harald/nixcfg
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Compare commits

base: harald:9a36e90cd49d633df9912c0503e95056e63572f9
Branches Tags
harald:main
harald:b24.05
..
compare: harald:ca7f3fb9737bde17e3ffd13bc55a375d332593f2
Branches Tags
harald:main
harald:b24.05

No commits in common. "9a36e90cd49d633df9912c0503e95056e63572f9" and "ca7f3fb9737bde17e3ffd13bc55a375d332593f2" have entirely different histories.
9a36e90cd4 ... ca7f3fb973

12 changed files with 541 additions and 546 deletions
Show stats Expand all files Collapse all files

128
flake.lock
View file

@ -503,22 +503,6 @@
"type": "github" "type": "github"
} }
}, },
"flake-compat_4": {
"flake": false,
"locked": {
"lastModified": 1650374568,
"narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "b4a34015c698c7793d592d66adbab377907a2be8",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": { "flake-parts": {
"inputs": { "inputs": {
"nixpkgs-lib": [ "nixpkgs-lib": [
@ -594,24 +578,6 @@
"type": "github" "type": "github"
} }
}, },
"flake-utils-plus_2": {
"inputs": {
"flake-utils": "flake-utils_5"
},
"locked": {
"lastModified": 1696331477,
"narHash": "sha256-YkbRa/1wQWdWkVJ01JvV+75KIdM37UErqKgTf0L54Fk=",
"owner": "gytis-ivaskevicius",
"repo": "flake-utils-plus",
"rev": "bfc53579db89de750b25b0c5e7af299e0c06d7d3",
"type": "github"
},
"original": {
"owner": "gytis-ivaskevicius",
"repo": "flake-utils-plus",
"type": "github"
}
},
"flake-utils_2": { "flake-utils_2": {
"inputs": { "inputs": {
"systems": "systems_2" "systems": "systems_2"
@ -663,24 +629,6 @@
"type": "github" "type": "github"
} }
}, },
"flake-utils_5": {
"inputs": {
"systems": "systems_5"
},
"locked": {
"lastModified": 1694529238,
"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flutter-tools": { "flutter-tools": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -1339,41 +1287,6 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_5": {
"locked": {
"lastModified": 1707091808,
"narHash": "sha256-LahKBAfGbY836gtpVNnWwBTIzN7yf/uYM/S0g393r0Y=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "9f2ee8c91ac42da3ae6c6a1d21555f283458247e",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixsgx-flake": {
"inputs": {
"nixpkgs": "nixpkgs_5",
"snowfall-lib": "snowfall-lib"
},
"locked": {
"lastModified": 1709040449,
"narHash": "sha256-NDXSUI7GTCekniW52EBvi5PlzdQ37XkrIB1oH4GrUvM=",
"owner": "matter-labs",
"repo": "nixsgx",
"rev": "2b11fbc725fbab3fbaef13490decd3f93c43ae07",
"type": "github"
},
"original": {
"owner": "matter-labs",
"repo": "nixsgx",
"type": "github"
}
},
"nmd": { "nmd": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -1977,8 +1890,7 @@
"lanzaboote": "lanzaboote", "lanzaboote": "lanzaboote",
"neovim-flake": "neovim-flake", "neovim-flake": "neovim-flake",
"nixpkgs": "nixpkgs_4", "nixpkgs": "nixpkgs_4",
"nixsgx-flake": "nixsgx-flake", "snowfall-lib": "snowfall-lib",
"snowfall-lib": "snowfall-lib_2",
"sops-nix": "sops-nix", "sops-nix": "sops-nix",
"unstable": "unstable" "unstable": "unstable"
} }
@ -2087,29 +1999,6 @@
"inputs": { "inputs": {
"flake-compat": "flake-compat_3", "flake-compat": "flake-compat_3",
"flake-utils-plus": "flake-utils-plus", "flake-utils-plus": "flake-utils-plus",
"nixpkgs": [
"nixsgx-flake",
"nixpkgs"
]
},
"locked": {
"lastModified": 1696432959,
"narHash": "sha256-oJQZv2MYyJaVyVJY5IeevzqpGvMGKu5pZcCCJvb+xjc=",
"owner": "snowfallorg",
"repo": "lib",
"rev": "92803a029b5314d4436a8d9311d8707b71d9f0b6",
"type": "github"
},
"original": {
"owner": "snowfallorg",
"repo": "lib",
"type": "github"
}
},
"snowfall-lib_2": {
"inputs": {
"flake-compat": "flake-compat_4",
"flake-utils-plus": "flake-utils-plus_2",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
] ]
@ -2242,21 +2131,6 @@
"type": "github" "type": "github"
} }
}, },
"systems_5": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"tabular": { "tabular": {
"flake": false, "flake": false,
"locked": { "locked": {

