configured secureboot

This commit is contained in:
Rouven Seifert 2023-05-31 13:23:49 +02:00
parent ea825be67f
commit a9442f038d
Signed by: rouven.seifert
GPG key ID: B95E8FE6B11C4D09
6 changed files with 249 additions and 76 deletions


@ -32,7 +32,56 @@
"type": "gitlab" "type": "gitlab"
} }
}, },
"crane": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"nixpkgs": [
"lanzaboote",
"nixpkgs"
],
"rust-overlay": [
"lanzaboote",
"rust-overlay"
]
},
"locked": {
"lastModified": 1683505101,
"narHash": "sha256-VBU64Jfu2V4sUR5+tuQS9erBRAe/QEYUxdVMcJGMZZs=",
"owner": "ipetkov",
"repo": "crane",
"rev": "7b5bd9e5acb2bb0cfba2d65f34d8568a894cdb6c",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"flake-compat": { "flake-compat": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1668681692, "lastModified": 1668681692,
@ -48,6 +97,67 @@
"type": "github" "type": "github"
} }
}, },
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1683560683,
"narHash": "sha256-XAygPMN5Xnk/W2c1aW0jyEa6lfMDZWlQgiNtmHXytPc=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "006c75898cf814ef9497252b022e91c946ba8e17",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1681202837,
"narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "cfacdce06f30d2b68473a46042957675eebb3401",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"pre-commit-hooks-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1660459072,
"narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"home-manager": { "home-manager": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -145,6 +255,32 @@
"type": "github" "type": "github"
} }
}, },
"lanzaboote": {
"inputs": {
"crane": "crane",
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
],
"pre-commit-hooks-nix": "pre-commit-hooks-nix",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1685349926,
"narHash": "sha256-c1rKI1glJWdJIPefp9aiyhAkEZ4Sc6Rh/J5VumEXu1M=",
"owner": "nix-community",
"repo": "lanzaboote",
"rev": "2e62c11babeead4b26efbb7f2cd4488baaa2e897",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "lanzaboote",
"type": "github"
}
},
"nix-colors": { "nix-colors": {
"inputs": { "inputs": {
"base16-schemes": "base16-schemes", "base16-schemes": "base16-schemes",
@ -245,6 +381,22 @@
} }
}, },
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": {
"lastModified": 1678872516,
"narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "9b8e5abb18324c7fe9f07cb100c3cd4a29cda8b8",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-22.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable_2": {
"locked": { "locked": {
"lastModified": 1685215858, "lastModified": 1685215858,
"narHash": "sha256-IRMFoDXA6cYx3ifVw3B2JcC4JrjT5v7tRAx2vro2Ffs=", "narHash": "sha256-IRMFoDXA6cYx3ifVw3B2JcC4JrjT5v7tRAx2vro2Ffs=",
@ -275,6 +427,37 @@
"type": "indirect" "type": "indirect"
} }
}, },
"pre-commit-hooks-nix": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"gitignore": "gitignore",
"nixpkgs": [
"lanzaboote",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1682596858,
"narHash": "sha256-Hf9XVpqaGqe/4oDGr30W8HlsWvJXtMsEPHDqHZA6dDg=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "fb58866e20af98779017134319b5663b8215d912",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"purge": { "purge": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -300,6 +483,7 @@
"home-manager": "home-manager", "home-manager": "home-manager",
"hyprland": "hyprland", "hyprland": "hyprland",
"impermanence": "impermanence", "impermanence": "impermanence",
"lanzaboote": "lanzaboote",
"nix-colors": "nix-colors", "nix-colors": "nix-colors",
"nix-index-database": "nix-index-database", "nix-index-database": "nix-index-database",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
@ -310,10 +494,35 @@
"trucksimulatorbot": "trucksimulatorbot" "trucksimulatorbot": "trucksimulatorbot"
} }
}, },
"rust-overlay": {
"inputs": {
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1684030847,
"narHash": "sha256-z4tOxaN9Cl8C80u6wyZBpPt9A9MbL21fZ3zdB/vG+AU=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "aa1480f16bec7dda3c62b8cdb184c7e823331ba2",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"simple-nixos-mailserver": { "simple-nixos-mailserver": {
"inputs": { "inputs": {
"blobs": "blobs", "blobs": "blobs",
"flake-compat": "flake-compat", "flake-compat": "flake-compat_2",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
@ -339,7 +548,7 @@
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
"nixpkgs-stable": "nixpkgs-stable" "nixpkgs-stable": "nixpkgs-stable_2"
}, },
"locked": { "locked": {
"lastModified": 1685434555, "lastModified": 1685434555,
@ -354,6 +563,21 @@
"type": "indirect" "type": "indirect"
} }
}, },
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"trucksimulatorbot": { "trucksimulatorbot": {
"inputs": { "inputs": {
"images": "images", "images": "images",


@ -32,6 +32,11 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
lanzaboote = {
url = "github:nix-community/lanzaboote";
inputs.nixpkgs.follows = "nixpkgs";
};
simple-nixos-mailserver = { simple-nixos-mailserver = {
url = "gitlab:simple-nixos-mailserver/nixos-mailserver"; url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
@ -49,6 +54,7 @@
, impermanence , impermanence
, nix-colors , nix-colors
, nixos-hardware , nixos-hardware
, lanzaboote
, purge , purge
, trucksimulatorbot , trucksimulatorbot
, simple-nixos-mailserver , simple-nixos-mailserver
@ -56,7 +62,6 @@
}@attrs: { }@attrs: {
packages.x86_64-linux.iso = self.nixosConfigurations.iso.config.system.build.isoImage; packages.x86_64-linux.iso = self.nixosConfigurations.iso.config.system.build.isoImage;
packages.x86_64-linux.jmri = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/jmri { }; packages.x86_64-linux.jmri = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/jmri { };
packages.x86_64-linux.circuitjs = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/circuitjs { };
hydraJobs = self.packages; hydraJobs = self.packages;
formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt; formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt;
nixosConfigurations = { nixosConfigurations = {
@ -72,6 +77,7 @@
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
nix-index-database.nixosModules.nix-index nix-index-database.nixosModules.nix-index
impermanence.nixosModules.impermanence impermanence.nixosModules.impermanence
lanzaboote.nixosModules.lanzaboote
{ {
home-manager.extraSpecialArgs = attrs; home-manager.extraSpecialArgs = attrs;
home-manager.users.rouven = { home-manager.users.rouven = {
@ -91,6 +97,7 @@
nixos-hardware.nixosModules.intel-nuc-8i7beh nixos-hardware.nixosModules.intel-nuc-8i7beh
nix-index-database.nixosModules.nix-index nix-index-database.nixosModules.nix-index
impermanence.nixosModules.impermanence impermanence.nixosModules.impermanence
lanzaboote.nixosModules.lanzaboote
./hosts/nuc ./hosts/nuc
./shared ./shared
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
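Review bot: The new `lanzaboote` input at L313 carries no ref, so it tracks the repository's default branch and the next `nix flake update` silently moves the tool that signs everything the firmware runs before the kernel; the lock pins rev 2e62c11 today, but flake.nix itself records no intended version. For a component in the trust chain, pin an explicit release tag or revision, e.g. `url = "github:nix-community/lanzaboote/<release-tag>";`, and bump it deliberately with a look at the upstream diff. Note that the `follows` on L314 covers only nixpkgs: the lock shows crane, rust-overlay, flake-parts, flake-utils, pre-commit-hooks-nix (with its own nixos-22.11 `nixpkgs-stable`) and gitignore.nix being pulled in through lanzaboote, which is the effective supply chain of the signing toolchain. A one-line comment above the input recording why it is pinned (or why it is not) would help the next person reading this file.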

View file

@ -30,6 +30,7 @@
directories = [ directories = [
"/etc/nixos" "/etc/nixos"
"/etc/ssh" "/etc/ssh"
"/etc/secureboot"
]; ];
files = [ files = [
"/etc/machine-id" "/etc/machine-id"
@ -53,6 +54,7 @@
htop-vim htop-vim
helix helix
lsof lsof
sbctl
]; ];
programs.git = { programs.git = {
enable = true; enable = true;
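Review bot: This section persists `/etc/secureboot` (L358) and installs `sbctl` (L366), but nothing in the visible hunks enables `boot.lanzaboote` for this host, so if its boot configuration is not set elsewhere the keys created here are never used and the firmware keeps booting an unsigned systemd-boot. If that is intentional (key management only for now), say so with a comment next to the persisted directory, e.g. `"/etc/secureboot" # sbctl key bundle (private signing keys) -- lanzaboote not yet enabled on this host`. Either way the bind-mounted directory holds private signing keys, so confirm the persisted source directory stays root-only (sbctl creates it restricted, but impermanence preserves whatever permissions the persisted copy has). Both `directories` and the package list here are attribute sets that start and end outside the hunk.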


@ -12,7 +12,16 @@
# Use the systemd-boot EFI boot loader. # Use the systemd-boot EFI boot loader.
boot = { boot = {
loader.systemd-boot.enable = true; # Lanzaboote currently replaces the systemd-boot module.
# This setting is usually set to true in configuration.nix
# generated at installation time. So we force it to false
# for now.
loader.systemd-boot.enable = lib.mkForce false;
lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
configurationLimit = 10;
};
loader.systemd-boot.editor = false; loader.systemd-boot.editor = false;
loader.efi.canTouchEfiVariables = true; loader.efi.canTouchEfiVariables = true;
kernelPackages = pkgs.linuxPackages_latest; kernelPackages = pkgs.linuxPackages_latest;
@ -27,6 +36,7 @@
directories = [ directories = [
"/etc/nixos" # bind mounted from /nix/persist/system/etc/nixos to /etc/nixos "/etc/nixos" # bind mounted from /nix/persist/system/etc/nixos to /etc/nixos
"/etc/ssh" "/etc/ssh"
"/etc/secureboot"
]; ];
files = [ files = [
"/etc/machine-id" "/etc/machine-id"
@ -179,6 +189,7 @@
unzip unzip
virt-viewer # multi monitor for vms virt-viewer # multi monitor for vms
sbctl
]; ];
programs.java.enable = true; programs.java.enable = true;
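Review bot: `pkiBundle = "/etc/secureboot"` (L383) hands lanzaboote the sbctl bundle containing the private PK/KEK/db signing keys, and L393 keeps that directory across reboots via impermanence; anyone who can read it can sign their own stub or kernel, so Secure Boot then protects against nothing they choose to run. The hunk does not show whether the persisted volume is encrypted or how the directory is permissioned, so confirm `/nix/persist` lives on an encrypted device and the bundle stays root-only, and record that above the option: `# Private Secure Boot signing keys (sbctl create-keys): keep root-only and on encrypted storage.`. Enabling lanzaboote only signs the boot artifacts; the firmware enforces the chain only after `sbctl enroll-keys` has been run and Secure Boot is on, so the "configured" state in the commit title should be checked with `sbctl status` on the machine. Whether `loader.systemd-boot.editor = false` (L386) still takes effect now that the systemd-boot module is forced off (L380) depends on the lanzaboote module honouring that option; if it does not, a console user may be able to edit the kernel command line, which is worth verifying. The `boot` attribute set opened at L375 closes outside this hunk.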


@ -1,72 +0,0 @@
{ stdenv, fetchurl, makeWrapper, wrapGAppsHook, lib, libX11, libXext, gtk3-x11, dbus, nspr, alsa-lib, glib, expat, gdk-pixbuf, mesa, xorg, nss, cups, ffmpeg, cairo, pango, atk, libdrm, ... }:
stdenv.mkDerivation rec {
pname = "circuitjs";
version = "2.8.0";
src = fetchurl {
url = "https://www.falstad.com/circuit/offline/circuitjs1-linux64.tgz";
hash = "sha256-dyIEuDA7FRwHCok41wcJAr8eqksJSOdChafPPh0Q3zM=";
};
nativeBuildInputs = [ makeWrapper wrapGAppsHook ];
sourceRoot = ".";
dontBuild = true;
dontStrip = true;
dontPatchELF = true;
libPath = lib.makeLibraryPath [
libX11
libXext
alsa-lib
xorg.libXi
xorg.libXrender
xorg.libXfixes
xorg.libXtst
xorg.libXcomposite
xorg.libXcursor
xorg.libXrandr
xorg.libXdamage
xorg.libxcb
xorg.libXScrnSaver
nss
ffmpeg.lib
cups
pango
cairo
nspr
atk
libdrm
glib
dbus
gtk3-x11
mesa
expat
gdk-pixbuf
];
# wrapProgramShell $out/opt/circuitjs1 \
# "''${gappsWrapperArgs[@]}" \
# --prefix LD_LIBRARY_PATH : ${libPath}:$out/lib \
installPhase = ''
mkdir -p $out/
cp -r circuitjs1 $out/opt
mkdir -p $out/lib
cp circuitjs1/lib* $out/lib
mkdir -p $out/bin
ln -sf $out/opt/circuitjs1 $out/bin/circuitjs1
patchelf \
--set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \
--set-rpath "${libPath}":$out/lib \
$out/bin/circuitjs1
'';
meta = with lib; {
# inherit homepage;
description = "Falstad circuit simulator";
sourceProvenance = with sourceTypes; [ binaryNativeCode ];
# license = licenses.unfree;
platforms = platforms.linux;
maintainers = [ maintainers.therealr5 ];
};
}


@ -3,6 +3,7 @@
imports = [ ./fixes.nix ]; imports = [ ./fixes.nix ];
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
users.users.rouven = { users.users.rouven = {
description = "Rouven Seifert";
isNormalUser = true; isNormalUser = true;
extraGroups = [ "wheel" "video" "libvirtd" ]; extraGroups = [ "wheel" "video" "libvirtd" ];
initialHashedPassword = "$6$X3XERQv28Nt1UUT5$MjdMBDuXyEwexkuKqmNFweez69q4enY5cjMXSbBxOc6Bq7Fhhp7OqmCm02k3OGjoZFXzPV9ZHuMSGKZOtwYIk1"; initialHashedPassword = "$6$X3XERQv28Nt1UUT5$MjdMBDuXyEwexkuKqmNFweez69q4enY5cjMXSbBxOc6Bq7Fhhp7OqmCm02k3OGjoZFXzPV9ZHuMSGKZOtwYIk1";