diff --git a/modules/nixos/services/base/default.nix b/modules/nixos/services/base/default.nix
new file mode 100644
index 0000000..1bc7292
--- /dev/null
+++ b/modules/nixos/services/base/default.nix
@@ -0,0 +1,120 @@
+{ options, config, lib, pkgs, ... }:
+
+with lib;
+with lib.plusultra;
+let cfg = config.plusultra.base;
+in
+{
+ options.plusultra.base = with types; {
+ enable = mkBoolOpt false "Whether or not to enable the base config.";
+ };
+
+ config = mkIf cfg.enable {
+ # Configure console keymap
+ console.keyMap = "us";
+ i18n.extraLocaleSettings = {
+ LC_MESSAGES = "en_US.UTF-8";
+ LC_TIME = "de_DE.UTF-8";
+ };
+
+ environment = {
+ sessionVariables = { PATH = "$HOME/bin:$HOME/.cargo/bin"; };
+ systemPackages = with pkgs; [
+ age
+ bash
+ cachix
+ cifs-utils
+ clevis
+ delta
+ efibootmgr
+ git
+ git-delete-merged-branches
+ home-manager
+ htop
+ mosh
+ nixpkgs-fmt
+ openssl
+ restic
+ rrsync
+ sbctl
+ sops
+ strace
+ tmux
+ tpm2-pkcs11
+ tpm2-pkcs11.out
+ tpm2-tools
+ vim
+ virt-manager
+ wget
+ ];
+ shells = [ pkgs.fish pkgs.bash ];
+ };
+
+ hardware = {
+ cpu = {
+ amd.updateMicrocode = lib.mkDefault true;
+ intel.updateMicrocode = lib.mkDefault true;
+ };
+ enableRedistributableFirmware = lib.mkDefault true;
+ enableAllFirmware = true;
+ };
+
+ programs = {
+ dconf.enable = true;
+ bash = {
+ ## shellInit = ''
+ interactiveShellInit = ''
+ bind '"\e[A": history-search-backward'
+ bind '"\e[B": history-search-forward'
+ '';
+ };
+ starship.enable = true;
+ mosh.enable = true;
+ vim.defaultEditor = true;
+ fish.enable = true;
+ };
+
+ # powerManagement.cpuFreqGovernor = "ondemand";
+
+ services = {
+ dbus.implementation = "broker";
+ dbus.packages = [ pkgs.gcr ];
+ fwupd.enable = true;
+ openssh = {
+ enable = true;
+ settings.PermitRootLogin = "prohibit-password";
+ settings.X11Forwarding = true;
+ };
+ };
+
+ security = {
+ tpm2.enable = lib.mkDefault true;
+ tpm2.abrmd.enable = lib.mkDefault true;
+ sudo = {
+ enable = true;
+ wheelNeedsPassword = false;
+ };
+ };
+
+ system.stateVersion = "23.11";
+
+ time.timeZone = "Europe/Berlin";
+
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNsmP15vH8BVKo7bdvIiiEjiQboPGcRPqJK0+bH4jKD harald@lenovo.fritz.box"
+ "sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBACLgT81iB1iWWVuXq6PdQ5GAAGhaZhSKnveQCvcNnAOZ5WKH80bZShKHyAYzrzbp8IGwLWJcZQ7TqRK+qZdfagAAAAEc3NoOg== harald@hoyer.xyz"
+ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDsb/Tr69YN5MQLweWPuJaRGm+h2kOyxfD6sqKEDTIwoAAAABHNzaDo= harald@fedora.fritz.box"
+ ];
+
+ boot = {
+ tmp.cleanOnBoot = true;
+ loader = {
+ systemd-boot.enable = false;
+ efi.canTouchEfiVariables = true;
+ timeout = 2;
+ };
+ initrd.systemd.enable = lib.mkDefault true;
+ kernelPackages = lib.mkOverride 0 pkgs.linuxPackages_latest;
+ };
+ };
+}
diff --git a/modules/nixos/services/podman/default.nix b/modules/nixos/services/podman/default.nix
new file mode 100644
index 0000000..836eae8
--- /dev/null
+++ b/modules/nixos/services/podman/default.nix
@@ -0,0 +1,25 @@
+{ options, config, lib, pkgs, ... }:
+
+with lib;
+with lib.plusultra;
+let cfg = config.plusultra.podman;
+in
+{
+ options.plusultra.podman = with types; {
+ enable = mkBoolOpt false "Whether or not to enable podman.";
+ };
+
+ config = mkIf cfg.enable {
+ virtualisation = {
+ podman = {
+ enable = true;
+
+ # Create a `docker` alias for podman, to use it as a drop-in replacement
+ dockerCompat = true;
+
+ # For Nixos version > 22.11
+ defaultNetwork.settings = { dns_enabled = true; };
+ };
+ };
+ };
+}
diff --git a/modules/nixos/services/secureboot/default.nix b/modules/nixos/services/secureboot/default.nix
new file mode 100644
index 0000000..e76b4d0
--- /dev/null
+++ b/modules/nixos/services/secureboot/default.nix
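Review bot: `kernelPackages = lib.mkOverride 0 pkgs.linuxPackages_latest;` inside a shared base module uses the highest possible priority, so no host that enables `plusultra.base` can pick a different kernel without editing the module; `kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;` (the same pattern the module already uses for `initrd.systemd.enable` one line above) keeps the default while leaving hosts free to override. The same concern applies to the host-policy settings the module now fixes for every consumer without `mkDefault` — `services.openssh.settings.X11Forwarding = true`, `security.sudo.wheelNeedsPassword = false` and the root `authorizedKeys` list — which a headless host may want to tighten; wrapping them in `lib.mkDefault`, or exposing them under `options.plusultra.base`, avoids `mkForce` at the call sites. `hardware.enableAllFirmware = true` also has no `mkDefault` and pulls in unfree firmware packages for every host, which is worth a one-line comment stating that this is intended.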
@@ -0,0 +1,21 @@
+{ options, config, lib, pkgs, ... }:
+
+with lib;
+with lib.plusultra;
+let cfg = config.plusultra.secureboot;
+in
+{
+ options.plusultra.secureboot = with types; {
+ enable = mkBoolOpt false "Whether or not to enable secureboot.";
+ };
+
+ config = mkIf cfg.enable {
+ boot = {
+ lanzaboote = {
+ enable = true;
+ pkiBundle = "/etc/secureboot";
+ };
+ loader.systemd-boot.enable = lib.mkForce false;
+ };
+ };
+}
diff --git a/modules/nixos/sgx/pccs/default.nix b/modules/nixos/sgx/pccs/default.nix
index 8e71f95..5cd540a 100644
--- a/modules/nixos/sgx/pccs/default.nix
+++ b/modules/nixos/sgx/pccs/default.nix
@@ -2,7 +2,9 @@
 with lib;
 with lib.plusultra;
-let cfg = config.plusultra.pccs;
+let
+ cfg = config.plusultra.pccs;
+ cfg_podman = config.plusultra.podman;
 in
 {
 options.plusultra.pccs = with types; {
@@ -16,20 +18,20 @@ in
 };
 config = mkIf cfg.enable {
- assertions = [{
- assertion = cfg.secret != null;
- message = "path to the pccs secret file is required when pccs is enabled";
- }];
+ assertions = [
+ {
+ assertion = cfg.secret != null;
+ message = "path to the pccs secret file is required when pccs is enabled";
+ }
+ {
+ assertion = cfg_podman.enable;
+ message = "podman must be enabled when pccs is enabled";
+ }
+ ];
- virtualisation = {
- podman = {
- enable = true;
-
- # Create a `docker` alias for podman, to use it as a drop-in replacement
- dockerCompat = true;
-
- # For Nixos version > 22.11
- defaultNetwork.settings = { dns_enabled = true; };
+ plusultra = {
+ nix.extra-substituters = {
+ "https://nixsgx.cachix.org".key = "nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE=";
 };
 };
diff --git a/systems/x86_64-linux/sgx/default.nix b/systems/x86_64-linux/sgx/default.nix
index 0dab774..24f31e8 100644
--- a/systems/x86_64-linux/sgx/default.nix
+++ b/systems/x86_64-linux/sgx/default.nix
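Review bot: `pkiBundle = "/etc/secureboot"` is hard-coded while `enable` is the module's only option; that directory holds the Secure Boot signing keys lanzaboote reads at build time, so it must stay outside the repository and the Nix store, and exposing it as `pkiBundle = mkOption { type = types.str; default = "/etc/secureboot"; };` under `options.plusultra.secureboot` would let a host relocate it without editing the module. `loader.systemd-boot.enable = lib.mkForce false;` silently overrides the plain `systemd-boot.enable = false` that the base module also sets; a comment such as `# lanzaboote ships its own signed systemd-boot; force the stock loader off even if a host enables it` would explain why the force is needed here and not there.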
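Review bot: Enabling pccs now adds `https://nixsgx.cachix.org` and its public key as a trusted substituter via `plusultra.nix.extra-substituters` as a side effect, which is a supply-chain trust decision (every store path served by that cache is accepted as valid) that the hunk leaves undocumented; a comment on the new `plusultra = {` line, e.g. `# pccs presumably comes from the nixsgx cache; trusting it here means every pccs host accepts its signatures -- <why this is acceptable>`, or a mention in the `enable` option description, would make that explicit. The sgx host in this same commit sets the identical key itself, so one of the two definitions is redundant and the key now has two places to be rotated. The `cfg_podman` binding introduced in the previous hunk is the only snake_case name on the page; `cfgPodman` would match the `cfg` convention. The enclosing `config = mkIf cfg.enable {` attrset continues past the end of this hunk.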
@@ -2,13 +2,19 @@
 with lib;
 with lib.plusultra;
 {
- imports =
- [
- # Include the results of the hardware scan.
- ./hardware-configuration.nix
- ];
+ imports = [ ./hardware-configuration.nix ];
- networking.hostName = "sgx"; # Define your hostname.
+ plusultra = {
+ base.enable = true;
+ gui.enable = false;
+ nix-ld.enable = true;
+ nix.enable = true;
+ nix.extra-substituters."https://nixsgx.cachix.org".key = "nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE=";
+ pccs.enable = true;
+ pccs.secret = config.sops.secrets.pccs.path;
+ podman.enable = true;
+ secureboot.enable = true;
+ };
 system.autoUpgrade = {
 enable = true;
@@ -23,6 +29,11 @@ with lib.plusultra;
 flake = "git+https://git.hoyer.xyz/harald/nixcfg#sgx";
 };
+ networking.hostName = "sgx"; # Define your hostname.
+
+ security.tpm2.enable = false;
+ security.tpm2.abrmd.enable = false;
+
 sops.secrets.pccs = {
 sopsFile = ../../../.secrets/sgx/pccs.yaml; # bring your own password file
 };
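Review bot: Switching this host to `base.enable = true` silently drops `powerManagement.cpuFreqGovernor = "ondemand";` — the old host config set it (see the deletion hunk later in this file), but the base module keeps that line commented out, so sgx loses its governor setting with nothing in the commit saying so; either re-add `powerManagement.cpuFreqGovernor = "ondemand";` to this host or uncomment it in the base module. `nix.extra-substituters."https://nixsgx.cachix.org".key` is now also defined twice for this host, here and in the pccs module that `pccs.enable = true` activates; this presumably only evaluates while both strings stay byte-identical, and dropping the host-level line would leave one place to rotate the key.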
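Review bot: `security.tpm2.enable = false;` and `security.tpm2.abrmd.enable = false;` override the `lib.mkDefault true` the new base module sets, but nothing records why this host opts out of the TPM stack while the base module ships `tpm2-tools` and `tpm2-pkcs11`; a one-line comment, e.g. `# TPM2 stack disabled on sgx: <reason>`, would keep the next reader from re-enabling it. The moved `networking.hostName` line still carries the `# Define your hostname.` template comment, which adds nothing and could be dropped.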
@@ -31,137 +42,7 @@ with lib.plusultra;
 services.aesmd.enable = true;
- plusultra = {
- pccs.enable = true;
- pccs.secret = config.sops.secrets.pccs.path;
- gui.enable = false;
- nix-ld.enable = true;
- nix.enable = true;
- nix.extra-substituters = {
- "https://nixsgx.cachix.org".key = "nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE=";
- };
- };
-
- boot = {
- lanzaboote = {
- enable = true;
- pkiBundle = "/etc/secureboot";
- };
- tmp.cleanOnBoot = true;
- loader = {
- systemd-boot.enable = false;
- efi.canTouchEfiVariables = true;
- timeout = 2;
- };
- initrd.systemd.enable = true;
- kernelPackages = lib.mkOverride 0 pkgs.linuxPackages_latest;
- };
-
-
- # Configure console keymap
- console.keyMap = "us";
- i18n.extraLocaleSettings = {
- LC_MESSAGES = "en_US.UTF-8";
- LC_TIME = "de_DE.UTF-8";
- };
-
- environment = {
- sessionVariables = { PATH = "$HOME/bin:$HOME/.cargo/bin"; };
- systemPackages = with pkgs; [
- age
- bash
- cachix
- cifs-utils
- clevis
- delta
- efibootmgr
- git
- git-delete-merged-branches
- home-manager
- htop
- mosh
- nixpkgs-fmt
- openssl
- restic
- rrsync
- sbctl
- sops
- strace
- tmux
- tpm2-pkcs11
- tpm2-pkcs11.out
- tpm2-tools
- vim
- virt-manager
- wget
- ];
- shells = [ pkgs.fish pkgs.bash ];
- };
-
- hardware = {
- cpu = {
- amd.updateMicrocode = lib.mkDefault true;
- intel.updateMicrocode = lib.mkDefault true;
- };
- enableRedistributableFirmware = lib.mkDefault true;
- enableAllFirmware = true;
- };
-
- programs = {
- dconf.enable = true;
- bash = {
- ## shellInit = ''
- interactiveShellInit = ''
- bind '"\e[A": history-search-backward'
- bind '"\e[B": history-search-forward'
- '';
- };
- starship.enable = true;
- mosh.enable = true;
- vim.defaultEditor = true;
- fish.enable = true;
- };
- powerManagement.cpuFreqGovernor = "ondemand";
- services = {
- dbus.implementation = "broker";
- dbus.packages = [ pkgs.gcr ];
- fwupd.enable = true;
- openssh = {
- enable = true;
- settings.PermitRootLogin = "prohibit-password";
- settings.X11Forwarding = true;
- };
- };
-
- security = {
- sudo = {
- enable = true;
- wheelNeedsPassword = false;
- };
- };
- system.stateVersion = "23.11";
-
- time.timeZone = "Europe/Berlin";
-
- users.users.root.openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNsmP15vH8BVKo7bdvIiiEjiQboPGcRPqJK0+bH4jKD harald@lenovo.fritz.box"
- "sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBACLgT81iB1iWWVuXq6PdQ5GAAGhaZhSKnveQCvcNnAOZ5WKH80bZShKHyAYzrzbp8IGwLWJcZQ7TqRK+qZdfagAAAAEc3NoOg== harald@hoyer.xyz"
- "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDsb/Tr69YN5MQLweWPuJaRGm+h2kOyxfD6sqKEDTIwoAAAABHNzaDo= harald@fedora.fritz.box"
- ];
-
- virtualisation = {
- podman = {
- enable = true;
-
- # Create a `docker` alias for podman, to use it as a drop-in replacement
- dockerCompat = true;
-
- # For Nixos version > 22.11
- defaultNetwork.settings = { dns_enabled = true; };
- };
- };
- }
diff --git a/systems/x86_64-linux/x1/default.nix b/systems/x86_64-linux/x1/default.nix
index 6806066..a63875f 100644
--- a/systems/x86_64-linux/x1/default.nix
+++ b/systems/x86_64-linux/x1/default.nix
@@ -2,11 +2,17 @@
 with lib;
 with lib.plusultra;
 {
- imports =
- [
- # Include the results of the hardware scan.
- ./hardware-configuration.nix
- ];
+ imports = [ ./hardware-configuration.nix ];
+
+ plusultra = {
+ base.enable = true;
+ gui.enable = true;
+ nix-ld.enable = true;
+ nix.enable = true;
+ nix.extra-substituters."https://nixsgx.cachix.org".key = "nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE=";
+ podman.enable = true;
+ secureboot.enable = true;
+ };
 system.autoUpgrade = {
 enable = true;
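Review bot: This host trusts the `https://nixsgx.cachix.org` substituter key without enabling `pccs`, so unlike the sgx host there is no module explaining what the cache is for; if x1 consumes SGX packages for another reason, a comment on the `nix.extra-substituters` line such as `# needed for <package>; everything served by this cache is trusted as signed` would record it, and if it does not, the line can be dropped now that the pccs module carries the key. The enclosing top-level attrset starts before and ends after this hunk.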
@@ -21,136 +27,5 @@ with lib.plusultra;
 flake = "git+https://git.hoyer.xyz/harald/nixcfg#x1";
 };
- plusultra = {
- gui.enable = true;
- nix-ld.enable = true;
- nix.enable = true;
- nix.extra-substituters = {
- "https://nixsgx.cachix.org".key = "nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE=";
- };
- };
-
- boot = {
- lanzaboote = {
- enable = true;
- pkiBundle = "/etc/secureboot";
- };
- tmp.cleanOnBoot = true;
- loader = {
- systemd-boot.enable = false;
- efi.canTouchEfiVariables = true;
- timeout = 2;
- };
- initrd.systemd.enable = true;
- kernelPackages = lib.mkOverride 0 pkgs.linuxPackages_latest;
- };
-
-
- # Configure console keymap
- console.keyMap = "us";
- i18n.extraLocaleSettings = {
- LC_MESSAGES = "en_US.UTF-8";
- LC_TIME = "de_DE.UTF-8";
- };
-
- environment = {
- sessionVariables = { PATH = "$HOME/bin:$HOME/.cargo/bin"; };
- systemPackages = with pkgs; [
- age
- bash
- cachix
- cifs-utils
- clevis
- delta
- efibootmgr
- git
- git-delete-merged-branches
- home-manager
- htop
- mosh
- nixpkgs-fmt
- openssl
- restic
- rrsync
- sbctl
- sops
- strace
- tmux
- tpm2-pkcs11
- tpm2-pkcs11.out
- tpm2-tools
- vim
- virt-manager
- wget
- ];
- shells = [ pkgs.fish pkgs.bash ];
- };
-
- hardware = {
- cpu = {
- amd.updateMicrocode = lib.mkDefault true;
- intel.updateMicrocode = lib.mkDefault true;
- };
- enableRedistributableFirmware = lib.mkDefault true;
- enableAllFirmware = true;
- };
-
- programs = {
- dconf.enable = true;
- bash = {
- ## shellInit = ''
- interactiveShellInit = ''
- bind '"\e[A": history-search-backward'
- bind '"\e[B": history-search-forward'
- '';
- };
- starship.enable = true;
- mosh.enable = true;
- vim.defaultEditor = true;
- fish.enable = true;
- };
-
- # powerManagement.cpuFreqGovernor = "ondemand";
-
- services = {
- dbus.implementation = "broker";
- dbus.packages = [ pkgs.gcr ];
- fwupd.enable = true;
- openssh = {
- enable = true;
- settings.PermitRootLogin = "prohibit-password";
- settings.X11Forwarding = true;
- };
- };
-
- security = {
- tpm2.enable = lib.mkDefault true;
- tpm2.abrmd.enable = lib.mkDefault true;
- sudo = {
- enable = true;
- wheelNeedsPassword = false;
- };
- };
- system.stateVersion = "23.11";
-
- time.timeZone = "Europe/Berlin";
-
- users.users.root.openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNsmP15vH8BVKo7bdvIiiEjiQboPGcRPqJK0+bH4jKD harald@lenovo.fritz.box"
- "sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBACLgT81iB1iWWVuXq6PdQ5GAAGhaZhSKnveQCvcNnAOZ5WKH80bZShKHyAYzrzbp8IGwLWJcZQ7TqRK+qZdfagAAAAEc3NoOg== harald@hoyer.xyz"
- "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDsb/Tr69YN5MQLweWPuJaRGm+h2kOyxfD6sqKEDTIwoAAAABHNzaDo= harald@fedora.fritz.box"
- ];
-
- virtualisation = {
- podman = {
- enable = true;
-
- # Create a `docker` alias for podman, to use it as a drop-in replacement
- dockerCompat = true;
-
- # For Nixos version > 22.11
- defaultNetwork.settings = { dns_enabled = true; };
- };
- };
 }