9
flake.nix
View file

@ -28,11 +28,6 @@
sops-nix.url = "github:Mic92/sops-nix"; sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs"; sops-nix.inputs.nixpkgs.follows = "nixpkgs";
nixsgx-flake = {
url = "github:matter-labs/nixsgx";
# inputs.nixpkgs.follows = "nixpkgs";
};
}; };
outputs = inputs: outputs = inputs:
@ -87,10 +82,6 @@
disko.nixosModules.disko disko.nixosModules.disko
]; ];
overlays = with inputs; [
nixsgx-flake.overlays.default
];
outputs-builder = channels: { outputs-builder = channels: {
formatter = channels.nixpkgs.nixpkgs-fmt; formatter = channels.nixpkgs.nixpkgs-fmt;
defaultApp = lib.flake-utils-plus.mkApp { drv = channels.nixpkgs.home-manager; }; defaultApp = lib.flake-utils-plus.mkApp { drv = channels.nixpkgs.home-manager; };

134
modules/nixos/nix-ld/default.nix
View file

@ -1,134 +0,0 @@
{ options, config, lib, pkgs, ... }:
with lib;
with lib.plusultra;
let cfg = config.plusultra.nix-ld;
in
{
options.plusultra.nix-ld = with types; {
enable = mkBoolOpt false "Whether or not to enable nix-ld.";
};
config = mkIf cfg.enable {
programs.nix-ld.enable = true;
# Sets up all the libraries to load
programs.nix-ld.libraries = with pkgs; [
SDL
SDL2
SDL2_image
SDL2_mixer
SDL2_ttf
SDL_image
SDL_mixer
SDL_ttf
alsa-lib
at-spi2-atk
at-spi2-core
atk
bzip2
cairo
cups
curlWithGnuTls
dbus
dbus-glib
desktop-file-utils
e2fsprogs
expat
flac
fontconfig
freeglut
freetype
fribidi
fuse
fuse3
gdk-pixbuf
glew110
glib
gmp
gst_all_1.gst-plugins-base
gst_all_1.gst-plugins-ugly
gst_all_1.gstreamer
gtk2
harfbuzz
icu
keyutils.lib
libGL
libGLU
libappindicator-gtk2
libcaca
libcanberra
libcap
libclang.lib
libdbusmenu
libdrm
libgcrypt
libgpg-error
libidn
libjack2
libjpeg
libmikmod
libogg
libpng12
libpulseaudio
librsvg
libsamplerate
libthai
libtheora
libtiff
libudev0-shim
libusb1
libuuid
libvdpau
libvorbis
libvpx
libxcrypt-legacy
libxkbcommon
libxml2
mesa
nspr
nss
openssl
p11-kit
pango
pixman
python3
speex
stdenv.cc.cc
tbb
udev
vulkan-loader
wayland
xorg.libICE
xorg.libSM
xorg.libX11
xorg.libXScrnSaver
xorg.libXcomposite
xorg.libXcursor
xorg.libXdamage
xorg.libXext
xorg.libXfixes
xorg.libXft
xorg.libXi
xorg.libXinerama
xorg.libXmu
xorg.libXrandr
xorg.libXrender
xorg.libXt
xorg.libXtst
xorg.libXxf86vm
xorg.libpciaccess
xorg.libxcb
xorg.xcbutil
xorg.xcbutilimage
xorg.xcbutilkeysyms
xorg.xcbutilrenderutil
xorg.xcbutilwm
xorg.xkeyboardconfig
xz
zlib
];
};
}

