From a0dbd474a413a352929fa235deaa589306c600d2 Mon Sep 17 00:00:00 2001
From: Harald Hoyer
Date: Wed, 6 Mar 2024 11:00:56 +0100
Subject: [PATCH] add sgx machine
Signed-off-by: Harald Hoyer
---
 flake.nix | 4 +
 homes/x86_64-linux/harald@sgx/default.nix | 64 ++++
 systems/x86_64-linux/sgx/default.nix | 276 ++++++++++++++++++
 .../sgx/hardware-configuration.nix | 43 +++
 4 files changed, 387 insertions(+)
 create mode 100644 homes/x86_64-linux/harald@sgx/default.nix
 create mode 100644 systems/x86_64-linux/sgx/default.nix
 create mode 100644 systems/x86_64-linux/sgx/hardware-configuration.nix
diff --git a/flake.nix b/flake.nix
index 3fdf618..1d24835 100644
--- a/flake.nix
+++ b/flake.nix
@@ -60,6 +60,10 @@
 neovim-flake.homeManagerModules.default
 ];
+ homes.users."harald@sgx".modules = with inputs; [
+ neovim-flake.homeManagerModules.default
+ ];
+
+ homes.users."harald@mpro.fritz.box".modules = with inputs; [
+ neovim-flake.homeManagerModules.default
+ ];
diff --git a/homes/x86_64-linux/harald@sgx/default.nix b/homes/x86_64-linux/harald@sgx/default.nix
new file mode 100644
index 0000000..b56064c
--- /dev/null
+++ b/homes/x86_64-linux/harald@sgx/default.nix
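Review bot: The added `homes.users."harald@sgx".modules` entry is a third verbatim copy of the same one-element list (`with inputs; [ neovim-flake.homeManagerModules.default ]`), so every new host grows the duplication in this attribute set. Binding that list once (for example in a `let` above the `homes.users` entries) and referencing it from each host would keep the per-host lines down to one. The enclosing attribute set starts and ends outside this hunk, so the exact placement of such a binding cannot be judged from here.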
@@ -0,0 +1,64 @@
+{ config
+, ...
+}:
+{
+ home.sessionPath = [ "$HOME/bin" ];
+
+ plusultra = {
+ user = {
+ enable = true;
+ name = config.snowfallorg.user.name;
+ };
+ cli-apps = {
+ bash.enable = true;
+ fish.enable = true;
+ neovim.enable = true;
+ bat.enable = true;
+ starship.enable = true;
+ home-manager.enable = true;
+ };
+ tools = {
+ git.enable = true;
+ direnv.enable = true;
+ };
+ };
+
+ fonts.fontconfig.enable = true;
+
+ dconf.settings = {
+ # ...
+ "org/gnome/shell" = {
+ disable-user-extensions = false;
+
+ # `gnome-extensions list` for a list
+ enabled-extensions = [
+ "Vitals@CoreCoding.com"
+ "appindicatorsupport@rgcjonas.gmail.com"
+ "dash-to-panel@jderose9.github.com"
+ "hibernate-status@dromi"
+ ];
+
+ favorite-apps = [
+ "org.gnome.Console.desktop"
+ "jetbrains-toolbox.desktop"
+ "org.mozilla.firefox.desktop"
+ "firefox.desktop"
+ "thunderbird.desktop"
+ "org.mozilla.Thunderbird.desktop"
+ "slack.desktop"
+ "keybase.desktop"
+ "spotify.desktop"
+ "org.gnome.Nautilus.desktop"
+ "virt-manager.desktop"
+ ];
+ };
+ "org/virt-manager/virt-manager/connections" = {
+ autoconnect = [ "qemu:///system" ];
+ uris = [ "qemu:///system" ];
+ };
+ };
+
+ xdg.enable = true;
+ xdg.mime.enable = true;
+}
+
diff --git a/systems/x86_64-linux/sgx/default.nix b/systems/x86_64-linux/sgx/default.nix
new file mode 100644
index 0000000..7141861
--- /dev/null
+++ b/systems/x86_64-linux/sgx/default.nix
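Review bot: The whole `dconf.settings` block configures GNOME Shell extensions and a `favorite-apps` launcher list, yet the matching system file in this same patch sets `plusultra.gui.enable = false;`, so this part of the home config looks copied from a desktop host and is presumably inert here. If a desktop is never intended on this machine, dropping the `"org/gnome/shell"` attribute set keeps the file honest; if it is kept for parity with the other hosts, a comment such as `# GNOME settings shared with the desktop hosts; only effective when a desktop is enabled` above `dconf.settings` would explain why. The `"org/virt-manager/virt-manager/connections"` entry is consistent with `virt-manager` being installed system-wide and can stay.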
@@ -0,0 +1,276 @@
+{ pkgs, lib, ... }:
+with lib;
+with lib.plusultra;
+{
+ imports =
+ [
+ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ];
+
+ networking.hostName = "sgx"; # Define your hostname.
+
+ system.autoUpgrade = {
+ enable = true;
+ operation = "boot";
+ allowReboot = false;
+ flags = [
+ "--update-input"
+ "nixpkgs"
+ "--update-input"
+ "unstable"
+ ];
+ flake = "git+https://git.hoyer.xyz/harald/nixcfg#sgx";
+ };
+
+ plusultra.gui.enable = false;
+ plusultra.nix.enable = true;
+ plusultra.nix.extra-substituters = {
+ "https://nixsgx.cachix.org".key = "nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE=";
+ };
+
+ boot = {
+ lanzaboote = {
+ enable = true;
+ pkiBundle = "/etc/secureboot";
+ };
+ tmp.cleanOnBoot = true;
+ loader = {
+ systemd-boot.enable = false;
+ efi.canTouchEfiVariables = true;
+ timeout = 2;
+ };
+ initrd.systemd.enable = true;
+ kernelPackages = lib.mkOverride 0 pkgs.linuxPackages_latest;
+ };
+
+
+ # Configure console keymap
+ console.keyMap = "us";
+ i18n.extraLocaleSettings = {
+ LC_MESSAGES = "en_US.UTF-8";
+ LC_TIME = "de_DE.UTF-8";
+ };
+
+ environment = {
+ sessionVariables = { PATH = "$HOME/bin:$HOME/.cargo/bin"; };
+ systemPackages = with pkgs; [
+ age
+ bash
+ cachix
+ cifs-utils
+ clevis
+ delta
+ efibootmgr
+ git
+ git-delete-merged-branches
+ home-manager
+ htop
+ mosh
+ nixpkgs-fmt
+ openssl
+ restic
+ rrsync
+ sbctl
+ sops
+ strace
+ tmux
+ tpm2-pkcs11
+ tpm2-pkcs11.out
+ tpm2-tools
+ vim
+ virt-manager
+ wget
+ ];
+ shells = [ pkgs.fish pkgs.bash ];
+ };
+
+ hardware = {
+ cpu = {
+ amd.updateMicrocode = lib.mkDefault true;
+ intel.updateMicrocode = lib.mkDefault true;
+ };
+ enableRedistributableFirmware = lib.mkDefault true;
+ enableAllFirmware = true;
+ };
+
+ programs = {
+ dconf.enable = true;
+ bash = {
+ ## shellInit = ''
+ interactiveShellInit = ''
+ bind '"\e[A": history-search-backward'
+ bind '"\e[B": history-search-forward'
+ '';
+ };
+ starship.enable = true;
+ mosh.enable = true;
+ vim.defaultEditor = true;
+ fish.enable = true;
+ };
+
+ powerManagement.cpuFreqGovernor = "ondemand";
+
+ services = {
+ dbus.implementation = "broker";
+ dbus.packages = [ pkgs.gcr ];
+ fail2ban.enable = false;
+ fwupd.enable = true;
+ openssh = {
+ enable = true;
+ settings.PermitRootLogin = "prohibit-password";
+ settings.X11Forwarding = true;
+ };
+ };
+
+ security = {
+ tpm2.enable = lib.mkDefault true;
+ tpm2.abrmd.enable = lib.mkDefault true;
+ sudo = {
+ enable = true;
+ wheelNeedsPassword = false;
+ };
+ };
+
+ system.stateVersion = "23.11";
+
+ time.timeZone = "Europe/Berlin";
+
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNsmP15vH8BVKo7bdvIiiEjiQboPGcRPqJK0+bH4jKD harald@lenovo.fritz.box"
+ "sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBACLgT81iB1iWWVuXq6PdQ5GAAGhaZhSKnveQCvcNnAOZ5WKH80bZShKHyAYzrzbp8IGwLWJcZQ7TqRK+qZdfagAAAAEc3NoOg== harald@hoyer.xyz"
+ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDsb/Tr69YN5MQLweWPuJaRGm+h2kOyxfD6sqKEDTIwoAAAABHNzaDo= harald@fedora.fritz.box"
+ ];
+
+ virtualisation = {
+ podman = {
+ enable = true;
+
+ # Create a `docker` alias for podman, to use it as a drop-in replacement
+ dockerCompat = true;
+
+ # For Nixos version > 22.11
+ defaultNetwork.settings = { dns_enabled = true; };
+ };
+ };
+
+ programs.nix-ld.enable = true;
+
+ # Sets up all the libraries to load
+ programs.nix-ld.libraries = with pkgs; [
+ SDL
+ SDL2
+ SDL2_image
+ SDL2_mixer
+ SDL2_ttf
+ SDL_image
+ SDL_mixer
+ SDL_ttf
+ alsa-lib
+ at-spi2-atk
+ at-spi2-core
+ atk
+ bzip2
+ cairo
+ cups
+ curlWithGnuTls
+ dbus
+ dbus-glib
+ desktop-file-utils
+ e2fsprogs
+ expat
+ flac
+ fontconfig
+ freeglut
+ freetype
+ fribidi
+ fuse
+ fuse3
+ gdk-pixbuf
+ glew110
+ glib
+ gmp
+ gst_all_1.gst-plugins-base
+ gst_all_1.gst-plugins-ugly
+ gst_all_1.gstreamer
+ gtk2
+ harfbuzz
+ icu
+ keyutils.lib
+ libGL
+ libGLU
+ libappindicator-gtk2
+ libcaca
+ libcanberra
+ libcap
+ libclang.lib
+ libdbusmenu
+ libdrm
+ libgcrypt
+ libgpg-error
+ libidn
+ libjack2
+ libjpeg
+ libmikmod
+ libogg
+ libpng12
+ libpulseaudio
+ librsvg
+ libsamplerate
+ libthai
+ libtheora
+ libtiff
+ libudev0-shim
+ libusb1
+ libuuid
+ libvdpau
+ libvorbis
+ libvpx
+ libxcrypt-legacy
+ libxkbcommon
+ libxml2
+ mesa
+ nspr
+ nss
+ openssl
+ p11-kit
+ pango
+ pixman
+ python3
+ speex
+ stdenv.cc.cc
+ tbb
+ udev
+ vulkan-loader
+ wayland
+ xorg.libICE
+ xorg.libSM
+ xorg.libX11
+ xorg.libXScrnSaver
+ xorg.libXcomposite
+ xorg.libXcursor
+ xorg.libXdamage
+ xorg.libXext
+ xorg.libXfixes
+ xorg.libXft
+ xorg.libXi
+ xorg.libXinerama
+ xorg.libXmu
+ xorg.libXrandr
+ xorg.libXrender
+ xorg.libXt
+ xorg.libXtst
+ xorg.libXxf86vm
+ xorg.libpciaccess
+ xorg.libxcb
+ xorg.xcbutil
+ xorg.xcbutilimage
+ xorg.xcbutilkeysyms
+ xorg.xcbutilrenderutil
+ xorg.xcbutilwm
+ xorg.xkeyboardconfig
+ xz
+ zlib
+ ];
+
+}
diff --git a/systems/x86_64-linux/sgx/hardware-configuration.nix b/systems/x86_64-linux/sgx/hardware-configuration.nix
new file mode 100644
index 0000000..2775403
--- /dev/null
+++ b/systems/x86_64-linux/sgx/hardware-configuration.nix
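Review bot: `settings.X11Forwarding = true;` in the `services.openssh` block is enabled on a host that sets `plusultra.gui.enable = false;` earlier in the same file, so there appears to be no local X session to serve and the option only widens what sshd exposes to connecting clients; unless a remote X client is really needed on this box, change it to `settings.X11Forwarding = false;`. In the `security.sudo` block, `wheelNeedsPassword = false;` makes every wheel member root-equivalent without a second factor, which together with key-only root SSH (`PermitRootLogin = "prohibit-password"`) and `fail2ban.enable = false;` may be a deliberate single-user choice, but it deserves a one-line comment stating that intent, e.g. `# single-user host: wheel is trusted as root-equivalent by design`. `kernelPackages = lib.mkOverride 0 pkgs.linuxPackages_latest;` uses priority 0, which outranks even `lib.mkForce`; if the goal is only to beat a default set by the `plusultra` modules, `lib.mkForce` is the conventional form and a comment should name what is being overridden. Despite the hostname, nothing in this file enables SGX support itself (for example `hardware.cpu.intel.sgx.provision.enable`); if the `plusultra` modules or the `nixsgx.cachix.org` substituter are what provide it, a comment next to that substituter entry would make the dependency visible.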
@@ -0,0 +1,43 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "uas" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+ boot.blacklistedKernelModules = [ "iwlwifi" "snd_hda_intel" "hdaudio" "btintel" "bluetooth" ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/7aa17b01-785e-41c6-9723-79195af906c6";
+ fsType = "btrfs";
+ options = [ "subvol=@" ];
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/C902-1AF5";
+ fsType = "vfat";
+ };
+
+ swapDevices =
+ [ { device = "/dev/disk/by-uuid/72d061d7-ab18-47b9-beb1-1c465dda1be9"; }
+ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlp1s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}