.md
+++ b/README.md
@@ -289,219 +289,32 @@ $ sudo yum install -y gnupg2 pinentry-curses pcsc-lite pcsc-lite-libs gnupg2-smi
 
 ## NixOS
 
-Generate an air-gapped NixOS LiveCD image with the given config:
-
-```nix
-# yubikey-installer.nix
-let
-  configuration = { config, lib, pkgs, ... }:
-    with pkgs;
-    let
-      src = fetchGit "https://github.com/drduh/YubiKey-Guide";
-
-      guide = "${src}/README.md";
-
-      contrib = "${src}/contrib";
-
-      drduhConfig = fetchGit "https://github.com/drduh/config";
-
-      gpg-conf = "${drduhConfig}/gpg.conf";
-
-      xserverCfg = config.services.xserver;
-
-      pinentryFlavour = if xserverCfg.desktopManager.lxqt.enable || xserverCfg.desktopManager.plasma5.enable then
-        "qt"
-      else if xserverCfg.desktopManager.xfce.enable then
-        "gtk2"
-      else if xserverCfg.enable || config.programs.sway.enable then
-        "gnome3"
-      else
-        "curses";
-
-      # Instead of hard-coding the pinentry program, chose the appropriate one
-      # based on the environment of the image the user has chosen to build.
-      gpg-agent-conf = runCommand "gpg-agent.conf" {} ''
-        sed '/pinentry-program/d' ${drduhConfig}/gpg-agent.conf > $out
-        echo "pinentry-program ${pinentry.${pinentryFlavour}}/bin/pinentry" >> $out
-      '';
-
-      view-yubikey-guide = writeShellScriptBin "view-yubikey-guide" ''
-        viewer="$(type -P xdg-open || true)"
-        if [ -z "$viewer" ]; then
-          viewer="${glow}/bin/glow -p"
-        fi
-        exec $viewer "${guide}"
-      '';
-
-      shortcut = makeDesktopItem {
-        name = "yubikey-guide";
-        icon = "${yubikey-manager-qt}/share/ykman-gui/icons/ykman.png";
-        desktopName = "drduh's YubiKey Guide";
-        genericName = "Guide to using YubiKey for GPG and SSH";
-        comment = "Open the guide in a reader program";
-        categories = [ "Documentation" ];
-        exec = "${view-yubikey-guide}/bin/view-yubikey-guide";
-      };
-
-      yubikey-guide = symlinkJoin {
-        name = "yubikey-guide";
-        paths = [ view-yubikey-guide shortcut ];
-      };
-
-    in {
-      nixpkgs.overlays = [
-        # hopenpgp-tools in nixpkgs 23.05 is out-of-date and has a broken build
-        (final: prev: {
-          haskellPackages = prev.haskellPackages.override {
-            overrides = hsFinal: hsPrev:
-              let
-                optparse-applicative =
-                  final.haskell.lib.overrideCabal hsPrev.optparse-applicative
-                  (oldAttrs: {
-                    version = "0.18.1.0";
-                    sha256 =
-                      "sha256-Y4EatP0m6Cm4hoNkMlqIvjrMeYGfW7UAWy3TuWHsxJE=";
-                    libraryHaskellDepends =
-                      (oldAttrs.libraryHaskellDepends or [ ])
-                      ++ (with hsFinal; [
-                        text
-                        prettyprinter
-                        prettyprinter-ansi-terminal
-                      ]);
-                  });
-                hopenpgp-tools =
-                  (final.haskell.lib.overrideCabal hsPrev.hopenpgp-tools
-                    (oldAttrs: {
-                      version = "0.23.8";
-                      sha256 =
-                        "sha256-FYvlVE0o/LOYk3a2rucAqm7tg5D/uNQRRrCu/wlDNAE=";
-                      broken = false;
-                    })).override { inherit optparse-applicative; };
-              in { inherit hopenpgp-tools; };
-          };
-        })
-      ];
-
-      isoImage.isoBaseName = lib.mkForce "nixos-yubikey";
-      # Uncomment this to disable compression and speed up image creation time
-      #isoImage.squashfsCompression = "gzip -Xcompression-level 1";
-
-      # Always copytoram so that, if the image is booted from, e.g., a
-      # USB stick, nothing is mistakenly written to persistent storage.
-      boot.kernelParams = [ "copytoram" ];
-      # Secure defaults
-      boot.tmp.cleanOnBoot = true;
-      boot.kernel.sysctl = { "kernel.unprivileged_bpf_disabled" = 1; };
-
-      services.pcscd.enable = true;
-      services.udev.packages = [ yubikey-personalization ];
-
-      programs = {
-        ssh.startAgent = false;
-        gnupg.agent = {
-          enable = true;
-          enableSSHSupport = true;
-        };
-      };
-