120
modules/nixos/services/base/default.nix
View file

@ -1,120 +0,0 @@
{ options, config, lib, pkgs, ... }:
with lib;
with lib.plusultra;
let cfg = config.plusultra.base;
in
{
options.plusultra.base = with types; {
enable = mkBoolOpt false "Whether or not to enable the base config.";
};
config = mkIf cfg.enable {
# Configure console keymap
console.keyMap = "us";
i18n.extraLocaleSettings = {
LC_MESSAGES = "en_US.UTF-8";
LC_TIME = "de_DE.UTF-8";
};
environment = {
sessionVariables = { PATH = "$HOME/bin:$HOME/.cargo/bin"; };
systemPackages = with pkgs; [
age
bash
cachix
cifs-utils
clevis
delta
efibootmgr
git
git-delete-merged-branches
home-manager
htop
mosh
nixpkgs-fmt
openssl
restic
rrsync
sbctl
sops
strace
tmux
tpm2-pkcs11
tpm2-pkcs11.out
tpm2-tools
vim
virt-manager
wget
];
shells = [ pkgs.fish pkgs.bash ];
};
hardware = {
cpu = {
amd.updateMicrocode = lib.mkDefault true;
intel.updateMicrocode = lib.mkDefault true;
};
enableRedistributableFirmware = lib.mkDefault true;
enableAllFirmware = true;
};
programs = {
dconf.enable = true;
bash = {
## shellInit = ''
interactiveShellInit = ''
bind '"\e[A": history-search-backward'
bind '"\e[B": history-search-forward'
'';
};
starship.enable = true;
mosh.enable = true;
vim.defaultEditor = true;
fish.enable = true;
};
# powerManagement.cpuFreqGovernor = "ondemand";
services = {
dbus.implementation = "broker";
dbus.packages = [ pkgs.gcr ];
fwupd.enable = true;
openssh = {
enable = true;
settings.PermitRootLogin = "prohibit-password";
settings.X11Forwarding = true;
};
};
security = {
tpm2.enable = lib.mkDefault true;
tpm2.abrmd.enable = lib.mkDefault true;
sudo = {
enable = true;
wheelNeedsPassword = false;
};
};
system.stateVersion = "23.11";
time.timeZone = "Europe/Berlin";
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNsmP15vH8BVKo7bdvIiiEjiQboPGcRPqJK0+bH4jKD harald@lenovo.fritz.box"
"sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBACLgT81iB1iWWVuXq6PdQ5GAAGhaZhSKnveQCvcNnAOZ5WKH80bZShKHyAYzrzbp8IGwLWJcZQ7TqRK+qZdfagAAAAEc3NoOg== harald@hoyer.xyz"
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDsb/Tr69YN5MQLweWPuJaRGm+h2kOyxfD6sqKEDTIwoAAAABHNzaDo= harald@fedora.fritz.box"
];
boot = {
tmp.cleanOnBoot = true;
loader = {
systemd-boot.enable = false;
efi.canTouchEfiVariables = true;
timeout = 2;
};
initrd.systemd.enable = lib.mkDefault true;
kernelPackages = lib.mkOverride 0 pkgs.linuxPackages_latest;
};
};
}

25
modules/nixos/services/podman/default.nix
View file

@ -1,25 +0,0 @@
{ options, config, lib, pkgs, ... }:
with lib;
with lib.plusultra;
let cfg = config.plusultra.podman;
in
{
options.plusultra.podman = with types; {
enable = mkBoolOpt false "Whether or not to enable podman.";
};
config = mkIf cfg.enable {
virtualisation = {
podman = {
enable = true;
# Create a `docker` alias for podman, to use it as a drop-in replacement
dockerCompat = true;
# For Nixos version > 22.11
defaultNetwork.settings = { dns_enabled = true; };
};
};
};
}

21
modules/nixos/services/secureboot/default.nix
View file

@ -1,21 +0,0 @@
{ options, config, lib, pkgs, ... }:
with lib;
with lib.plusultra;
let cfg = config.plusultra.secureboot;
in
{
options.plusultra.secureboot = with types; {
enable = mkBoolOpt false "Whether or not to enable secureboot.";
};
config = mkIf cfg.enable {
boot = {
lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
};
loader.systemd-boot.enable = lib.mkForce false;
};
};
}

