diff --git a/flake.lock b/flake.lock index 3d507d7..8c19496 100644 --- a/flake.lock +++ b/flake.lock @@ -503,22 +503,6 @@ "type": "github" } }, - "flake-compat_4": { - "flake": false, - "locked": { - "lastModified": 1650374568, - "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "b4a34015c698c7793d592d66adbab377907a2be8", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, "flake-parts": { "inputs": { "nixpkgs-lib": [ @@ -594,24 +578,6 @@ "type": "github" } }, - "flake-utils-plus_2": { - "inputs": { - "flake-utils": "flake-utils_5" - }, - "locked": { - "lastModified": 1696331477, - "narHash": "sha256-YkbRa/1wQWdWkVJ01JvV+75KIdM37UErqKgTf0L54Fk=", - "owner": "gytis-ivaskevicius", - "repo": "flake-utils-plus", - "rev": "bfc53579db89de750b25b0c5e7af299e0c06d7d3", - "type": "github" - }, - "original": { - "owner": "gytis-ivaskevicius", - "repo": "flake-utils-plus", - "type": "github" - } - }, "flake-utils_2": { "inputs": { "systems": "systems_2" @@ -663,24 +629,6 @@ "type": "github" } }, - "flake-utils_5": { - "inputs": { - "systems": "systems_5" - }, - "locked": { - "lastModified": 1694529238, - "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, "flutter-tools": { "flake": false, "locked": { 
@@ -1339,41 +1287,6 @@ "type": "github" } }, - "nixpkgs_5": { - "locked": { - "lastModified": 1707091808, - "narHash": "sha256-LahKBAfGbY836gtpVNnWwBTIzN7yf/uYM/S0g393r0Y=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "9f2ee8c91ac42da3ae6c6a1d21555f283458247e", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-23.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixsgx-flake": { - "inputs": { - "nixpkgs": "nixpkgs_5", - "snowfall-lib": "snowfall-lib" - }, - "locked": { - "lastModified": 1709040449, - "narHash": "sha256-NDXSUI7GTCekniW52EBvi5PlzdQ37XkrIB1oH4GrUvM=", - "owner": "matter-labs", - "repo": "nixsgx", - "rev": "2b11fbc725fbab3fbaef13490decd3f93c43ae07", - "type": "github" - }, - "original": { - "owner": "matter-labs", - "repo": "nixsgx", - "type": "github" - } - }, "nmd": { "flake": false, "locked": { @@ -1977,8 +1890,7 @@ "lanzaboote": "lanzaboote", "neovim-flake": "neovim-flake", "nixpkgs": "nixpkgs_4", - "nixsgx-flake": "nixsgx-flake", - "snowfall-lib": "snowfall-lib_2", + "snowfall-lib": "snowfall-lib", "sops-nix": "sops-nix", "unstable": "unstable" } @@ -2087,29 +1999,6 @@ "inputs": { "flake-compat": "flake-compat_3", "flake-utils-plus": "flake-utils-plus", - "nixpkgs": [ - "nixsgx-flake", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1696432959, - "narHash": "sha256-oJQZv2MYyJaVyVJY5IeevzqpGvMGKu5pZcCCJvb+xjc=", - "owner": "snowfallorg", - "repo": "lib", - "rev": "92803a029b5314d4436a8d9311d8707b71d9f0b6", - "type": "github" - }, - "original": { - "owner": "snowfallorg", - "repo": "lib", - "type": "github" - } - }, - "snowfall-lib_2": { - "inputs": { - "flake-compat": "flake-compat_4", - "flake-utils-plus": "flake-utils-plus_2", "nixpkgs": [ "nixpkgs" ] 
@@ -2242,21 +2131,6 @@ "type": "github" } }, - "systems_5": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, "tabular": { "flake": false, "locked": { diff --git a/flake.nix b/flake.nix index b2d1499..5386a2b 100644 --- a/flake.nix +++ b/flake.nix @@ -28,11 +28,6 @@ sops-nix.url = "github:Mic92/sops-nix"; sops-nix.inputs.nixpkgs.follows = "nixpkgs"; - - nixsgx-flake = { - url = "github:matter-labs/nixsgx"; - # inputs.nixpkgs.follows = "nixpkgs"; - }; }; outputs = inputs: @@ -87,10 +82,6 @@ disko.nixosModules.disko ]; - overlays = with inputs; [ - nixsgx-flake.overlays.default - ]; - outputs-builder = channels: { formatter = channels.nixpkgs.nixpkgs-fmt; defaultApp = lib.flake-utils-plus.mkApp { drv = channels.nixpkgs.home-manager; }; diff --git a/modules/nixos/nix-ld/default.nix b/modules/nixos/nix-ld/default.nix deleted file mode 100644 index 331ddef..0000000 --- a/modules/nixos/nix-ld/default.nix +++ /dev/null 
@@ -1,134 +0,0 @@ -{ options, config, lib, pkgs, ... }: - -with lib; -with lib.plusultra; -let cfg = config.plusultra.nix-ld; -in -{ - options.plusultra.nix-ld = with types; { - enable = mkBoolOpt false "Whether or not to enable nix-ld."; - }; - - config = mkIf cfg.enable { - - programs.nix-ld.enable = true; - - # Sets up all the libraries to load - programs.nix-ld.libraries = with pkgs; [ - SDL - SDL2 - SDL2_image - SDL2_mixer - SDL2_ttf - SDL_image - SDL_mixer - SDL_ttf - alsa-lib - at-spi2-atk - at-spi2-core - atk - bzip2 - cairo - cups - curlWithGnuTls - dbus - dbus-glib - desktop-file-utils - e2fsprogs - expat - flac - fontconfig - freeglut - freetype - fribidi - fuse - fuse3 - gdk-pixbuf - glew110 - glib - gmp - gst_all_1.gst-plugins-base - gst_all_1.gst-plugins-ugly - gst_all_1.gstreamer - gtk2 - harfbuzz - icu - keyutils.lib - libGL - libGLU - libappindicator-gtk2 - libcaca - libcanberra - libcap - libclang.lib - libdbusmenu - libdrm - libgcrypt - libgpg-error - libidn - libjack2 - libjpeg - libmikmod - libogg - libpng12 - libpulseaudio - librsvg - libsamplerate - libthai - libtheora - libtiff - libudev0-shim - libusb1 - libuuid - libvdpau - libvorbis - libvpx - libxcrypt-legacy - libxkbcommon - libxml2 - mesa - nspr - nss - openssl - p11-kit - pango - pixman - python3 - speex - stdenv.cc.cc - tbb - udev - vulkan-loader - wayland - xorg.libICE - xorg.libSM - xorg.libX11 - xorg.libXScrnSaver - xorg.libXcomposite - xorg.libXcursor - xorg.libXdamage - xorg.libXext - xorg.libXfixes - xorg.libXft - xorg.libXi - xorg.libXinerama - xorg.libXmu - xorg.libXrandr - xorg.libXrender - xorg.libXt - xorg.libXtst - xorg.libXxf86vm - xorg.libpciaccess - xorg.libxcb - xorg.xcbutil - xorg.xcbutilimage - xorg.xcbutilkeysyms - xorg.xcbutilrenderutil - xorg.xcbutilwm - xorg.xkeyboardconfig - xz - zlib - ]; - - }; -} diff --git a/modules/nixos/services/base/default.nix b/modules/nixos/services/base/default.nix deleted file mode 100644 index 1bc7292..0000000 
--- a/modules/nixos/services/base/default.nix
+++ /dev/null
@@ -1,120 +0,0 @@ -{ options, config, lib, pkgs, ... }: - -with lib; -with lib.plusultra; -let cfg = config.plusultra.base; -in -{ - options.plusultra.base = with types; { - enable = mkBoolOpt false "Whether or not to enable the base config."; - }; - - config = mkIf cfg.enable { - # Configure console keymap - console.keyMap = "us"; - i18n.extraLocaleSettings = { - LC_MESSAGES = "en_US.UTF-8"; - LC_TIME = "de_DE.UTF-8"; - }; - - environment = { - sessionVariables = { PATH = "$HOME/bin:$HOME/.cargo/bin"; }; - systemPackages = with pkgs; [ - age - bash - cachix - cifs-utils - clevis - delta - efibootmgr - git - git-delete-merged-branches - home-manager - htop - mosh - nixpkgs-fmt - openssl - restic - rrsync - sbctl - sops - strace - tmux - tpm2-pkcs11 - tpm2-pkcs11.out - tpm2-tools - vim - virt-manager - wget - ]; - shells = [ pkgs.fish pkgs.bash ]; - }; - - hardware = { - cpu = { - amd.updateMicrocode = lib.mkDefault true; - intel.updateMicrocode = lib.mkDefault true; - }; - enableRedistributableFirmware = lib.mkDefault true; - enableAllFirmware = true; - }; - - programs = { - dconf.enable = true; - bash = { - ## shellInit = '' - interactiveShellInit = '' - bind '"\e[A": history-search-backward' - bind '"\e[B": history-search-forward' - ''; - }; - starship.enable = true; - mosh.enable = true; - vim.defaultEditor = true; - fish.enable = true; - }; - - # powerManagement.cpuFreqGovernor = "ondemand"; - - services = { - dbus.implementation = "broker"; - dbus.packages = [ pkgs.gcr ]; - fwupd.enable = true; - openssh = { - enable = true; - settings.PermitRootLogin = "prohibit-password"; - settings.X11Forwarding = true; - }; - }; - - security = { - tpm2.enable = lib.mkDefault true; - tpm2.abrmd.enable = lib.mkDefault true; - sudo = { - enable = true; - wheelNeedsPassword = false; - }; - }; - - system.stateVersion = "23.11"; - - time.timeZone = "Europe/Berlin"; - - users.users.root.openssh.authorizedKeys.keys = [ - "ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAIMNsmP15vH8BVKo7bdvIiiEjiQboPGcRPqJK0+bH4jKD harald@lenovo.fritz.box" - "sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBACLgT81iB1iWWVuXq6PdQ5GAAGhaZhSKnveQCvcNnAOZ5WKH80bZShKHyAYzrzbp8IGwLWJcZQ7TqRK+qZdfagAAAAEc3NoOg== harald@hoyer.xyz" - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDsb/Tr69YN5MQLweWPuJaRGm+h2kOyxfD6sqKEDTIwoAAAABHNzaDo= harald@fedora.fritz.box" - ]; - - boot = { - tmp.cleanOnBoot = true; - loader = { - systemd-boot.enable = false; - efi.canTouchEfiVariables = true; - timeout = 2; - }; - initrd.systemd.enable = lib.mkDefault true; - kernelPackages = lib.mkOverride 0 pkgs.linuxPackages_latest; - }; - }; -} diff --git a/modules/nixos/services/podman/default.nix b/modules/nixos/services/podman/default.nix deleted file mode 100644 index 836eae8..0000000 --- a/modules/nixos/services/podman/default.nix +++ /dev/null @@ -1,25 +0,0 @@ -{ options, config, lib, pkgs, ... }: - -with lib; -with lib.plusultra; -let cfg = config.plusultra.podman; -in -{ - options.plusultra.podman = with types; { - enable = mkBoolOpt false "Whether or not to enable podman."; - }; - - config = mkIf cfg.enable { - virtualisation = { - podman = { - enable = true; - - # Create a `docker` alias for podman, to use it as a drop-in replacement - dockerCompat = true; - - # For Nixos version > 22.11 - defaultNetwork.settings = { dns_enabled = true; }; - }; - }; - }; -} diff --git a/modules/nixos/services/secureboot/default.nix b/modules/nixos/services/secureboot/default.nix deleted file mode 100644 index e76b4d0..0000000 --- a/modules/nixos/services/secureboot/default.nix +++ /dev/null 
@@ -1,21 +0,0 @@
-{ options, config, lib, pkgs, ... }:
-
-with lib;
-with lib.plusultra;
-let cfg = config.plusultra.secureboot;
-in
-{
- options.plusultra.secureboot = with types; {
- enable = mkBoolOpt false "Whether or not to enable secureboot.";
- };
-
- config = mkIf cfg.enable {
- boot = {
- lanzaboote = {
- enable = true;
- pkiBundle = "/etc/secureboot";
- };
- loader.systemd-boot.enable = lib.mkForce false;
- };
- };
-}
diff --git a/modules/nixos/sgx/pccs/default.nix b/modules/nixos/sgx/pccs/default.nix
deleted file mode 100644
index 5cd540a..0000000
--- a/modules/nixos/sgx/pccs/default.nix
+++ /dev/null
@@ -1,69 +0,0 @@ -{ options, config, lib, pkgs, ... }: - -with lib; -with lib.plusultra; -let - cfg = config.plusultra.pccs; - cfg_podman = config.plusultra.podman; -in -{ - options.plusultra.pccs = with types; { - enable = mkBoolOpt false "Whether or not to enable a SGX-DCAP."; - secret = mkOption { - type = with types; nullOr path; - default = null; - example = literalExpression "config.sops.secrets.pccs.path"; - description = lib.mdDoc "path to the pccs secret file"; - }; - }; - - config = mkIf cfg.enable { - assertions = [ - { - assertion = cfg.secret != null; - message = "path to the pccs secret file is required when pccs is enabled"; - } - { - assertion = cfg_podman.enable; - message = "podman must be enabled when pccs is enabled"; - } - ]; - - plusultra = { - nix.extra-substituters = { - "https://nixsgx.cachix.org".key = "nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE="; - }; - }; - - virtualisation.oci-containers.backend = "podman"; - virtualisation.oci-containers.containers = { - # podman run --pull=always --name pccs -it --rm -v /dev/log:/dev/log --secret PCCS_CONFIG,type=mount -p 8081:8081 registry.gitlab.com/haraldh/pccs:pccs_1_19 - pccs = { - image = "docker.io/backslashhh/pccs:dcap_1_19"; - autoStart = true; - ports = [ "8081:8081" ]; - extraOptions = [ - "--volume=/dev/log:/dev/log" - "--secret=PCCS_CONFIG,type=mount" - ]; - }; - }; - - systemd.services.pccs-secret = - { - description = "Inject pccs secret"; - wantedBy = [ "multi-user.target" ]; - before = [ "podman-pccs.service" ]; - - serviceConfig = { - EnvironmentFile = cfg.secret; - ExecStart = '' - -${pkgs.podman}/bin/podman secret create --env PCCS_CONFIG PCCS_CONFIG - ''; - RemainAfterExit = true; - }; - }; - - - }; -} diff --git a/overlays/jetbrains-toolbox/default.nix b/overlays/jetbrains-toolbox/default.nix index 94485f7..e5429aa 100644 --- a/overlays/jetbrains-toolbox/default.nix +++ b/overlays/jetbrains-toolbox/default.nix 
@@ -1,5 +1,7 @@ { channels, ... }: + final: prev: + { inherit (channels.unstable) jetbrains-toolbox; } diff --git a/overlays/nixsgx/default.nix b/overlays/nixsgx/default.nix deleted file mode 100644 index 66b492e..0000000 --- a/overlays/nixsgx/default.nix +++ /dev/null @@ -1,5 +0,0 @@ -{ channels, ... }: -final: prev: -{ - inherit (channels.nixpkgs.nixsgx) sgx-psw; -} diff --git a/systems/x86_64-linux/sgx/default.nix b/systems/x86_64-linux/sgx/default.nix index 24f31e8..b53b40a 100644 --- a/systems/x86_64-linux/sgx/default.nix +++ b/systems/x86_64-linux/sgx/default.nix @@ -2,19 +2,13 @@ with lib; with lib.plusultra; { - imports = [ ./hardware-configuration.nix ]; + imports = + [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; - plusultra = { - base.enable = true; - gui.enable = false; - nix-ld.enable = true; - nix.enable = true; - nix.extra-substituters."https://nixsgx.cachix.org".key = "nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE="; - pccs.enable = true; - pccs.secret = config.sops.secrets.pccs.path; - podman.enable = true; - secureboot.enable = true; - }; + networking.hostName = "sgx"; # Define your hostname. system.autoUpgrade = { enable = true; 
@@ -29,20 +23,288 @@ with lib.plusultra; flake = "git+https://git.hoyer.xyz/harald/nixcfg#sgx"; }; - networking.hostName = "sgx"; # Define your hostname. - - security.tpm2.enable = false; - security.tpm2.abrmd.enable = false; - sops.secrets.pccs = { sopsFile = ../../../.secrets/sgx/pccs.yaml; # bring your own password file }; networking.wireless.enable = false; # Enables wireless support via wpa_supplicant. - services.aesmd.enable = true; + plusultra.gui.enable = false; + plusultra.nix.enable = true; + plusultra.nix.extra-substituters = { + "https://nixsgx.cachix.org".key = "nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE="; + }; + + boot = { + lanzaboote = { + enable = true; + pkiBundle = "/etc/secureboot"; + }; + tmp.cleanOnBoot = true; + loader = { + systemd-boot.enable = false; + efi.canTouchEfiVariables = true; + timeout = 2; + }; + initrd.systemd.enable = true; + kernelPackages = lib.mkOverride 0 pkgs.linuxPackages_latest; + }; + + + # Configure console keymap + console.keyMap = "us"; + i18n.extraLocaleSettings = { + LC_MESSAGES = "en_US.UTF-8"; + LC_TIME = "de_DE.UTF-8"; + }; + + environment = { + sessionVariables = { PATH = "$HOME/bin:$HOME/.cargo/bin"; }; + systemPackages = with pkgs; [ + age + bash + cachix + cifs-utils + clevis + delta + efibootmgr + git + git-delete-merged-branches + home-manager + htop + mosh + nixpkgs-fmt + openssl + restic + rrsync + sbctl + sops + strace + tmux + tpm2-pkcs11 + tpm2-pkcs11.out + tpm2-tools + vim + virt-manager + wget + ]; + shells = [ pkgs.fish pkgs.bash ]; + }; + + hardware = { + cpu = { + amd.updateMicrocode = lib.mkDefault true; + intel.updateMicrocode = lib.mkDefault true; + }; + enableRedistributableFirmware = lib.mkDefault true; + enableAllFirmware = true; + }; + + programs = { + dconf.enable = true; + bash = { + ## shellInit = '' + interactiveShellInit = '' + bind '"\e[A": history-search-backward' + bind '"\e[B": history-search-forward' + ''; + }; + starship.enable = true; + mosh.enable = true; 
+ vim.defaultEditor = true; + fish.enable = true; + }; powerManagement.cpuFreqGovernor = "ondemand"; + services = { + dbus.implementation = "broker"; + dbus.packages = [ pkgs.gcr ]; + fwupd.enable = true; + openssh = { + enable = true; + settings.PermitRootLogin = "prohibit-password"; + settings.X11Forwarding = true; + }; + }; + + security = { + sudo = { + enable = true; + wheelNeedsPassword = false; + }; + }; + system.stateVersion = "23.11"; + + time.timeZone = "Europe/Berlin"; + + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNsmP15vH8BVKo7bdvIiiEjiQboPGcRPqJK0+bH4jKD harald@lenovo.fritz.box" + "sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBACLgT81iB1iWWVuXq6PdQ5GAAGhaZhSKnveQCvcNnAOZ5WKH80bZShKHyAYzrzbp8IGwLWJcZQ7TqRK+qZdfagAAAAEc3NoOg== harald@hoyer.xyz" + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDsb/Tr69YN5MQLweWPuJaRGm+h2kOyxfD6sqKEDTIwoAAAABHNzaDo= harald@fedora.fritz.box" + ]; + + virtualisation = { + podman = { + enable = true; + + # Create a `docker` alias for podman, to use it as a drop-in replacement + dockerCompat = true; + + # For Nixos version > 22.11 + defaultNetwork.settings = { dns_enabled = true; }; + }; + }; + + virtualisation.oci-containers.backend = "podman"; + virtualisation.oci-containers.containers = { + + # podman run --pull=always --name pccs -it --rm -v /dev/log:/dev/log --secret PCCS_CONFIG,type=mount -p 8081:8081 registry.gitlab.com/haraldh/pccs:dcap_1_19 + pccs = { + image = "registry.gitlab.com/haraldh/pccs:dcap_1_19"; + autoStart = true; + ports = [ "8081:8081" ]; + extraOptions = [ + "--volume=/dev/log:/dev/log" + "--secret=PCCS_CONFIG,type=mount" + ]; + }; + }; + + systemd.services.pccs-secret = + { + description = "Inject pccs secret"; + wantedBy = [ "multi-user.target" ]; + before = [ "podman-pccs.service" ]; + + serviceConfig = { + EnvironmentFile = config.sops.secrets.pccs.path; + ExecStart 
= '' + -${pkgs.podman}/bin/podman secret create --env PCCS_CONFIG PCCS_CONFIG + ''; + RemainAfterExit = true; + }; + }; + + + programs.nix-ld.enable = true; + + # Sets up all the libraries to load + programs.nix-ld.libraries = with pkgs; [ + SDL + SDL2 + SDL2_image + SDL2_mixer + SDL2_ttf + SDL_image + SDL_mixer + SDL_ttf + alsa-lib + at-spi2-atk + at-spi2-core + atk + bzip2 + cairo + cups + curlWithGnuTls + dbus + dbus-glib + desktop-file-utils + e2fsprogs + expat + flac + fontconfig + freeglut + freetype + fribidi + fuse + fuse3 + gdk-pixbuf + glew110 + glib + gmp + gst_all_1.gst-plugins-base + gst_all_1.gst-plugins-ugly + gst_all_1.gstreamer + gtk2 + harfbuzz + icu + keyutils.lib + libGL + libGLU + libappindicator-gtk2 + libcaca + libcanberra + libcap + libclang.lib + libdbusmenu + libdrm + libgcrypt + libgpg-error + libidn + libjack2 + libjpeg + libmikmod + libogg + libpng12 + libpulseaudio + librsvg + libsamplerate + libthai + libtheora + libtiff + libudev0-shim + libusb1 + libuuid + libvdpau + libvorbis + libvpx + libxcrypt-legacy + libxkbcommon + libxml2 + mesa + nspr + nss + openssl + p11-kit + pango + pixman + python3 + speex + stdenv.cc.cc + tbb + udev + vulkan-loader + wayland + xorg.libICE + xorg.libSM + xorg.libX11 + xorg.libXScrnSaver + xorg.libXcomposite + xorg.libXcursor + xorg.libXdamage + xorg.libXext + xorg.libXfixes + xorg.libXft + xorg.libXi + xorg.libXinerama + xorg.libXmu + xorg.libXrandr + xorg.libXrender + xorg.libXt + xorg.libXtst + xorg.libXxf86vm + xorg.libpciaccess + xorg.libxcb + xorg.xcbutil + xorg.xcbutilimage + xorg.xcbutilkeysyms + xorg.xcbutilrenderutil + xorg.xcbutilwm + xorg.xkeyboardconfig + xz + zlib + ]; + } diff --git a/systems/x86_64-linux/sgx/hardware-configuration.nix b/systems/x86_64-linux/sgx/hardware-configuration.nix index 0afa72d..11bc10f 100644 --- a/systems/x86_64-linux/sgx/hardware-configuration.nix +++ b/systems/x86_64-linux/sgx/hardware-configuration.nix 
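Review bot: In the new `systemd.services.pccs-secret` block the `ExecStart` command is prefixed with `-`, so a failing `podman secret create` is ignored; since that command fails once a secret named `PCCS_CONFIG` already exists, a rotated value in `config.sops.secrets.pccs.path` is never picked up and the container keeps using the stale secret. Consider removing the previous secret first, e.g. `ExecStartPre = "-${pkgs.podman}/bin/podman secret rm PCCS_CONFIG";`, and dropping the `-` from `ExecStart` so a genuine failure becomes visible in the unit status. The `pccs` container is pulled by the mutable tag `registry.gitlab.com/haraldh/pccs:dcap_1_19` and started with `autoStart = true`; pinning the image by digest would make what actually runs on this host reproducible and auditable. `ports = [ "8081:8081" ]` publishes the service on all interfaces; if only local DCAP clients need it (I cannot see the intended consumers from here), `"127.0.0.1:8081:8081"` narrows the exposure. The hunk also drops `services.aesmd.enable = true;` together with the nixsgx overlay, so if this host is still expected to produce quotes, confirm that removal is intended rather than a side effect of the module cleanup.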
@@ -5,8 +5,7 @@ { imports = - [ - (modulesPath + "/installer/scan/not-detected.nix") + [ (modulesPath + "/installer/scan/not-detected.nix") ]; boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "uas" "sd_mod" ]; @@ -17,20 +16,19 @@ boot.extraModprobeConfig = "options kvm_intel nested=1"; fileSystems."/" = - { - device = "/dev/disk/by-uuid/7aa17b01-785e-41c6-9723-79195af906c6"; + { device = "/dev/disk/by-uuid/7aa17b01-785e-41c6-9723-79195af906c6"; fsType = "btrfs"; options = [ "subvol=@" ]; }; fileSystems."/boot" = - { - device = "/dev/disk/by-uuid/C902-1AF5"; + { device = "/dev/disk/by-uuid/C902-1AF5"; fsType = "vfat"; }; swapDevices = - [{ device = "/dev/disk/by-uuid/72d061d7-ab18-47b9-beb1-1c465dda1be9"; }]; + [ { device = "/dev/disk/by-uuid/72d061d7-ab18-47b9-beb1-1c465dda1be9"; } + ]; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's diff --git a/systems/x86_64-linux/x1/default.nix b/systems/x86_64-linux/x1/default.nix index a63875f..f643648 100644 --- a/systems/x86_64-linux/x1/default.nix +++ b/systems/x86_64-linux/x1/default.nix @@ -2,17 +2,11 @@ with lib; with lib.plusultra; { - imports = [ ./hardware-configuration.nix ]; - - plusultra = { - base.enable = true; - gui.enable = true; - nix-ld.enable = true; - nix.enable = true; - nix.extra-substituters."https://nixsgx.cachix.org".key = "nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE="; - podman.enable = true; - secureboot.enable = true; - }; + imports = + [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; system.autoUpgrade = { enable = true; 
@@ -27,5 +21,253 @@ with lib.plusultra; flake = "git+https://git.hoyer.xyz/harald/nixcfg#x1"; }; + plusultra.gui.enable = true; + plusultra.nix.enable = true; + plusultra.nix.extra-substituters = { + "https://nixsgx.cachix.org".key = "nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE="; + }; + + boot = { + lanzaboote = { + enable = true; + pkiBundle = "/etc/secureboot"; + }; + tmp.cleanOnBoot = true; + loader = { + systemd-boot.enable = false; + efi.canTouchEfiVariables = true; + timeout = 2; + }; + initrd.systemd.enable = true; + kernelPackages = lib.mkOverride 0 pkgs.linuxPackages_latest; + }; + + + # Configure console keymap + console.keyMap = "us"; + i18n.extraLocaleSettings = { + LC_MESSAGES = "en_US.UTF-8"; + LC_TIME = "de_DE.UTF-8"; + }; + + environment = { + sessionVariables = { PATH = "$HOME/bin:$HOME/.cargo/bin"; }; + systemPackages = with pkgs; [ + age + bash + cachix + cifs-utils + clevis + delta + efibootmgr + git + git-delete-merged-branches + home-manager + htop + mosh + nixpkgs-fmt + openssl + restic + rrsync + sbctl + sops + strace + tmux + tpm2-pkcs11 + tpm2-pkcs11.out + tpm2-tools + vim + virt-manager + wget + ]; + shells = [ pkgs.fish pkgs.bash ]; + }; + + hardware = { + cpu = { + amd.updateMicrocode = lib.mkDefault true; + intel.updateMicrocode = lib.mkDefault true; + }; + enableRedistributableFirmware = lib.mkDefault true; + enableAllFirmware = true; + }; + + programs = { + dconf.enable = true; + bash = { + ## shellInit = '' + interactiveShellInit = '' + bind '"\e[A": history-search-backward' + bind '"\e[B": history-search-forward' + ''; + }; + starship.enable = true; + mosh.enable = true; + vim.defaultEditor = true; + fish.enable = true; + }; + + # powerManagement.cpuFreqGovernor = "ondemand"; + + services = { + dbus.implementation = "broker"; + dbus.packages = [ pkgs.gcr ]; + fwupd.enable = true; + openssh = { + enable = true; + settings.PermitRootLogin = "prohibit-password"; + settings.X11Forwarding = true; + }; + }; + + 
security = { + tpm2.enable = lib.mkDefault true; + tpm2.abrmd.enable = lib.mkDefault true; + sudo = { + enable = true; + wheelNeedsPassword = false; + }; + }; + system.stateVersion = "23.11"; + + time.timeZone = "Europe/Berlin"; + + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNsmP15vH8BVKo7bdvIiiEjiQboPGcRPqJK0+bH4jKD harald@lenovo.fritz.box" + "sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBACLgT81iB1iWWVuXq6PdQ5GAAGhaZhSKnveQCvcNnAOZ5WKH80bZShKHyAYzrzbp8IGwLWJcZQ7TqRK+qZdfagAAAAEc3NoOg== harald@hoyer.xyz" + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDsb/Tr69YN5MQLweWPuJaRGm+h2kOyxfD6sqKEDTIwoAAAABHNzaDo= harald@fedora.fritz.box" + ]; + + virtualisation = { + podman = { + enable = true; + + # Create a `docker` alias for podman, to use it as a drop-in replacement + dockerCompat = true; + + # For Nixos version > 22.11 + defaultNetwork.settings = { dns_enabled = true; }; + }; + }; + + programs.nix-ld.enable = true; + + # Sets up all the libraries to load + programs.nix-ld.libraries = with pkgs; [ + SDL + SDL2 + SDL2_image + SDL2_mixer + SDL2_ttf + SDL_image + SDL_mixer + SDL_ttf + alsa-lib + at-spi2-atk + at-spi2-core + atk + bzip2 + cairo + cups + curlWithGnuTls + dbus + dbus-glib + desktop-file-utils + e2fsprogs + expat + flac + fontconfig + freeglut + freetype + fribidi + fuse + fuse3 + gdk-pixbuf + glew110 + glib + gmp + gst_all_1.gst-plugins-base + gst_all_1.gst-plugins-ugly + gst_all_1.gstreamer + gtk2 + harfbuzz + icu + keyutils.lib + libGL + libGLU + libappindicator-gtk2 + libcaca + libcanberra + libcap + libclang.lib + libdbusmenu + libdrm + libgcrypt + libgpg-error + libidn + libjack2 + libjpeg + libmikmod + libogg + libpng12 + libpulseaudio + librsvg + libsamplerate + libthai + libtheora + libtiff + libudev0-shim + libusb1 + libuuid + libvdpau + libvorbis + libvpx + libxcrypt-legacy + libxkbcommon + libxml2 + mesa + nspr 
+ nss + openssl + p11-kit + pango + pixman + python3 + speex + stdenv.cc.cc + tbb + udev + vulkan-loader + wayland + xorg.libICE + xorg.libSM + xorg.libX11 + xorg.libXScrnSaver + xorg.libXcomposite + xorg.libXcursor + xorg.libXdamage + xorg.libXext + xorg.libXfixes + xorg.libXft + xorg.libXi + xorg.libXinerama + xorg.libXmu + xorg.libXrandr + xorg.libXrender + xorg.libXt + xorg.libXtst + xorg.libXxf86vm + xorg.libpciaccess + xorg.libxcb + xorg.xcbutil + xorg.xcbutilimage + xorg.xcbutilkeysyms + xorg.xcbutilrenderutil + xorg.xcbutilwm + xorg.xkeyboardconfig + xz + zlib + ]; + }
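Review bot: The roughly 250 lines added here (boot, environment, programs, services, root `authorizedKeys`, and the full `programs.nix-ld.libraries` list) are a near-verbatim copy of the block added to `systems/x86_64-linux/sgx/default.nix` in the same commit, so the two hosts will drift the first time one of them is edited; a shared module like the deleted `plusultra.base` / `nix-ld` ones, or a common file both systems import, would keep them in sync. The inlined policy lines `sudo.wheelNeedsPassword = false;` and `openssh.settings.X11Forwarding = true;` are carried over from the deleted base module, but now that they sit in a per-host file a short comment such as `# intentional: passwordless sudo for wheel on this host` would record that they are deliberate rather than a copy-paste artifact. `kernelPackages = lib.mkOverride 0 pkgs.linuxPackages_latest;` uses the highest possible priority, which will silently win over any later `lib.mkForce`; plain `lib.mkForce` (priority 50) already overrides module defaults and leaves room for a targeted override if one is ever needed.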