From 69f4e8bcf99da78fe43d4ca738929ed88f61e261 Mon Sep 17 00:00:00 2001 From: Harald Hoyer Date: Wed, 6 Mar 2024 13:44:06 +0100 Subject: [PATCH 1/3] factor out nix-ld Signed-off-by: Harald Hoyer --- modules/nixos/nix-ld/default.nix | 134 ++++++++++++++++++++++++++++ systems/x86_64-linux/x1/default.nix | 131 ++------------------------- 2 files changed, 141 insertions(+), 124 deletions(-) create mode 100644 modules/nixos/nix-ld/default.nix diff --git a/modules/nixos/nix-ld/default.nix b/modules/nixos/nix-ld/default.nix new file mode 100644 index 0000000..9c0331f --- /dev/null +++ b/modules/nixos/nix-ld/default.nix 
@@ -0,0 +1,134 @@ +{ options, config, lib, pkgs, ... }: + +with lib; +with lib.plusultra; +let cfg = config.plusultra.gui; +in +{ + options.plusultra.nix-ld = with types; { + enable = mkBoolOpt false "Whether or not to enable nix-ld."; + }; + + config = mkIf cfg.enable { + + programs.nix-ld.enable = true; + + # Sets up all the libraries to load + programs.nix-ld.libraries = with pkgs; [ + SDL + SDL2 + SDL2_image + SDL2_mixer + SDL2_ttf + SDL_image + SDL_mixer + SDL_ttf + alsa-lib + at-spi2-atk + at-spi2-core + atk + bzip2 + cairo + cups + curlWithGnuTls + dbus + dbus-glib + desktop-file-utils + e2fsprogs + expat + flac + fontconfig + freeglut + freetype + fribidi + fuse + fuse3 + gdk-pixbuf + glew110 + glib + gmp + gst_all_1.gst-plugins-base + gst_all_1.gst-plugins-ugly + gst_all_1.gstreamer + gtk2 + harfbuzz + icu + keyutils.lib + libGL + libGLU + libappindicator-gtk2 + libcaca + libcanberra + libcap + libclang.lib + libdbusmenu + libdrm + libgcrypt + libgpg-error + libidn + libjack2 + libjpeg + libmikmod + libogg + libpng12 + libpulseaudio + librsvg + libsamplerate + libthai + libtheora + libtiff + libudev0-shim + libusb1 + libuuid + libvdpau + libvorbis + libvpx + libxcrypt-legacy + libxkbcommon + libxml2 + mesa + nspr + nss + openssl + p11-kit + pango + pixman + python3 + speex + stdenv.cc.cc + tbb + udev + vulkan-loader + wayland + xorg.libICE + xorg.libSM + xorg.libX11 + xorg.libXScrnSaver + xorg.libXcomposite + xorg.libXcursor + xorg.libXdamage + xorg.libXext + xorg.libXfixes + xorg.libXft + xorg.libXi + xorg.libXinerama + xorg.libXmu + xorg.libXrandr + xorg.libXrender + xorg.libXt + xorg.libXtst + xorg.libXxf86vm + xorg.libpciaccess + xorg.libxcb + xorg.xcbutil + xorg.xcbutilimage + xorg.xcbutilkeysyms + xorg.xcbutilrenderutil + xorg.xcbutilwm + xorg.xkeyboardconfig + xz + zlib + ]; + + }; +} diff --git a/systems/x86_64-linux/x1/default.nix b/systems/x86_64-linux/x1/default.nix index f643648..6806066 100644 --- a/systems/x86_64-linux/x1/default.nix 
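Review bot: `let cfg = config.plusultra.gui;` binds this module to the wrong option, so the `plusultra.nix-ld.enable` option declared right below it is never read and nix-ld is switched on or off by `plusultra.gui.enable` instead; the line should read `let cfg = config.plusultra.nix-ld;`. PATCH 2/3 of this series changes exactly that line, so folding the fix into this commit would keep every intermediate revision correct. The library list also deserves a comment for whoever enables this on a server: nix-ld hands all of these to any non-Nix ELF binary, and several appear to be kept purely for old-ABI compatibility (`libpng12`, `libxcrypt-legacy`, `gtk2`, `glew110`), e.g. `# compatibility set for foreign binaries, includes legacy ABIs; review before enabling on non-desktop hosts`.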
+++ b/systems/x86_64-linux/x1/default.nix @@ -21,10 +21,13 @@ with lib.plusultra; flake = "git+https://git.hoyer.xyz/harald/nixcfg#x1"; }; - plusultra.gui.enable = true; - plusultra.nix.enable = true; - plusultra.nix.extra-substituters = { - "https://nixsgx.cachix.org".key = "nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE="; + plusultra = { + gui.enable = true; + nix-ld.enable = true; + nix.enable = true; + nix.extra-substituters = { + "https://nixsgx.cachix.org".key = "nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE="; + }; }; boot = { 
@@ -150,124 +153,4 @@ with lib.plusultra; defaultNetwork.settings = { dns_enabled = true; }; }; }; - - programs.nix-ld.enable = true; - - # Sets up all the libraries to load - programs.nix-ld.libraries = with pkgs; [ - SDL - SDL2 - SDL2_image - SDL2_mixer - SDL2_ttf - SDL_image - SDL_mixer - SDL_ttf - alsa-lib - at-spi2-atk - at-spi2-core - atk - bzip2 - cairo - cups - curlWithGnuTls - dbus - dbus-glib - desktop-file-utils - e2fsprogs - expat - flac - fontconfig - freeglut - freetype - fribidi - fuse - fuse3 - gdk-pixbuf - glew110 - glib - gmp - gst_all_1.gst-plugins-base - gst_all_1.gst-plugins-ugly - gst_all_1.gstreamer - gtk2 - harfbuzz - icu - keyutils.lib - libGL - libGLU - libappindicator-gtk2 - libcaca - libcanberra - libcap - libclang.lib - libdbusmenu - libdrm - libgcrypt - libgpg-error - libidn - libjack2 - libjpeg - libmikmod - libogg - libpng12 - libpulseaudio - librsvg - libsamplerate - libthai - libtheora - libtiff - libudev0-shim - libusb1 - libuuid - libvdpau - libvorbis - libvpx - libxcrypt-legacy - libxkbcommon - libxml2 - mesa - nspr - nss - openssl - p11-kit - pango - pixman - python3 - speex - stdenv.cc.cc - tbb - udev - vulkan-loader - wayland - xorg.libICE - xorg.libSM - xorg.libX11 - xorg.libXScrnSaver - xorg.libXcomposite - xorg.libXcursor - xorg.libXdamage - xorg.libXext - xorg.libXfixes - xorg.libXft - xorg.libXi - xorg.libXinerama - xorg.libXmu - xorg.libXrandr - xorg.libXrender - xorg.libXt - xorg.libXtst - xorg.libXxf86vm - xorg.libpciaccess - xorg.libxcb - xorg.xcbutil - xorg.xcbutilimage - xorg.xcbutilkeysyms - xorg.xcbutilrenderutil - xorg.xcbutilwm - xorg.xkeyboardconfig - xz - zlib - ]; - } From d0ad237493dbe540dd5f2281683ba8723ad0af86 Mon Sep 17 00:00:00 2001 From: Harald Hoyer Date: Wed, 6 Mar 2024 15:12:04 +0100 Subject: [PATCH 2/3] sgx: add aesmd and refactor 
Signed-off-by: Harald Hoyer --- flake.lock | 128 +++++++++++++- flake.nix | 9 + modules/nixos/nix-ld/default.nix | 2 +- modules/nixos/sgx/pccs/default.nix | 67 +++++++ overlays/jetbrains-toolbox/default.nix | 2 - overlays/nixsgx/default.nix | 5 + systems/x86_64-linux/sgx/default.nix | 165 ++---------------- .../sgx/hardware-configuration.nix | 12 +- 8 files changed, 227 insertions(+), 163 deletions(-) create mode 100644 modules/nixos/sgx/pccs/default.nix create mode 100644 overlays/nixsgx/default.nix diff --git a/flake.lock b/flake.lock index 8c19496..3d507d7 100644 --- a/flake.lock +++ b/flake.lock @@ -503,6 +503,22 @@ "type": "github" } }, + "flake-compat_4": { + "flake": false, + "locked": { + "lastModified": 1650374568, + "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "b4a34015c698c7793d592d66adbab377907a2be8", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-parts": { "inputs": { "nixpkgs-lib": [ @@ -578,6 +594,24 @@ "type": "github" } }, + "flake-utils-plus_2": { + "inputs": { + "flake-utils": "flake-utils_5" + }, + "locked": { + "lastModified": 1696331477, + "narHash": "sha256-YkbRa/1wQWdWkVJ01JvV+75KIdM37UErqKgTf0L54Fk=", + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "rev": "bfc53579db89de750b25b0c5e7af299e0c06d7d3", + "type": "github" + }, + "original": { + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "type": "github" + } + }, "flake-utils_2": { "inputs": { "systems": "systems_2" 
@@ -629,6 +663,24 @@ "type": "github" } }, + "flake-utils_5": { + "inputs": { + "systems": "systems_5" + }, + "locked": { + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "flutter-tools": { "flake": false, "locked": { @@ -1287,6 +1339,41 @@ "type": "github" } }, + "nixpkgs_5": { + "locked": { + "lastModified": 1707091808, + "narHash": "sha256-LahKBAfGbY836gtpVNnWwBTIzN7yf/uYM/S0g393r0Y=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "9f2ee8c91ac42da3ae6c6a1d21555f283458247e", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixsgx-flake": { + "inputs": { + "nixpkgs": "nixpkgs_5", + "snowfall-lib": "snowfall-lib" + }, + "locked": { + "lastModified": 1709040449, + "narHash": "sha256-NDXSUI7GTCekniW52EBvi5PlzdQ37XkrIB1oH4GrUvM=", + "owner": "matter-labs", + "repo": "nixsgx", + "rev": "2b11fbc725fbab3fbaef13490decd3f93c43ae07", + "type": "github" + }, + "original": { + "owner": "matter-labs", + "repo": "nixsgx", + "type": "github" + } + }, "nmd": { "flake": false, "locked": { @@ -1890,7 +1977,8 @@ "lanzaboote": "lanzaboote", "neovim-flake": "neovim-flake", "nixpkgs": "nixpkgs_4", - "snowfall-lib": "snowfall-lib", + "nixsgx-flake": "nixsgx-flake", + "snowfall-lib": "snowfall-lib_2", "sops-nix": "sops-nix", "unstable": "unstable" } 
@@ -1999,6 +2087,29 @@ "inputs": { "flake-compat": "flake-compat_3", "flake-utils-plus": "flake-utils-plus", + "nixpkgs": [ + "nixsgx-flake", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1696432959, + "narHash": "sha256-oJQZv2MYyJaVyVJY5IeevzqpGvMGKu5pZcCCJvb+xjc=", + "owner": "snowfallorg", + "repo": "lib", + "rev": "92803a029b5314d4436a8d9311d8707b71d9f0b6", + "type": "github" + }, + "original": { + "owner": "snowfallorg", + "repo": "lib", + "type": "github" + } + }, + "snowfall-lib_2": { + "inputs": { + "flake-compat": "flake-compat_4", + "flake-utils-plus": "flake-utils-plus_2", "nixpkgs": [ "nixpkgs" ] @@ -2131,6 +2242,21 @@ "type": "github" } }, + "systems_5": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "tabular": { "flake": false, "locked": { diff --git a/flake.nix b/flake.nix index 5386a2b..b2d1499 100644 --- a/flake.nix +++ b/flake.nix @@ -28,6 +28,11 @@ sops-nix.url = "github:Mic92/sops-nix"; sops-nix.inputs.nixpkgs.follows = "nixpkgs"; + + nixsgx-flake = { + url = "github:matter-labs/nixsgx"; + # inputs.nixpkgs.follows = "nixpkgs"; + }; }; outputs = inputs: @@ -82,6 +87,10 @@ disko.nixosModules.disko ]; + overlays = with inputs; [ + nixsgx-flake.overlays.default + ]; + outputs-builder = channels: { formatter = channels.nixpkgs.nixpkgs-fmt; defaultApp = lib.flake-utils-plus.mkApp { drv = channels.nixpkgs.home-manager; }; diff --git a/modules/nixos/nix-ld/default.nix b/modules/nixos/nix-ld/default.nix index 9c0331f..331ddef 100644 --- a/modules/nixos/nix-ld/default.nix +++ b/modules/nixos/nix-ld/default.nix @@ -2,7 +2,7 @@ with lib; with lib.plusultra; -let cfg = config.plusultra.gui; +let cfg = config.plusultra.nix-ld; in { options.plusultra.nix-ld = with types; { 
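Review bot: `# inputs.nixpkgs.follows = "nixpkgs";` is left commented out on the new `nixsgx-flake` input, so flake.lock now pins a second nixpkgs tree (`nixpkgs_5`, nixos-23.11 at `9f2ee8c9…`, lastModified 1707091808); anything nixsgx evaluates against its own input rather than through the overlay's `prev` will receive security updates only when upstream matter-labs/nixsgx re-locks, not when this repo runs `nix flake update`. If the separate pin is intentional, replace the dead comment with the reason, e.g. `# deliberately not following nixpkgs: nixsgx pins its own 23.11 tree; re-check on each bump`; otherwise uncomment the `follows` so everything built from this input tracks the same nixpkgs. Note that `overlays = with inputs; [ nixsgx-flake.overlays.default ];` in the second hunk appears to apply that flake's overlay to every host's channel, so the pin question affects the laptop as well as the sgx machine.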
diff --git a/modules/nixos/sgx/pccs/default.nix b/modules/nixos/sgx/pccs/default.nix
new file mode 100644
index 0000000..8e71f95
--- /dev/null
+++ b/modules/nixos/sgx/pccs/default.nix
@@ -0,0 +1,67 @@
+{ options, config, lib, pkgs, ... }:
+
+with lib;
+with lib.plusultra;
+let cfg = config.plusultra.pccs;
+in
+{
+ options.plusultra.pccs = with types; {
+ enable = mkBoolOpt false "Whether or not to enable a SGX-DCAP.";
+ secret = mkOption {
+ type = with types; nullOr path;
+ default = null;
+ example = literalExpression "config.sops.secrets.pccs.path";
+ description = lib.mdDoc "path to the pccs secret file";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ assertions = [{
+ assertion = cfg.secret != null;
+ message = "path to the pccs secret file is required when pccs is enabled";
+ }];
+
+ virtualisation = {
+ podman = {
+ enable = true;
+
+ # Create a `docker` alias for podman, to use it as a drop-in replacement
+ dockerCompat = true;
+
+ # For Nixos version > 22.11
+ defaultNetwork.settings = { dns_enabled = true; };
+ };
+ };
+
+ virtualisation.oci-containers.backend = "podman";
+ virtualisation.oci-containers.containers = {
+ # podman run --pull=always --name pccs -it --rm -v /dev/log:/dev/log --secret PCCS_CONFIG,type=mount -p 8081:8081 registry.gitlab.com/haraldh/pccs:pccs_1_19
+ pccs = {
+ image = "docker.io/backslashhh/pccs:dcap_1_19";
+ autoStart = true;
+ ports = [ "8081:8081" ];
+ extraOptions = [
+ "--volume=/dev/log:/dev/log"
+ "--secret=PCCS_CONFIG,type=mount"
+ ];
+ };
+ };
+
+ systemd.services.pccs-secret =
+ {
+ description = "Inject pccs secret";
+ wantedBy = [ "multi-user.target" ];
+ before = [ "podman-pccs.service" ];
+
+ serviceConfig = {
+ EnvironmentFile = cfg.secret;
+ ExecStart = ''
+ -${pkgs.podman}/bin/podman secret create --env PCCS_CONFIG PCCS_CONFIG
+ '';
+ RemainAfterExit = true;
+ };
+ };
+
+
+ };
+}
diff --git a/overlays/jetbrains-toolbox/default.nix b/overlays/jetbrains-toolbox/default.nix
index e5429aa..94485f7 100644
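Review bot: The PCCS container is pulled by mutable tag from a personal Docker Hub namespace, `image = "docker.io/backslashhh/pccs:dcap_1_19";`, with no digest, while the comment above it still documents `registry.gitlab.com/haraldh/pccs:pccs_1_19`, so a reader cannot tell which artifact is intended or verify it is the one that was reviewed. PCCS serves the PCK certificates and TCB info that DCAP quote verification relies on, so it sits in the attestation trust chain; pin it (`image = "docker.io/backslashhh/pccs@sha256:<digest>";`) and update the comment to the actual image. `ports = [ "8081:8081" ];` publishes on every interface — if only the local aesmd/QCNL is meant to use it, `ports = [ "127.0.0.1:8081:8081" ];` keeps PCCS off the network. The leading `-` in `ExecStart` swallows every failure of `podman secret create`, including the "secret already exists" case, so a rotated `cfg.secret` is silently never re-injected; drop the `-`, remove the stale secret first, and make the container depend on the unit (`systemd.services.podman-pccs.requires = [ "pccs-secret.service" ];`), since `before` alone only orders the two.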
--- a/overlays/jetbrains-toolbox/default.nix +++ b/overlays/jetbrains-toolbox/default.nix @@ -1,7 +1,5 @@ { channels, ... }: - final: prev: - { inherit (channels.unstable) jetbrains-toolbox; } diff --git a/overlays/nixsgx/default.nix b/overlays/nixsgx/default.nix new file mode 100644 index 0000000..66b492e --- /dev/null +++ b/overlays/nixsgx/default.nix @@ -0,0 +1,5 @@ +{ channels, ... }: +final: prev: +{ + inherit (channels.nixpkgs.nixsgx) sgx-psw; +} diff --git a/systems/x86_64-linux/sgx/default.nix b/systems/x86_64-linux/sgx/default.nix index b53b40a..0dab774 100644 --- a/systems/x86_64-linux/sgx/default.nix +++ b/systems/x86_64-linux/sgx/default.nix @@ -29,10 +29,17 @@ with lib.plusultra; networking.wireless.enable = false; # Enables wireless support via wpa_supplicant. - plusultra.gui.enable = false; - plusultra.nix.enable = true; - plusultra.nix.extra-substituters = { - "https://nixsgx.cachix.org".key = "nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE="; + services.aesmd.enable = true; + + plusultra = { + pccs.enable = true; + pccs.secret = config.sops.secrets.pccs.path; + gui.enable = false; + nix-ld.enable = true; + nix.enable = true; + nix.extra-substituters = { + "https://nixsgx.cachix.org".key = "nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE="; + }; }; boot = { 
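Review bot: `services.aesmd.enable = true;` starts the AESM daemon, but nothing in this hunk points its quote-provider library at the PCCS that `pccs.enable = true;` brings up on port 8081, so unless that QCNL configuration lives outside the patch, quote generation on this host will use whatever the packaged default `sgx_default_qcnl.conf` says. If the aesmd module in this channel exposes quote-provider settings, set the local PCCS URL there with a comment such as `# QCNL must target the local PCCS container (https://localhost:8081/sgx/certification/v4/)`; otherwise document where that file comes from. The new `overlays/nixsgx/default.nix` in the same patch swaps nixpkgs' `sgx-psw` for `channels.nixpkgs.nixsgx.sgx-psw`, presumably the PSW aesmd runs here, so the `nixsgx-flake` lock revision now directly decides the PSW version on the attestation host.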
@@ -157,154 +164,4 @@ with lib.plusultra; }; }; - virtualisation.oci-containers.backend = "podman"; - virtualisation.oci-containers.containers = { - - # podman run --pull=always --name pccs -it --rm -v /dev/log:/dev/log --secret PCCS_CONFIG,type=mount -p 8081:8081 registry.gitlab.com/haraldh/pccs:dcap_1_19 - pccs = { - image = "registry.gitlab.com/haraldh/pccs:dcap_1_19"; - autoStart = true; - ports = [ "8081:8081" ]; - extraOptions = [ - "--volume=/dev/log:/dev/log" - "--secret=PCCS_CONFIG,type=mount" - ]; - }; - }; - - systemd.services.pccs-secret = - { - description = "Inject pccs secret"; - wantedBy = [ "multi-user.target" ]; - before = [ "podman-pccs.service" ]; - - serviceConfig = { - EnvironmentFile = config.sops.secrets.pccs.path; - ExecStart = '' - -${pkgs.podman}/bin/podman secret create --env PCCS_CONFIG PCCS_CONFIG - ''; - RemainAfterExit = true; - }; - }; - - - programs.nix-ld.enable = true; - - # Sets up all the libraries to load - programs.nix-ld.libraries = with pkgs; [ - SDL - SDL2 - SDL2_image - SDL2_mixer - SDL2_ttf - SDL_image - SDL_mixer - SDL_ttf - alsa-lib - at-spi2-atk - at-spi2-core - atk - bzip2 - cairo - cups - curlWithGnuTls - dbus - dbus-glib - desktop-file-utils - e2fsprogs - expat - flac - fontconfig - freeglut - freetype - fribidi - fuse - fuse3 - gdk-pixbuf - glew110 - glib - gmp - gst_all_1.gst-plugins-base - gst_all_1.gst-plugins-ugly - gst_all_1.gstreamer - gtk2 - harfbuzz - icu - keyutils.lib - libGL - libGLU - libappindicator-gtk2 - libcaca - libcanberra - libcap - libclang.lib - libdbusmenu - libdrm - libgcrypt - libgpg-error - libidn - libjack2 - libjpeg - libmikmod - libogg - libpng12 - libpulseaudio - librsvg - libsamplerate - libthai - libtheora - libtiff - libudev0-shim - libusb1 - libuuid - libvdpau - libvorbis - libvpx - libxcrypt-legacy - libxkbcommon - libxml2 - mesa - nspr - nss - openssl - p11-kit - pango - pixman - python3 - speex - stdenv.cc.cc - tbb - udev - vulkan-loader - wayland - xorg.libICE - xorg.libSM - 
xorg.libX11 - xorg.libXScrnSaver - xorg.libXcomposite - xorg.libXcursor - xorg.libXdamage - xorg.libXext - xorg.libXfixes - xorg.libXft - xorg.libXi - xorg.libXinerama - xorg.libXmu - xorg.libXrandr - xorg.libXrender - xorg.libXt - xorg.libXtst - xorg.libXxf86vm - xorg.libpciaccess - xorg.libxcb - xorg.xcbutil - xorg.xcbutilimage - xorg.xcbutilkeysyms - xorg.xcbutilrenderutil - xorg.xcbutilwm - xorg.xkeyboardconfig - xz - zlib - ]; - } diff --git a/systems/x86_64-linux/sgx/hardware-configuration.nix b/systems/x86_64-linux/sgx/hardware-configuration.nix index 11bc10f..0afa72d 100644 --- a/systems/x86_64-linux/sgx/hardware-configuration.nix +++ b/systems/x86_64-linux/sgx/hardware-configuration.nix @@ -5,7 +5,8 @@ { imports = - [ (modulesPath + "/installer/scan/not-detected.nix") + [ + (modulesPath + "/installer/scan/not-detected.nix") ]; boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "uas" "sd_mod" ]; @@ -16,19 +17,20 @@ boot.extraModprobeConfig = "options kvm_intel nested=1"; fileSystems."/" = - { device = "/dev/disk/by-uuid/7aa17b01-785e-41c6-9723-79195af906c6"; + { + device = "/dev/disk/by-uuid/7aa17b01-785e-41c6-9723-79195af906c6"; fsType = "btrfs"; options = [ "subvol=@" ]; }; fileSystems."/boot" = - { device = "/dev/disk/by-uuid/C902-1AF5"; + { + device = "/dev/disk/by-uuid/C902-1AF5"; fsType = "vfat"; }; swapDevices = - [ { device = "/dev/disk/by-uuid/72d061d7-ab18-47b9-beb1-1c465dda1be9"; } - ]; + [{ device = "/dev/disk/by-uuid/72d061d7-ab18-47b9-beb1-1c465dda1be9"; }]; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's From 9a36e90cd49d633df9912c0503e95056e63572f9 Mon Sep 17 00:00:00 2001 From: Harald Hoyer Date: Wed, 6 Mar 2024 15:36:02 +0100 Subject: [PATCH 3/3] refactor and simplify 
Signed-off-by: Harald Hoyer --- modules/nixos/services/base/default.nix | 120 ++++++++++++++ modules/nixos/services/podman/default.nix | 25 +++ modules/nixos/services/secureboot/default.nix | 21 +++ modules/nixos/sgx/pccs/default.nix | 30 ++-- systems/x86_64-linux/sgx/default.nix | 153 ++---------------- systems/x86_64-linux/x1/default.nix | 147 ++--------------- 6 files changed, 210 insertions(+), 286 deletions(-) create mode 100644 modules/nixos/services/base/default.nix create mode 100644 modules/nixos/services/podman/default.nix create mode 100644 modules/nixos/services/secureboot/default.nix diff --git a/modules/nixos/services/base/default.nix b/modules/nixos/services/base/default.nix new file mode 100644 index 0000000..1bc7292 --- /dev/null +++ b/modules/nixos/services/base/default.nix 
@@ -0,0 +1,120 @@
+{ options, config, lib, pkgs, ... }:
+
+with lib;
+with lib.plusultra;
+let cfg = config.plusultra.base;
+in
+{
+ options.plusultra.base = with types; {
+ enable = mkBoolOpt false "Whether or not to enable the base config.";
+ };
+
+ config = mkIf cfg.enable {
+ # Configure console keymap
+ console.keyMap = "us";
+ i18n.extraLocaleSettings = {
+ LC_MESSAGES = "en_US.UTF-8";
+ LC_TIME = "de_DE.UTF-8";
+ };
+
+ environment = {
+ sessionVariables = { PATH = "$HOME/bin:$HOME/.cargo/bin"; };
+ systemPackages = with pkgs; [
+ age
+ bash
+ cachix
+ cifs-utils
+ clevis
+ delta
+ efibootmgr
+ git
+ git-delete-merged-branches
+ home-manager
+ htop
+ mosh
+ nixpkgs-fmt
+ openssl
+ restic
+ rrsync
+ sbctl
+ sops
+ strace
+ tmux
+ tpm2-pkcs11
+ tpm2-pkcs11.out
+ tpm2-tools
+ vim
+ virt-manager
+ wget
+ ];
+ shells = [ pkgs.fish pkgs.bash ];
+ };
+
+ hardware = {
+ cpu = {
+ amd.updateMicrocode = lib.mkDefault true;
+ intel.updateMicrocode = lib.mkDefault true;
+ };
+ enableRedistributableFirmware = lib.mkDefault true;
+ enableAllFirmware = true;
+ };
+
+ programs = {
+ dconf.enable = true;
+ bash = {
+ ## shellInit = ''
+ interactiveShellInit = ''
+ bind '"\e[A": history-search-backward'
+ bind '"\e[B": history-search-forward'
+ '';
+ };
+ starship.enable = true;
+ mosh.enable = true;
+ vim.defaultEditor = true;
+ fish.enable = true;
+ };
+
+ # powerManagement.cpuFreqGovernor = "ondemand";
+
+ services = {
+ dbus.implementation = "broker";
+ dbus.packages = [ pkgs.gcr ];
+ fwupd.enable = true;
+ openssh = {
+ enable = true;
+ settings.PermitRootLogin = "prohibit-password";
+ settings.X11Forwarding = true;
+ };
+ };
+
+ security = {
+ tpm2.enable = lib.mkDefault true;
+ tpm2.abrmd.enable = lib.mkDefault true;
+ sudo = {
+ enable = true;
+ wheelNeedsPassword = false;
+ };
+ };
+
+ system.stateVersion = "23.11";
+
+ time.timeZone = "Europe/Berlin";
+
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNsmP15vH8BVKo7bdvIiiEjiQboPGcRPqJK0+bH4jKD harald@lenovo.fritz.box"
+ "sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBACLgT81iB1iWWVuXq6PdQ5GAAGhaZhSKnveQCvcNnAOZ5WKH80bZShKHyAYzrzbp8IGwLWJcZQ7TqRK+qZdfagAAAAEc3NoOg== harald@hoyer.xyz"
+ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDsb/Tr69YN5MQLweWPuJaRGm+h2kOyxfD6sqKEDTIwoAAAABHNzaDo= harald@fedora.fritz.box"
+ ];
+
+ boot = {
+ tmp.cleanOnBoot = true;
+ loader = {
+ systemd-boot.enable = false;
+ efi.canTouchEfiVariables = true;
+ timeout = 2;
+ };
+ initrd.systemd.enable = lib.mkDefault true;
+ kernelPackages = lib.mkOverride 0 pkgs.linuxPackages_latest;
+ };
+ };
+}
diff --git a/modules/nixos/services/podman/default.nix b/modules/nixos/services/podman/default.nix
new file mode 100644
index 0000000..836eae8
--- /dev/null
+++ b/modules/nixos/services/podman/default.nix
@@ -0,0 +1,25 @@
+{ options, config, lib, pkgs, ... }:
+
+with lib;
+with lib.plusultra;
+let cfg = config.plusultra.podman;
+in
+{
+ options.plusultra.podman = with types; {
+ enable = mkBoolOpt false "Whether or not to enable podman.";
+ };
+
+ config = mkIf cfg.enable {
+ virtualisation = {
+ podman = {
+ enable = true;
+
+ # Create a `docker` alias for podman, to use it as a drop-in replacement
+ dockerCompat = true;
+
+ # For Nixos version > 22.11
+ defaultNetwork.settings = { dns_enabled = true; };
+ };
+ };
+ };
+}
diff --git a/modules/nixos/services/secureboot/default.nix b/modules/nixos/services/secureboot/default.nix
new file mode 100644
index 0000000..e76b4d0
--- /dev/null
+++ b/modules/nixos/services/secureboot/default.nix
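Review bot: `wheelNeedsPassword = false;` and `settings.X11Forwarding = true;` are hard assignments in a shared module that this patch enables on both `x1` and the `sgx` attestation host, so every wheel member gets passwordless root and the headless server forwards X11, and neither can be tightened per host without `lib.mkForce`. Write them as overridable defaults — `wheelNeedsPassword = lib.mkDefault false;` and `settings.X11Forwarding = lib.mkDefault true;` — so `systems/x86_64-linux/sgx` can override them the same way it already overrides `security.tpm2.*`. `kernelPackages = lib.mkOverride 0 pkgs.linuxPackages_latest;` has the same problem in a sharper form: priority 0 beats `mkForce`, so no host can ever pick a hardened or LTS kernel through the module system; `lib.mkDefault pkgs.linuxPackages_latest` (or a plain assignment) keeps the intent and leaves an escape hatch. The root `authorizedKeys` list is what makes root reachable over SSH under `PermitRootLogin = "prohibit-password"`, which is worth a one-line comment so the two settings are read together.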
@@ -0,0 +1,21 @@ +{ options, config, lib, pkgs, ... }: + +with lib; +with lib.plusultra; +let cfg = config.plusultra.secureboot; +in +{ + options.plusultra.secureboot = with types; { + enable = mkBoolOpt false "Whether or not to enable secureboot."; + }; + + config = mkIf cfg.enable { + boot = { + lanzaboote = { + enable = true; + pkiBundle = "/etc/secureboot"; + }; + loader.systemd-boot.enable = lib.mkForce false; + }; + }; +} diff --git a/modules/nixos/sgx/pccs/default.nix b/modules/nixos/sgx/pccs/default.nix index 8e71f95..5cd540a 100644 --- a/modules/nixos/sgx/pccs/default.nix +++ b/modules/nixos/sgx/pccs/default.nix @@ -2,7 +2,9 @@ with lib; with lib.plusultra; -let cfg = config.plusultra.pccs; +let + cfg = config.plusultra.pccs; + cfg_podman = config.plusultra.podman; in { options.plusultra.pccs = with types; { @@ -16,20 +18,20 @@ in }; config = mkIf cfg.enable { - assertions = [{ - assertion = cfg.secret != null; - message = "path to the pccs secret file is required when pccs is enabled"; - }]; + assertions = [ + { + assertion = cfg.secret != null; + message = "path to the pccs secret file is required when pccs is enabled"; + } + { + assertion = cfg_podman.enable; + message = "podman must be enabled when pccs is enabled"; + } + ]; - virtualisation = { - podman = { - enable = true; - - # Create a `docker` alias for podman, to use it as a drop-in replacement - dockerCompat = true; - - # For Nixos version > 22.11 - defaultNetwork.settings = { dns_enabled = true; }; + plusultra = { + nix.extra-substituters = { + "https://nixsgx.cachix.org".key = "nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE="; }; }; diff --git a/systems/x86_64-linux/sgx/default.nix b/systems/x86_64-linux/sgx/default.nix index 0dab774..24f31e8 100644 --- a/systems/x86_64-linux/sgx/default.nix +++ b/systems/x86_64-linux/sgx/default.nix 
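Review bot: Enabling `pccs.enable` now quietly widens the system's Nix trust set: the new `plusultra.nix.extra-substituters."https://nixsgx.cachix.org".key = …` block (presumably feeding `nix.settings.substituters`/`trusted-public-keys`, the option itself is defined out of view) adds a third-party binary cache and its signing key system-wide as a side effect of starting a container, which a host owner would expect to opt into explicitly. The identical key is also pinned in `systems/x86_64-linux/sgx/default.nix` and `x1/default.nix`, so a rotation means three edits and the copies can drift. Give it one owner: either drop it from this module and leave it to the hosts, or keep it here with `# side effect: nixsgx.cachix.org and its key are trusted system-wide once pccs is enabled` and remove the host copies.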
@@ -2,13 +2,19 @@ with lib; with lib.plusultra; { - imports = - [ - # Include the results of the hardware scan. - ./hardware-configuration.nix - ]; + imports = [ ./hardware-configuration.nix ]; - networking.hostName = "sgx"; # Define your hostname. + plusultra = { + base.enable = true; + gui.enable = false; + nix-ld.enable = true; + nix.enable = true; + nix.extra-substituters."https://nixsgx.cachix.org".key = "nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE="; + pccs.enable = true; + pccs.secret = config.sops.secrets.pccs.path; + podman.enable = true; + secureboot.enable = true; + }; system.autoUpgrade = { enable = true; @@ -23,6 +29,11 @@ with lib.plusultra; flake = "git+https://git.hoyer.xyz/harald/nixcfg#sgx"; }; + networking.hostName = "sgx"; # Define your hostname. + + security.tpm2.enable = false; + security.tpm2.abrmd.enable = false; + sops.secrets.pccs = { sopsFile = ../../../.secrets/sgx/pccs.yaml; # bring your own password file }; 
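Review bot: `nix.extra-substituters."https://nixsgx.cachix.org".key = …;` duplicates the entry the pccs module in this same patch adds whenever `pccs.enable = true;`, so one of the two copies should go — if the module keeps it, this host line is dead. `security.tpm2.enable = false;` and `security.tpm2.abrmd.enable = false;` on the attestation host need a why-comment (`# TPM disabled on this board: <reason>`), because the base module still installs `clevis`, `tpm2-pkcs11` and `tpm2-tools` here and a later reader will otherwise assume the defaults were dropped by accident.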
@@ -31,137 +42,7 @@ with lib.plusultra; services.aesmd.enable = true; - plusultra = { - pccs.enable = true; - pccs.secret = config.sops.secrets.pccs.path; - gui.enable = false; - nix-ld.enable = true; - nix.enable = true; - nix.extra-substituters = { - "https://nixsgx.cachix.org".key = "nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE="; - }; - }; - - boot = { - lanzaboote = { - enable = true; - pkiBundle = "/etc/secureboot"; - }; - tmp.cleanOnBoot = true; - loader = { - systemd-boot.enable = false; - efi.canTouchEfiVariables = true; - timeout = 2; - }; - initrd.systemd.enable = true; - kernelPackages = lib.mkOverride 0 pkgs.linuxPackages_latest; - }; - - - # Configure console keymap - console.keyMap = "us"; - i18n.extraLocaleSettings = { - LC_MESSAGES = "en_US.UTF-8"; - LC_TIME = "de_DE.UTF-8"; - }; - - environment = { - sessionVariables = { PATH = "$HOME/bin:$HOME/.cargo/bin"; }; - systemPackages = with pkgs; [ - age - bash - cachix - cifs-utils - clevis - delta - efibootmgr - git - git-delete-merged-branches - home-manager - htop - mosh - nixpkgs-fmt - openssl - restic - rrsync - sbctl - sops - strace - tmux - tpm2-pkcs11 - tpm2-pkcs11.out - tpm2-tools - vim - virt-manager - wget - ]; - shells = [ pkgs.fish pkgs.bash ]; - }; - - hardware = { - cpu = { - amd.updateMicrocode = lib.mkDefault true; - intel.updateMicrocode = lib.mkDefault true; - }; - enableRedistributableFirmware = lib.mkDefault true; - enableAllFirmware = true; - }; - - programs = { - dconf.enable = true; - bash = { - ## shellInit = '' - interactiveShellInit = '' - bind '"\e[A": history-search-backward' - bind '"\e[B": history-search-forward' - ''; - }; - starship.enable = true; - mosh.enable = true; - vim.defaultEditor = true; - fish.enable = true; - }; - powerManagement.cpuFreqGovernor = "ondemand"; - services = { - dbus.implementation = "broker"; - dbus.packages = [ pkgs.gcr ]; - fwupd.enable = true; - openssh = { - enable = true; - settings.PermitRootLogin = "prohibit-password"; 
- settings.X11Forwarding = true; - }; - }; - - security = { - sudo = { - enable = true; - wheelNeedsPassword = false; - }; - }; - system.stateVersion = "23.11"; - - time.timeZone = "Europe/Berlin"; - - users.users.root.openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNsmP15vH8BVKo7bdvIiiEjiQboPGcRPqJK0+bH4jKD harald@lenovo.fritz.box" - "sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBACLgT81iB1iWWVuXq6PdQ5GAAGhaZhSKnveQCvcNnAOZ5WKH80bZShKHyAYzrzbp8IGwLWJcZQ7TqRK+qZdfagAAAAEc3NoOg== harald@hoyer.xyz" - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDsb/Tr69YN5MQLweWPuJaRGm+h2kOyxfD6sqKEDTIwoAAAABHNzaDo= harald@fedora.fritz.box" - ]; - - virtualisation = { - podman = { - enable = true; - - # Create a `docker` alias for podman, to use it as a drop-in replacement - dockerCompat = true; - - # For Nixos version > 22.11 - defaultNetwork.settings = { dns_enabled = true; }; - }; - }; - } diff --git a/systems/x86_64-linux/x1/default.nix b/systems/x86_64-linux/x1/default.nix index 6806066..a63875f 100644 --- a/systems/x86_64-linux/x1/default.nix +++ b/systems/x86_64-linux/x1/default.nix @@ -2,11 +2,17 @@ with lib; with lib.plusultra; { - imports = - [ - # Include the results of the hardware scan. - ./hardware-configuration.nix - ]; + imports = [ ./hardware-configuration.nix ]; + + plusultra = { + base.enable = true; + gui.enable = true; + nix-ld.enable = true; + nix.enable = true; + nix.extra-substituters."https://nixsgx.cachix.org".key = "nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE="; + podman.enable = true; + secureboot.enable = true; + }; system.autoUpgrade = { enable = true; 
@@ -21,136 +27,5 @@ with lib.plusultra; flake = "git+https://git.hoyer.xyz/harald/nixcfg#x1"; }; - plusultra = { - gui.enable = true; - nix-ld.enable = true; - nix.enable = true; - nix.extra-substituters = { - "https://nixsgx.cachix.org".key = "nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE="; - }; - }; - - boot = { - lanzaboote = { - enable = true; - pkiBundle = "/etc/secureboot"; - }; - tmp.cleanOnBoot = true; - loader = { - systemd-boot.enable = false; - efi.canTouchEfiVariables = true; - timeout = 2; - }; - initrd.systemd.enable = true; - kernelPackages = lib.mkOverride 0 pkgs.linuxPackages_latest; - }; - - - # Configure console keymap - console.keyMap = "us"; - i18n.extraLocaleSettings = { - LC_MESSAGES = "en_US.UTF-8"; - LC_TIME = "de_DE.UTF-8"; - }; - - environment = { - sessionVariables = { PATH = "$HOME/bin:$HOME/.cargo/bin"; }; - systemPackages = with pkgs; [ - age - bash - cachix - cifs-utils - clevis - delta - efibootmgr - git - git-delete-merged-branches - home-manager - htop - mosh - nixpkgs-fmt - openssl - restic - rrsync - sbctl - sops - strace - tmux - tpm2-pkcs11 - tpm2-pkcs11.out - tpm2-tools - vim - virt-manager - wget - ]; - shells = [ pkgs.fish pkgs.bash ]; - }; - - hardware = { - cpu = { - amd.updateMicrocode = lib.mkDefault true; - intel.updateMicrocode = lib.mkDefault true; - }; - enableRedistributableFirmware = lib.mkDefault true; - enableAllFirmware = true; - }; - - programs = { - dconf.enable = true; - bash = { - ## shellInit = '' - interactiveShellInit = '' - bind '"\e[A": history-search-backward' - bind '"\e[B": history-search-forward' - ''; - }; - starship.enable = true; - mosh.enable = true; - vim.defaultEditor = true; - fish.enable = true; - }; - - # powerManagement.cpuFreqGovernor = "ondemand"; - - services = { - dbus.implementation = "broker"; - dbus.packages = [ pkgs.gcr ]; - fwupd.enable = true; - openssh = { - enable = true; - settings.PermitRootLogin = "prohibit-password"; - settings.X11Forwarding = true; - }; 
- }; - - security = { - tpm2.enable = lib.mkDefault true; - tpm2.abrmd.enable = lib.mkDefault true; - sudo = { - enable = true; - wheelNeedsPassword = false; - }; - }; - system.stateVersion = "23.11"; - - time.timeZone = "Europe/Berlin"; - - users.users.root.openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNsmP15vH8BVKo7bdvIiiEjiQboPGcRPqJK0+bH4jKD harald@lenovo.fritz.box" - "sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBACLgT81iB1iWWVuXq6PdQ5GAAGhaZhSKnveQCvcNnAOZ5WKH80bZShKHyAYzrzbp8IGwLWJcZQ7TqRK+qZdfagAAAAEc3NoOg== harald@hoyer.xyz" - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDsb/Tr69YN5MQLweWPuJaRGm+h2kOyxfD6sqKEDTIwoAAAABHNzaDo= harald@fedora.fritz.box" - ]; - - virtualisation = { - podman = { - enable = true; - - # Create a `docker` alias for podman, to use it as a drop-in replacement - dockerCompat = true; - - # For Nixos version > 22.11 - defaultNetwork.settings = { dns_enabled = true; }; - }; - }; }