69
modules/nixos/sgx/pccs/default.nix
View file

@ -1,69 +0,0 @@
{ options, config, lib, pkgs, ... }:
with lib;
with lib.plusultra;
let
cfg = config.plusultra.pccs;
cfg_podman = config.plusultra.podman;
in
{
options.plusultra.pccs = with types; {
enable = mkBoolOpt false "Whether or not to enable a SGX-DCAP.";
secret = mkOption {
type = with types; nullOr path;
default = null;
example = literalExpression "config.sops.secrets.pccs.path";
description = lib.mdDoc "path to the pccs secret file";
};
};
config = mkIf cfg.enable {
assertions = [
{
assertion = cfg.secret != null;
message = "path to the pccs secret file is required when pccs is enabled";
}
{
assertion = cfg_podman.enable;
message = "podman must be enabled when pccs is enabled";
}
];
plusultra = {
nix.extra-substituters = {
"https://nixsgx.cachix.org".key = "nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE=";
};
};
virtualisation.oci-containers.backend = "podman";
virtualisation.oci-containers.containers = {
# podman run --pull=always --name pccs -it --rm -v /dev/log:/dev/log --secret PCCS_CONFIG,type=mount -p 8081:8081 registry.gitlab.com/haraldh/pccs:pccs_1_19
pccs = {
image = "docker.io/backslashhh/pccs:dcap_1_19";
autoStart = true;
ports = [ "8081:8081" ];
extraOptions = [
"--volume=/dev/log:/dev/log"
"--secret=PCCS_CONFIG,type=mount"
];
};
};
systemd.services.pccs-secret =
{
description = "Inject pccs secret";
wantedBy = [ "multi-user.target" ];
before = [ "podman-pccs.service" ];
serviceConfig = {
EnvironmentFile = cfg.secret;
ExecStart = ''
-${pkgs.podman}/bin/podman secret create --env PCCS_CONFIG PCCS_CONFIG
'';
RemainAfterExit = true;
};
};
};
}

2
overlays/jetbrains-toolbox/default.nix
View file

@ -1,5 +1,7 @@
{ channels, ... }: { channels, ... }:
final: prev: final: prev:
{ {
inherit (channels.unstable) jetbrains-toolbox; inherit (channels.unstable) jetbrains-toolbox;
} }

5
overlays/nixsgx/default.nix
View file

@ -1,5 +0,0 @@
{ channels, ... }:
final: prev:
{
inherit (channels.nixpkgs.nixsgx) sgx-psw;
}