-      environment.systemPackages = [
-        # Tools for backing up keys
-        paperkey
-        pgpdump
-        parted
-        cryptsetup
-
-        # Yubico's official tools
-        yubikey-manager
-        yubikey-manager-qt
-        yubikey-personalization
-        yubikey-personalization-gui
-        yubico-piv-tool
-        yubioath-flutter
-
-        # Testing
-        ent
-        (haskell.lib.justStaticExecutables haskellPackages.hopenpgp-tools)
-
-        # Password generation tools
-        diceware
-        pwgen
-
-        # Miscellaneous tools that might be useful beyond the scope of the guide
-        cfssl
-        pcsctools
-
-        # This guide itself (run `view-yubikey-guide` on the terminal to open it
-        # in a non-graphical environment).
-        yubikey-guide
-      ];
-
-      # Disable networking so the system is air-gapped
-      # Comment all of these lines out if you'll need internet access
-      boot.initrd.network.enable = false;
-      networking.dhcpcd.enable = false;
-      networking.dhcpcd.allowInterfaces = [];
-      networking.interfaces = {};
-      networking.firewall.enable = true;
-      networking.useDHCP = false;
-      networking.useNetworkd = false;
-      networking.wireless.enable = false;
-      networking.networkmanager.enable = lib.mkForce false;
-
-      # Unset history so it's never stored
-      # Set GNUPGHOME to an ephemeral location and configure GPG with the
-      # guide's recommended settings.
-      environment.interactiveShellInit = ''
-        unset HISTFILE
-        export GNUPGHOME="/run/user/$(id -u)/gnupg"
-        if [ ! -d "$GNUPGHOME" ]; then
-          echo "Creating \$GNUPGHOME…"
-          install --verbose -m=0700 --directory="$GNUPGHOME"
-        fi
-        [ ! -f "$GNUPGHOME/gpg.conf" ] && cp --verbose ${gpg-conf} "$GNUPGHOME/gpg.conf"
-        [ ! -f "$GNUPGHOME/gpg-agent.conf" ] && cp --verbose ${gpg-agent-conf} "$GNUPGHOME/gpg-agent.conf"
-        echo "\$GNUPGHOME is \"$GNUPGHOME\""
-      '';
-
-      # Copy the contents of contrib to the home directory, add a shortcut to
-      # the guide on the desktop, and link to the whole repo in the documents
-      # folder.
-      system.activationScripts.yubikeyGuide = let
-        homeDir = "/home/nixos/";
-        desktopDir = homeDir + "Desktop/";
-        documentsDir = homeDir + "Documents/";
-      in ''
-        mkdir -p ${desktopDir} ${documentsDir}
-        chown nixos ${homeDir} ${desktopDir} ${documentsDir}
-
-        cp -R ${contrib}/* ${homeDir}
-        ln -sf ${yubikey-guide}/share/applications/yubikey-guide.desktop ${desktopDir}
-        ln -sfT ${src} ${documentsDir}/YubiKey-Guide
-      '';
-    };
-
-  nixos = import <nixpkgs/nixos/release.nix> {
-    inherit configuration;
-    supportedSystems = [ "x86_64-linux" ];
-  };
-
-  # Choose the one you like:
-  #nixos-yubikey = nixos.iso_minimal; # No graphical environment
-  #nixos-yubikey = nixos.iso_gnome;
-  nixos-yubikey = nixos.iso_plasma5;
-
-in {
-  inherit nixos-yubikey;
-}
+Generate an air-gapped NixOS LiveCD image:
+
+```console
+$ ref=$(git ls-remote https://github.com/drduh/Yubikey-Guide refs/heads/master | awk '{print $1}')
+$ nix build --experimental-features "nix-command flakes" github:drduh/YubiKey-Guide/$ref#nixosConfigurations.yubikeyLive.x86_64-linux.config.system.build.isoImage
 ```
 
-Build the installer and copy it to a USB drive.
+If you have this repository checked out:
+
+Recommended, but optional: update `nixpkgs` and `drduh/config`:
 
 ```console
-$ nix-build yubikey-installer.nix --out-link installer --attr nixos-yubikey
+$ nix flake update --commit-lock-file
+```
+
+Generate the ISO:
 
-$ sudo cp -v installer/iso/*.iso /dev/sdb; sync
-'installer/iso/nixos-yubikey-22.05beta-248980.gfedcba-x86_64-linux.iso' -> '/dev/sdb'
+```console
+$ nix build --experimental-features "nix-command flakes" .#nixosConfigurations.yubikeyLive.x86_64-linux.config.system.build.isoImage
+```
+
+Copy it to a USB drive:
+
+```console
+$ sudo cp -v result/iso/yubikeyLive.iso /dev/sdb; sync
+'result/iso/yubikeyLive.iso' -> '/dev/sdb'
 ```
 
 With this image, you won't need to manually create a [temporary working directory](#temporary-working-directory) or [harden the configuration](#harden-configuration), as it was done when creating the image.