298
systems/x86_64-linux/sgx/default.nix
View file

@ -2,19 +2,13 @@
with lib; with lib;
with lib.plusultra; with lib.plusultra;
{ {
imports = [ ./hardware-configuration.nix ]; imports =
[
# Include the results of the hardware scan.
./hardware-configuration.nix
];
plusultra = { networking.hostName = "sgx"; # Define your hostname.
base.enable = true;
gui.enable = false;
nix-ld.enable = true;
nix.enable = true;
nix.extra-substituters."https://nixsgx.cachix.org".key = "nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE=";
pccs.enable = true;
pccs.secret = config.sops.secrets.pccs.path;
podman.enable = true;
secureboot.enable = true;
};
system.autoUpgrade = { system.autoUpgrade = {
enable = true; enable = true;
@ -29,20 +23,288 @@ with lib.plusultra;
flake = "git+https://git.hoyer.xyz/harald/nixcfg#sgx"; flake = "git+https://git.hoyer.xyz/harald/nixcfg#sgx";
}; };
networking.hostName = "sgx"; # Define your hostname.
security.tpm2.enable = false;
security.tpm2.abrmd.enable = false;
sops.secrets.pccs = { sops.secrets.pccs = {
sopsFile = ../../../.secrets/sgx/pccs.yaml; # bring your own password file sopsFile = ../../../.secrets/sgx/pccs.yaml; # bring your own password file
}; };
networking.wireless.enable = false; # Enables wireless support via wpa_supplicant. networking.wireless.enable = false; # Enables wireless support via wpa_supplicant.
services.aesmd.enable = true; plusultra.gui.enable = false;
plusultra.nix.enable = true;
plusultra.nix.extra-substituters = {
"https://nixsgx.cachix.org".key = "nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE=";
};
boot = {
lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
};
tmp.cleanOnBoot = true;
loader = {
systemd-boot.enable = false;
efi.canTouchEfiVariables = true;
timeout = 2;
};
initrd.systemd.enable = true;
kernelPackages = lib.mkOverride 0 pkgs.linuxPackages_latest;
};
# Configure console keymap
console.keyMap = "us";
i18n.extraLocaleSettings = {
LC_MESSAGES = "en_US.UTF-8";
LC_TIME = "de_DE.UTF-8";
};
environment = {
sessionVariables = { PATH = "$HOME/bin:$HOME/.cargo/bin"; };
systemPackages = with pkgs; [
age
bash
cachix
cifs-utils
clevis
delta
efibootmgr
git
git-delete-merged-branches
home-manager
htop
mosh
nixpkgs-fmt
openssl
restic
rrsync
sbctl
sops
strace
tmux
tpm2-pkcs11
tpm2-pkcs11.out
tpm2-tools
vim
virt-manager
wget
];
shells = [ pkgs.fish pkgs.bash ];
};
hardware = {
cpu = {
amd.updateMicrocode = lib.mkDefault true;
intel.updateMicrocode = lib.mkDefault true;
};
enableRedistributableFirmware = lib.mkDefault true;
enableAllFirmware = true;
};
programs = {
dconf.enable = true;
bash = {
## shellInit = ''
interactiveShellInit = ''
bind '"\e[A": history-search-backward'
bind '"\e[B": history-search-forward'
'';
};
starship.enable = true;
mosh.enable = true;
vim.defaultEditor = true;
fish.enable = true;
};
powerManagement.cpuFreqGovernor = "ondemand"; powerManagement.cpuFreqGovernor = "ondemand";
services = {
dbus.implementation = "broker";
dbus.packages = [ pkgs.gcr ];
fwupd.enable = true;
openssh = {
enable = true;
settings.PermitRootLogin = "prohibit-password";
settings.X11Forwarding = true;
};
};
security = {
sudo = {
enable = true;
wheelNeedsPassword = false;
};
};
system.stateVersion = "23.11"; system.stateVersion = "23.11";
time.timeZone = "Europe/Berlin";
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNsmP15vH8BVKo7bdvIiiEjiQboPGcRPqJK0+bH4jKD harald@lenovo.fritz.box"
"sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBACLgT81iB1iWWVuXq6PdQ5GAAGhaZhSKnveQCvcNnAOZ5WKH80bZShKHyAYzrzbp8IGwLWJcZQ7TqRK+qZdfagAAAAEc3NoOg== harald@hoyer.xyz"
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDsb/Tr69YN5MQLweWPuJaRGm+h2kOyxfD6sqKEDTIwoAAAABHNzaDo= harald@fedora.fritz.box"
];
virtualisation = {
podman = {
enable = true;
# Create a `docker` alias for podman, to use it as a drop-in replacement
dockerCompat = true;
# For Nixos version > 22.11
defaultNetwork.settings = { dns_enabled = true; };
};
};
virtualisation.oci-containers.backend = "podman";
virtualisation.oci-containers.containers = {
# podman run --pull=always --name pccs -it --rm -v /dev/log:/dev/log --secret PCCS_CONFIG,type=mount -p 8081:8081 registry.gitlab.com/haraldh/pccs:dcap_1_19
pccs = {
image = "registry.gitlab.com/haraldh/pccs:dcap_1_19";
autoStart = true;
ports = [ "8081:8081" ];
extraOptions = [
"--volume=/dev/log:/dev/log"
"--secret=PCCS_CONFIG,type=mount"
];
};
};
systemd.services.pccs-secret =
{
description = "Inject pccs secret";
wantedBy = [ "multi-user.target" ];
before = [ "podman-pccs.service" ];
serviceConfig = {
EnvironmentFile = config.sops.secrets.pccs.path;
ExecStart = ''
-${pkgs.podman}/bin/podman secret create --env PCCS_CONFIG PCCS_CONFIG
'';
RemainAfterExit = true;
};
};
programs.nix-ld.enable = true;
# Sets up all the libraries to load
programs.nix-ld.libraries = with pkgs; [
SDL
SDL2
SDL2_image
SDL2_mixer
SDL2_ttf
SDL_image
SDL_mixer
SDL_ttf
alsa-lib
at-spi2-atk
at-spi2-core
atk
bzip2
cairo
cups
curlWithGnuTls
dbus
dbus-glib
desktop-file-utils
e2fsprogs
expat
flac
fontconfig
freeglut
freetype
fribidi
fuse
fuse3
gdk-pixbuf
glew110
glib
gmp
gst_all_1.gst-plugins-base
gst_all_1.gst-plugins-ugly
gst_all_1.gstreamer
gtk2
harfbuzz
icu
keyutils.lib
libGL
libGLU
libappindicator-gtk2
libcaca
libcanberra
libcap
libclang.lib
libdbusmenu
libdrm
libgcrypt
libgpg-error
libidn
libjack2
libjpeg
libmikmod
libogg
libpng12
libpulseaudio
librsvg
libsamplerate
libthai
libtheora
libtiff
libudev0-shim
libusb1
libuuid
libvdpau
libvorbis
libvpx
libxcrypt-legacy
libxkbcommon
libxml2
mesa
nspr
nss
openssl
p11-kit
pango
pixman
python3
speex
stdenv.cc.cc
tbb
udev
vulkan-loader
wayland
xorg.libICE
xorg.libSM
xorg.libX11
xorg.libXScrnSaver
xorg.libXcomposite
xorg.libXcursor
xorg.libXdamage
xorg.libXext
xorg.libXfixes
xorg.libXft
xorg.libXi
xorg.libXinerama
xorg.libXmu
xorg.libXrandr
xorg.libXrender
xorg.libXt
xorg.libXtst
xorg.libXxf86vm
xorg.libpciaccess
xorg.libxcb
xorg.xcbutil
xorg.xcbutilimage
xorg.xcbutilkeysyms
xorg.xcbutilrenderutil
xorg.xcbutilwm
xorg.xkeyboardconfig
xz
zlib
];
} }

12
systems/x86_64-linux/sgx/hardware-configuration.nix
View file

@ -5,8 +5,7 @@
{ {
imports = imports =
[ [ (modulesPath + "/installer/scan/not-detected.nix")
(modulesPath + "/installer/scan/not-detected.nix")
]; ];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "uas" "sd_mod" ]; boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "uas" "sd_mod" ];
@ -17,20 +16,19 @@
boot.extraModprobeConfig = "options kvm_intel nested=1"; boot.extraModprobeConfig = "options kvm_intel nested=1";
fileSystems."/" = fileSystems."/" =
{ { device = "/dev/disk/by-uuid/7aa17b01-785e-41c6-9723-79195af906c6";
device = "/dev/disk/by-uuid/7aa17b01-785e-41c6-9723-79195af906c6";
fsType = "btrfs"; fsType = "btrfs";
options = [ "subvol=@" ]; options = [ "subvol=@" ];
}; };
fileSystems."/boot" = fileSystems."/boot" =
{ { device = "/dev/disk/by-uuid/C902-1AF5";
device = "/dev/disk/by-uuid/C902-1AF5";
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = swapDevices =
[{ device = "/dev/disk/by-uuid/72d061d7-ab18-47b9-beb1-1c465dda1be9"; }]; [ { device = "/dev/disk/by-uuid/72d061d7-ab18-47b9-beb1-1c465dda1be9"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's

264
systems/x86_64-linux/x1/default.nix
View file

@ -2,17 +2,11 @@
with lib; with lib;
with lib.plusultra; with lib.plusultra;
{ {
imports = [ ./hardware-configuration.nix ]; imports =
[
plusultra = { # Include the results of the hardware scan.
base.enable = true; ./hardware-configuration.nix
gui.enable = true; ];
nix-ld.enable = true;
nix.enable = true;
nix.extra-substituters."https://nixsgx.cachix.org".key = "nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE=";
podman.enable = true;
secureboot.enable = true;
};
system.autoUpgrade = { system.autoUpgrade = {
enable = true; enable = true;
@ -27,5 +21,253 @@ with lib.plusultra;
flake = "git+https://git.hoyer.xyz/harald/nixcfg#x1"; flake = "git+https://git.hoyer.xyz/harald/nixcfg#x1";
}; };
plusultra.gui.enable = true;
plusultra.nix.enable = true;
plusultra.nix.extra-substituters = {
"https://nixsgx.cachix.org".key = "nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE=";
};
boot = {
lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
};
tmp.cleanOnBoot = true;
loader = {
systemd-boot.enable = false;
efi.canTouchEfiVariables = true;
timeout = 2;
};
initrd.systemd.enable = true;
kernelPackages = lib.mkOverride 0 pkgs.linuxPackages_latest;
};
# Configure console keymap
console.keyMap = "us";
i18n.extraLocaleSettings = {
LC_MESSAGES = "en_US.UTF-8";
LC_TIME = "de_DE.UTF-8";
};
environment = {
sessionVariables = { PATH = "$HOME/bin:$HOME/.cargo/bin"; };
systemPackages = with pkgs; [
age
bash
cachix
cifs-utils
clevis
delta
efibootmgr
git
git-delete-merged-branches
home-manager
htop
mosh
nixpkgs-fmt
openssl
restic
rrsync
sbctl
sops
strace
tmux
tpm2-pkcs11
tpm2-pkcs11.out
tpm2-tools
vim
virt-manager
wget
];
shells = [ pkgs.fish pkgs.bash ];
};
hardware = {
cpu = {
amd.updateMicrocode = lib.mkDefault true;
intel.updateMicrocode = lib.mkDefault true;
};
enableRedistributableFirmware = lib.mkDefault true;
enableAllFirmware = true;
};
programs = {
dconf.enable = true;
bash = {
## shellInit = ''
interactiveShellInit = ''
bind '"\e[A": history-search-backward'
bind '"\e[B": history-search-forward'
'';
};
starship.enable = true;
mosh.enable = true;
vim.defaultEditor = true;
fish.enable = true;
};
# powerManagement.cpuFreqGovernor = "ondemand";
services = {
dbus.implementation = "broker";
dbus.packages = [ pkgs.gcr ];
fwupd.enable = true;
openssh = {
enable = true;
settings.PermitRootLogin = "prohibit-password";
settings.X11Forwarding = true;
};
};
security = {
tpm2.enable = lib.mkDefault true;
tpm2.abrmd.enable = lib.mkDefault true;
sudo = {
enable = true;
wheelNeedsPassword = false;
};
};
system.stateVersion = "23.11"; system.stateVersion = "23.11";
time.timeZone = "Europe/Berlin";
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNsmP15vH8BVKo7bdvIiiEjiQboPGcRPqJK0+bH4jKD harald@lenovo.fritz.box"
"sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBACLgT81iB1iWWVuXq6PdQ5GAAGhaZhSKnveQCvcNnAOZ5WKH80bZShKHyAYzrzbp8IGwLWJcZQ7TqRK+qZdfagAAAAEc3NoOg== harald@hoyer.xyz"
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDsb/Tr69YN5MQLweWPuJaRGm+h2kOyxfD6sqKEDTIwoAAAABHNzaDo= harald@fedora.fritz.box"
];
virtualisation = {
podman = {
enable = true;
# Create a `docker` alias for podman, to use it as a drop-in replacement
dockerCompat = true;
# For Nixos version > 22.11
defaultNetwork.settings = { dns_enabled = true; };
};
};
programs.nix-ld.enable = true;
# Sets up all the libraries to load
programs.nix-ld.libraries = with pkgs; [
SDL
SDL2
SDL2_image
SDL2_mixer
SDL2_ttf
SDL_image
SDL_mixer
SDL_ttf
alsa-lib
at-spi2-atk
at-spi2-core
atk
bzip2
cairo
cups
curlWithGnuTls
dbus
dbus-glib
desktop-file-utils
e2fsprogs
expat
flac
fontconfig
freeglut
freetype
fribidi
fuse
fuse3
gdk-pixbuf
glew110
glib
gmp
gst_all_1.gst-plugins-base
gst_all_1.gst-plugins-ugly
gst_all_1.gstreamer
gtk2
harfbuzz
icu
keyutils.lib
libGL
libGLU
libappindicator-gtk2
libcaca
libcanberra
libcap
libclang.lib
libdbusmenu
libdrm
libgcrypt
libgpg-error
libidn
libjack2
libjpeg
libmikmod
libogg
libpng12
libpulseaudio
librsvg
libsamplerate
libthai
libtheora
libtiff
libudev0-shim
libusb1
libuuid
libvdpau
libvorbis
libvpx
libxcrypt-legacy
libxkbcommon
libxml2
mesa
nspr
nss
openssl
p11-kit
pango
pixman
python3
speex
stdenv.cc.cc
tbb
udev
vulkan-loader
wayland
xorg.libICE
xorg.libSM
xorg.libX11
xorg.libXScrnSaver
xorg.libXcomposite
xorg.libXcursor
xorg.libXdamage
xorg.libXext
xorg.libXfixes
xorg.libXft
xorg.libXi
xorg.libXinerama
xorg.libXmu
xorg.libXrandr
xorg.libXrender
xorg.libXt
xorg.libXtst
xorg.libXxf86vm
xorg.libpciaccess
xorg.libxcb
xorg.xcbutil
xorg.xcbutilimage
xorg.xcbutilkeysyms
xorg.xcbutilrenderutil
xorg.xcbutilwm
xorg.xkeyboardconfig
xz
zlib
];
} }