Compare commits


3 commits

Author SHA1 Message Date
Harald Hoyer 9a36e90cd4 refactor and simplify
Signed-off-by: Harald Hoyer <harald@hoyer.xyz>
2024-03-06 15:36:02 +01:00
Harald Hoyer d0ad237493 sgx: add aesmd and refactor
Signed-off-by: Harald Hoyer <harald@hoyer.xyz>
2024-03-06 15:12:04 +01:00
Harald Hoyer 69f4e8bcf9 factor out nix-ld
Signed-off-by: Harald Hoyer <harald@hoyer.xyz>
2024-03-06 13:44:06 +01:00
12 changed files with 546 additions and 541 deletions


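--- a/<path not shown on page: lock file>
+++ b/<path not shown on page: lock file>
@@ -503,6 +503,22 @@
 "type": "github"
 }
 },
+"flake-compat_4": {
+"flake": false,
+"locked": {
+"lastModified": 1650374568,
+"narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
+"owner": "edolstra",
+"repo": "flake-compat",
+"rev": "b4a34015c698c7793d592d66adbab377907a2be8",
+"type": "github"
+},
+"original": {
+"owner": "edolstra",
+"repo": "flake-compat",
+"type": "github"
+}
+},
 "flake-parts": {
 "inputs": {
 "nixpkgs-lib": [
@@ -578,6 +594,24 @@
 "type": "github"
 }
 },
+"flake-utils-plus_2": {
+"inputs": {
+"flake-utils": "flake-utils_5"
+},
+"locked": {
+"lastModified": 1696331477,
+"narHash": "sha256-YkbRa/1wQWdWkVJ01JvV+75KIdM37UErqKgTf0L54Fk=",
+"owner": "gytis-ivaskevicius",
+"repo": "flake-utils-plus",
+"rev": "bfc53579db89de750b25b0c5e7af299e0c06d7d3",
+"type": "github"
+},
+"original": {
+"owner": "gytis-ivaskevicius",
+"repo": "flake-utils-plus",
+"type": "github"
+}
+},
 "flake-utils_2": {
 "inputs": {
 "systems": "systems_2"
@@ -629,6 +663,24 @@
 "type": "github"
 }
 },
+"flake-utils_5": {
+"inputs": {
+"systems": "systems_5"
+},
+"locked": {
+"lastModified": 1694529238,
+"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
+"owner": "numtide",
+"repo": "flake-utils",
+"rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
+"type": "github"
+},
+"original": {
+"owner": "numtide",
+"repo": "flake-utils",
+"type": "github"
+}
+},
 "flutter-tools": {
 "flake": false,
 "locked": {
@@ -1287,6 +1339,41 @@
 "type": "github"
 }
 },
+"nixpkgs_5": {
+"locked": {
+"lastModified": 1707091808,
+"narHash": "sha256-LahKBAfGbY836gtpVNnWwBTIzN7yf/uYM/S0g393r0Y=",
+"owner": "nixos",
+"repo": "nixpkgs",
+"rev": "9f2ee8c91ac42da3ae6c6a1d21555f283458247e",
+"type": "github"
+},
+"original": {
+"owner": "nixos",
+"ref": "nixos-23.11",
+"repo": "nixpkgs",
+"type": "github"
+}
+},
+"nixsgx-flake": {
+"inputs": {
+"nixpkgs": "nixpkgs_5",
+"snowfall-lib": "snowfall-lib"
+},
+"locked": {
+"lastModified": 1709040449,
+"narHash": "sha256-NDXSUI7GTCekniW52EBvi5PlzdQ37XkrIB1oH4GrUvM=",
+"owner": "matter-labs",
+"repo": "nixsgx",
+"rev": "2b11fbc725fbab3fbaef13490decd3f93c43ae07",
+"type": "github"
+},
+"original": {
+"owner": "matter-labs",
+"repo": "nixsgx",
+"type": "github"
+}
+},
 "nmd": {
 "flake": false,
 "locked": {
@@ -1890,7 +1977,8 @@
 "lanzaboote": "lanzaboote",
 "neovim-flake": "neovim-flake",
 "nixpkgs": "nixpkgs_4",
-"snowfall-lib": "snowfall-lib",
+"nixsgx-flake": "nixsgx-flake",
+"snowfall-lib": "snowfall-lib_2",
 "sops-nix": "sops-nix",
 "unstable": "unstable"
 }
@@ -1999,6 +2087,29 @@
 "inputs": {
 "flake-compat": "flake-compat_3",
 "flake-utils-plus": "flake-utils-plus",
+"nixpkgs": [
+"nixsgx-flake",
+"nixpkgs"
+]
+},
+"locked": {
+"lastModified": 1696432959,
+"narHash": "sha256-oJQZv2MYyJaVyVJY5IeevzqpGvMGKu5pZcCCJvb+xjc=",
+"owner": "snowfallorg",
+"repo": "lib",
+"rev": "92803a029b5314d4436a8d9311d8707b71d9f0b6",
+"type": "github"
+},
+"original": {
+"owner": "snowfallorg",
+"repo": "lib",
+"type": "github"
+}
+},
+"snowfall-lib_2": {
+"inputs": {
+"flake-compat": "flake-compat_4",
+"flake-utils-plus": "flake-utils-plus_2",
 "nixpkgs": [
 "nixpkgs"
 ]
@@ -2131,6 +2242,21 @@
 "type": "github"
 }
 },
+"systems_5": {
+"locked": {
+"lastModified": 1681028828,
+"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+"owner": "nix-systems",
+"repo": "default",
+"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+"type": "github"
+},
+"original": {
+"owner": "nix-systems",
+"repo": "default",
+"type": "github"
+}
+},
 "tabular": {
 "flake": false,
 "locked": {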


@ -28,6 +28,11 @@
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
nixsgx-flake = {
url = "github:matter-labs/nixsgx";
# inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = inputs:
@ -82,6 +87,10 @@
disko.nixosModules.disko
];
overlays = with inputs; [
nixsgx-flake.overlays.default
];
outputs-builder = channels: {
formatter = channels.nixpkgs.nixpkgs-fmt;
defaultApp = lib.flake-utils-plus.mkApp { drv = channels.nixpkgs.home-manager; };
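Review bot: The commented-out `# inputs.nixpkgs.follows = "nixpkgs";` on the new `nixsgx-flake` input gives no reason, and the effect is visible in the lock hunks: `nixsgx-flake` now locks its own `nixpkgs_5` (`nixos-23.11`) plus a second `snowfall-lib`, so that tree only picks up fixes when upstream nixsgx bumps its lock, independently of this flake's `nixpkgs`. If the follows is off because the overlay needs upstream's exact pin, say so next to it, e.g. `# nixpkgs.follows deliberately off: <reason>; note the extra nixpkgs_5 pin in flake.lock`; otherwise re-enable it so one flake update covers both. The `overlays` hunk applies `nixsgx-flake.overlays.default` to every channel, which is what lets the new sgx-psw overlay read `channels.nixpkgs.nixsgx`; the enclosing `outputs` expression continues outside the hunk.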


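--- /dev/null
+++ b/<path not shown on page: nix-ld module>
@@ -0,0 +1,134 @@
+{ options, config, lib, pkgs, ... }:
+with lib;
+with lib.plusultra;
+let cfg = config.plusultra.nix-ld;
+in
+{
+options.plusultra.nix-ld = with types; {
+enable = mkBoolOpt false "Whether or not to enable nix-ld.";
+};
+config = mkIf cfg.enable {
+programs.nix-ld.enable = true;
+# Sets up all the libraries to load
+programs.nix-ld.libraries = with pkgs; [
+SDL
+SDL2
+SDL2_image
+SDL2_mixer
+SDL2_ttf
+SDL_image
+SDL_mixer
+SDL_ttf
+alsa-lib
+at-spi2-atk
+at-spi2-core
+atk
+bzip2
+cairo
+cups
+curlWithGnuTls
+dbus
+dbus-glib
+desktop-file-utils
+e2fsprogs
+expat
+flac
+fontconfig
+freeglut
+freetype
+fribidi
+fuse
+fuse3
+gdk-pixbuf
+glew110
+glib
+gmp
+gst_all_1.gst-plugins-base
+gst_all_1.gst-plugins-ugly
+gst_all_1.gstreamer
+gtk2
+harfbuzz
+icu
+keyutils.lib
+libGL
+libGLU
+libappindicator-gtk2
+libcaca
+libcanberra
+libcap
+libclang.lib
+libdbusmenu
+libdrm
+libgcrypt
+libgpg-error
+libidn
+libjack2
+libjpeg
+libmikmod
+libogg
+libpng12
+libpulseaudio
+librsvg
+libsamplerate
+libthai
+libtheora
+libtiff
+libudev0-shim
+libusb1
+libuuid
+libvdpau
+libvorbis
+libvpx
+libxcrypt-legacy
+libxkbcommon
+libxml2
+mesa
+nspr
+nss
+openssl
+p11-kit
+pango
+pixman
+python3
+speex
+stdenv.cc.cc
+tbb
+udev
+vulkan-loader
+wayland
+xorg.libICE
+xorg.libSM
+xorg.libX11
+xorg.libXScrnSaver
+xorg.libXcomposite
+xorg.libXcursor
+xorg.libXdamage
+xorg.libXext
+xorg.libXfixes
+xorg.libXft
+xorg.libXi
+xorg.libXinerama
+xorg.libXmu
+xorg.libXrandr
+xorg.libXrender
+xorg.libXt
+xorg.libXtst
+xorg.libXxf86vm
+xorg.libpciaccess
+xorg.libxcb
+xorg.xcbutil
+xorg.xcbutilimage
+xorg.xcbutilkeysyms
+xorg.xcbutilrenderutil
+xorg.xcbutilwm
+xorg.xkeyboardconfig
+xz
+zlib
+];
+};
+}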
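Review bot: The list under `programs.nix-ld.libraries` is now shared by every host that sets `plusultra.nix-ld.enable`, but nothing says what it is for or which entries are there only for old binaries, and nix-ld makes all of them loadable by any non-Nix executable on the system. Entries such as `libpng12`, `gtk2`, `glew110` and `libxcrypt-legacy` are old-ABI packages kept in nixpkgs for compatibility, so they deserve a marker that lets them be dropped once no consumer needs them. Suggest replacing `# Sets up all the libraries to load` with `# Broad compat set exposed to foreign (non-Nix) binaries via nix-ld; libpng12, gtk2, glew110 and libxcrypt-legacy are legacy-ABI entries, remove when no longer needed`, and saying in the option description which kind of binaries the module is meant to serve.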


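--- /dev/null
+++ b/<path not shown on page: base module>
@@ -0,0 +1,120 @@
+{ options, config, lib, pkgs, ... }:
+with lib;
+with lib.plusultra;
+let cfg = config.plusultra.base;
+in
+{
+options.plusultra.base = with types; {
+enable = mkBoolOpt false "Whether or not to enable the base config.";
+};
+config = mkIf cfg.enable {
+# Configure console keymap
+console.keyMap = "us";
+i18n.extraLocaleSettings = {
+LC_MESSAGES = "en_US.UTF-8";
+LC_TIME = "de_DE.UTF-8";
+};
+environment = {
+sessionVariables = { PATH = "$HOME/bin:$HOME/.cargo/bin"; };
+systemPackages = with pkgs; [
+age
+bash
+cachix
+cifs-utils
+clevis
+delta
+efibootmgr
+git
+git-delete-merged-branches
+home-manager
+htop
+mosh
+nixpkgs-fmt
+openssl
+restic
+rrsync
+sbctl
+sops
+strace
+tmux
+tpm2-pkcs11
+tpm2-pkcs11.out
+tpm2-tools
+vim
+virt-manager
+wget
+];
+shells = [ pkgs.fish pkgs.bash ];
+};
+hardware = {
+cpu = {
+amd.updateMicrocode = lib.mkDefault true;
+intel.updateMicrocode = lib.mkDefault true;
+};
+enableRedistributableFirmware = lib.mkDefault true;
+enableAllFirmware = true;
+};
+programs = {
+dconf.enable = true;
+bash = {
+## shellInit = ''
+interactiveShellInit = ''
+bind '"\e[A": history-search-backward'
+bind '"\e[B": history-search-forward'
+'';
+};
+starship.enable = true;
+mosh.enable = true;
+vim.defaultEditor = true;
+fish.enable = true;
+};
+# powerManagement.cpuFreqGovernor = "ondemand";
+services = {
+dbus.implementation = "broker";
+dbus.packages = [ pkgs.gcr ];
+fwupd.enable = true;
+openssh = {
+enable = true;
+settings.PermitRootLogin = "prohibit-password";
+settings.X11Forwarding = true;
+};
+};
+security = {
+tpm2.enable = lib.mkDefault true;
+tpm2.abrmd.enable = lib.mkDefault true;
+sudo = {
+enable = true;
+wheelNeedsPassword = false;
+};
+};
+system.stateVersion = "23.11";
+time.timeZone = "Europe/Berlin";
+users.users.root.openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNsmP15vH8BVKo7bdvIiiEjiQboPGcRPqJK0+bH4jKD harald@lenovo.fritz.box"
+"sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBACLgT81iB1iWWVuXq6PdQ5GAAGhaZhSKnveQCvcNnAOZ5WKH80bZShKHyAYzrzbp8IGwLWJcZQ7TqRK+qZdfagAAAAEc3NoOg== harald@hoyer.xyz"
+"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDsb/Tr69YN5MQLweWPuJaRGm+h2kOyxfD6sqKEDTIwoAAAABHNzaDo= harald@fedora.fritz.box"
+];
+boot = {
+tmp.cleanOnBoot = true;
+loader = {
+systemd-boot.enable = false;
+efi.canTouchEfiVariables = true;
+timeout = 2;
+};
+initrd.systemd.enable = lib.mkDefault true;
+kernelPackages = lib.mkOverride 0 pkgs.linuxPackages_latest;
+};
+};
+}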
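Review bot: Two settings in this base module are pinned so hard that a host enabling `plusultra.base` cannot change them: `kernelPackages = lib.mkOverride 0 pkgs.linuxPackages_latest;` uses priority 0, which beats even `lib.mkForce`, and `loader.systemd-boot.enable = false;` appears to leave a host that does not also enable `plusultra.secureboot` without an EFI loader, while the secureboot module already does `lib.mkForce false` on that option itself. Suggest `kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;` and dropping the systemd-boot line from base. The fleet-wide security defaults moved here — `sudo.wheelNeedsPassword = false`, `openssh.settings.X11Forwarding = true`, `PermitRootLogin = "prohibit-password"` and the root `authorizedKeys` — would likewise read better as `lib.mkDefault` values with a comment saying they are meant to be tightened per host, and `hardware.enableAllFirmware = true;` is the one line in its group without the `lib.mkDefault` its neighbours carry.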


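--- /dev/null
+++ b/<path not shown on page: podman module>
@@ -0,0 +1,25 @@
+{ options, config, lib, pkgs, ... }:
+with lib;
+with lib.plusultra;
+let cfg = config.plusultra.podman;
+in
+{
+options.plusultra.podman = with types; {
+enable = mkBoolOpt false "Whether or not to enable podman.";
+};
+config = mkIf cfg.enable {
+virtualisation = {
+podman = {
+enable = true;
+# Create a `docker` alias for podman, to use it as a drop-in replacement
+dockerCompat = true;
+# For Nixos version > 22.11
+defaultNetwork.settings = { dns_enabled = true; };
+};
+};
+};
+}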


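--- /dev/null
+++ b/<path not shown on page: secureboot module>
@@ -0,0 +1,21 @@
+{ options, config, lib, pkgs, ... }:
+with lib;
+with lib.plusultra;
+let cfg = config.plusultra.secureboot;
+in
+{
+options.plusultra.secureboot = with types; {
+enable = mkBoolOpt false "Whether or not to enable secureboot.";
+};
+config = mkIf cfg.enable {
+boot = {
+lanzaboote = {
+enable = true;
+pkiBundle = "/etc/secureboot";
+};
+loader.systemd-boot.enable = lib.mkForce false;
+};
+};
+}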
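Review bot: The option text `"Whether or not to enable secureboot."` does not say that the module wires up lanzaboote and expects the signing keys at the hard-coded `pkiBundle = "/etc/secureboot"`, which is the one thing a new host has to prepare before flipping the switch. Suggest `mkBoolOpt false "Enable UEFI Secure Boot via lanzaboote; requires signing keys in /etc/secureboot."`, or a `pkiBundle` option with that default if hosts may keep their keys elsewhere.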


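--- /dev/null
+++ b/<path not shown on page: pccs module>
@@ -0,0 +1,69 @@
+{ options, config, lib, pkgs, ... }:
+with lib;
+with lib.plusultra;
+let
+cfg = config.plusultra.pccs;
+cfg_podman = config.plusultra.podman;
+in
+{
+options.plusultra.pccs = with types; {
+enable = mkBoolOpt false "Whether or not to enable a SGX-DCAP.";
+secret = mkOption {
+type = with types; nullOr path;
+default = null;
+example = literalExpression "config.sops.secrets.pccs.path";
+description = lib.mdDoc "path to the pccs secret file";
+};
+};
+config = mkIf cfg.enable {
+assertions = [
+{
+assertion = cfg.secret != null;
+message = "path to the pccs secret file is required when pccs is enabled";
+}
+{
+assertion = cfg_podman.enable;
+message = "podman must be enabled when pccs is enabled";
+}
+];
+plusultra = {
+nix.extra-substituters = {
+"https://nixsgx.cachix.org".key = "nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE=";
+};
+};
+virtualisation.oci-containers.backend = "podman";
+virtualisation.oci-containers.containers = {
+# podman run --pull=always --name pccs -it --rm -v /dev/log:/dev/log --secret PCCS_CONFIG,type=mount -p 8081:8081 registry.gitlab.com/haraldh/pccs:pccs_1_19
+pccs = {
+image = "docker.io/backslashhh/pccs:dcap_1_19";
+autoStart = true;
+ports = [ "8081:8081" ];
+extraOptions = [
+"--volume=/dev/log:/dev/log"
+"--secret=PCCS_CONFIG,type=mount"
+];
+};
+};
+systemd.services.pccs-secret =
+{
+description = "Inject pccs secret";
+wantedBy = [ "multi-user.target" ];
+before = [ "podman-pccs.service" ];
+serviceConfig = {
+EnvironmentFile = cfg.secret;
+ExecStart = ''
+-${pkgs.podman}/bin/podman secret create --env PCCS_CONFIG PCCS_CONFIG
+'';
+RemainAfterExit = true;
+};
+};
+};
+}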
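Review bot: The container at `image = "docker.io/backslashhh/pccs:dcap_1_19";` is pulled by a mutable tag from a personal Docker Hub namespace, and the `podman run` comment two lines above still names the old `registry.gitlab.com/haraldh/pccs:pccs_1_19`, so comment and code now disagree. For a service that serves SGX attestation collateral, a digest pin makes what actually runs reproducible and lets a later image change show up in review: `image = "docker.io/backslashhh/pccs@sha256:<digest of dcap_1_19>";` (placeholder), with the comment updated to the same reference. The `-` prefix on `ExecStart` in `pccs-secret` also swallows a failed `podman secret create`, so a missing or malformed `EnvironmentFile` only surfaces when `podman-pccs.service` starts without its secret; a one-line comment stating that the dash is there to tolerate an already-existing secret would make the intent clear. `ports = [ "8081:8081" ]` binds on every interface, which is worth a comment if that exposure is intended, and the option description `"Whether or not to enable a SGX-DCAP."` would read better as `"Whether or not to enable the SGX DCAP PCCS container."`.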


@ -1,7 +1,5 @@
{ channels, ... }:
final: prev:
{
inherit (channels.unstable) jetbrains-toolbox;
}


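--- /dev/null
+++ b/<path not shown on page: sgx-psw overlay>
@@ -0,0 +1,5 @@
+{ channels, ... }:
+final: prev:
+{
+inherit (channels.nixpkgs.nixsgx) sgx-psw;
+}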


@ -2,13 +2,19 @@
with lib;
with lib.plusultra;
{
imports =
[
# Include the results of the hardware scan.
./hardware-configuration.nix
];
imports = [ ./hardware-configuration.nix ];
networking.hostName = "sgx"; # Define your hostname.
plusultra = {
base.enable = true;
gui.enable = false;
nix-ld.enable = true;
nix.enable = true;
nix.extra-substituters."https://nixsgx.cachix.org".key = "nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE=";
pccs.enable = true;
pccs.secret = config.sops.secrets.pccs.path;
podman.enable = true;
secureboot.enable = true;
};
system.autoUpgrade = {
enable = true;
@ -23,288 +29,20 @@ with lib.plusultra;
flake = "git+https://git.hoyer.xyz/harald/nixcfg#sgx";
};
networking.hostName = "sgx"; # Define your hostname.
security.tpm2.enable = false;
security.tpm2.abrmd.enable = false;
sops.secrets.pccs = {
sopsFile = ../../../.secrets/sgx/pccs.yaml; # bring your own password file
};
networking.wireless.enable = false; # Enables wireless support via wpa_supplicant.
plusultra.gui.enable = false;
plusultra.nix.enable = true;
plusultra.nix.extra-substituters = {
"https://nixsgx.cachix.org".key = "nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE=";
};
boot = {
lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
};
tmp.cleanOnBoot = true;
loader = {
systemd-boot.enable = false;
efi.canTouchEfiVariables = true;
timeout = 2;
};
initrd.systemd.enable = true;
kernelPackages = lib.mkOverride 0 pkgs.linuxPackages_latest;
};
# Configure console keymap
console.keyMap = "us";
i18n.extraLocaleSettings = {
LC_MESSAGES = "en_US.UTF-8";
LC_TIME = "de_DE.UTF-8";
};
environment = {
sessionVariables = { PATH = "$HOME/bin:$HOME/.cargo/bin"; };
systemPackages = with pkgs; [
age
bash
cachix
cifs-utils
clevis
delta
efibootmgr
git
git-delete-merged-branches
home-manager
htop
mosh
nixpkgs-fmt
openssl
restic
rrsync
sbctl
sops
strace
tmux
tpm2-pkcs11
tpm2-pkcs11.out
tpm2-tools
vim
virt-manager
wget
];
shells = [ pkgs.fish pkgs.bash ];
};
hardware = {
cpu = {
amd.updateMicrocode = lib.mkDefault true;
intel.updateMicrocode = lib.mkDefault true;
};
enableRedistributableFirmware = lib.mkDefault true;
enableAllFirmware = true;
};
programs = {
dconf.enable = true;
bash = {
## shellInit = ''
interactiveShellInit = ''
bind '"\e[A": history-search-backward'
bind '"\e[B": history-search-forward'
'';
};
starship.enable = true;
mosh.enable = true;
vim.defaultEditor = true;
fish.enable = true;
};
services.aesmd.enable = true;
powerManagement.cpuFreqGovernor = "ondemand";
services = {
dbus.implementation = "broker";
dbus.packages = [ pkgs.gcr ];
fwupd.enable = true;
openssh = {
enable = true;
settings.PermitRootLogin = "prohibit-password";
settings.X11Forwarding = true;
};
};
security = {
sudo = {
enable = true;
wheelNeedsPassword = false;
};
};
system.stateVersion = "23.11";
time.timeZone = "Europe/Berlin";
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNsmP15vH8BVKo7bdvIiiEjiQboPGcRPqJK0+bH4jKD harald@lenovo.fritz.box"
"sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBACLgT81iB1iWWVuXq6PdQ5GAAGhaZhSKnveQCvcNnAOZ5WKH80bZShKHyAYzrzbp8IGwLWJcZQ7TqRK+qZdfagAAAAEc3NoOg== harald@hoyer.xyz"
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDsb/Tr69YN5MQLweWPuJaRGm+h2kOyxfD6sqKEDTIwoAAAABHNzaDo= harald@fedora.fritz.box"
];
virtualisation = {
podman = {
enable = true;
# Create a `docker` alias for podman, to use it as a drop-in replacement
dockerCompat = true;
# For Nixos version > 22.11
defaultNetwork.settings = { dns_enabled = true; };
};
};
virtualisation.oci-containers.backend = "podman";
virtualisation.oci-containers.containers = {
# podman run --pull=always --name pccs -it --rm -v /dev/log:/dev/log --secret PCCS_CONFIG,type=mount -p 8081:8081 registry.gitlab.com/haraldh/pccs:dcap_1_19
pccs = {
image = "registry.gitlab.com/haraldh/pccs:dcap_1_19";
autoStart = true;
ports = [ "8081:8081" ];
extraOptions = [
"--volume=/dev/log:/dev/log"
"--secret=PCCS_CONFIG,type=mount"
];
};
};
systemd.services.pccs-secret =
{
description = "Inject pccs secret";
wantedBy = [ "multi-user.target" ];
before = [ "podman-pccs.service" ];
serviceConfig = {
EnvironmentFile = config.sops.secrets.pccs.path;
ExecStart = ''
-${pkgs.podman}/bin/podman secret create --env PCCS_CONFIG PCCS_CONFIG
'';
RemainAfterExit = true;
};
};
programs.nix-ld.enable = true;
# Sets up all the libraries to load
programs.nix-ld.libraries = with pkgs; [
SDL
SDL2
SDL2_image
SDL2_mixer
SDL2_ttf
SDL_image
SDL_mixer
SDL_ttf
alsa-lib
at-spi2-atk
at-spi2-core
atk
bzip2
cairo
cups
curlWithGnuTls
dbus
dbus-glib
desktop-file-utils
e2fsprogs
expat
flac
fontconfig
freeglut
freetype
fribidi
fuse
fuse3
gdk-pixbuf
glew110
glib
gmp
gst_all_1.gst-plugins-base
gst_all_1.gst-plugins-ugly
gst_all_1.gstreamer
gtk2
harfbuzz
icu
keyutils.lib
libGL
libGLU
libappindicator-gtk2
libcaca
libcanberra
libcap
libclang.lib
libdbusmenu
libdrm
libgcrypt
libgpg-error
libidn
libjack2
libjpeg
libmikmod
libogg
libpng12
libpulseaudio
librsvg
libsamplerate
libthai
libtheora
libtiff
libudev0-shim
libusb1
libuuid
libvdpau
libvorbis
libvpx
libxcrypt-legacy
libxkbcommon
libxml2
mesa
nspr
nss
openssl
p11-kit
pango
pixman
python3
speex
stdenv.cc.cc
tbb
udev
vulkan-loader
wayland
xorg.libICE
xorg.libSM
xorg.libX11
xorg.libXScrnSaver
xorg.libXcomposite
xorg.libXcursor
xorg.libXdamage
xorg.libXext
xorg.libXfixes
xorg.libXft
xorg.libXi
xorg.libXinerama
xorg.libXmu
xorg.libXrandr
xorg.libXrender
xorg.libXt
xorg.libXtst
xorg.libXxf86vm
xorg.libpciaccess
xorg.libxcb
xorg.xcbutil
xorg.xcbutilimage
xorg.xcbutilkeysyms
xorg.xcbutilrenderutil
xorg.xcbutilwm
xorg.xkeyboardconfig
xz
zlib
];
}
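Review bot: `services.aesmd.enable = true;` is added without anything showing how aesmd is meant to obtain quoting collateral; if it should use the PCCS container this host runs via `plusultra.pccs`, that link is not configured in this hunk, and if it talks to another PCCS a comment naming it would save the next reader a guess. `security.tpm2.enable = false;` and `security.tpm2.abrmd.enable = false;` override the `lib.mkDefault true` that now comes from the base module without saying why — `# no usable TPM on this host` or whatever the reason is belongs next to them. In the first hunk, `nix.extra-substituters."https://nixsgx.cachix.org".key = …` repeats the value the pccs module already sets under `plusultra.nix.extra-substituters`, so one of the two copies can go.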


@ -5,7 +5,8 @@
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "uas" "sd_mod" ];
@ -16,19 +17,20 @@
boot.extraModprobeConfig = "options kvm_intel nested=1";
fileSystems."/" =
{ device = "/dev/disk/by-uuid/7aa17b01-785e-41c6-9723-79195af906c6";
{
device = "/dev/disk/by-uuid/7aa17b01-785e-41c6-9723-79195af906c6";
fsType = "btrfs";
options = [ "subvol=@" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/C902-1AF5";
{
device = "/dev/disk/by-uuid/C902-1AF5";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/72d061d7-ab18-47b9-beb1-1c465dda1be9"; }
];
[{ device = "/dev/disk/by-uuid/72d061d7-ab18-47b9-beb1-1c465dda1be9"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's


@ -2,11 +2,17 @@
with lib;
with lib.plusultra;
{
imports =
[
# Include the results of the hardware scan.
./hardware-configuration.nix
];
imports = [ ./hardware-configuration.nix ];
plusultra = {
base.enable = true;
gui.enable = true;
nix-ld.enable = true;
nix.enable = true;
nix.extra-substituters."https://nixsgx.cachix.org".key = "nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE=";
podman.enable = true;
secureboot.enable = true;
};
system.autoUpgrade = {
enable = true;
@ -21,253 +27,5 @@ with lib.plusultra;
flake = "git+https://git.hoyer.xyz/harald/nixcfg#x1";
};
plusultra.gui.enable = true;
plusultra.nix.enable = true;
plusultra.nix.extra-substituters = {
"https://nixsgx.cachix.org".key = "nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE=";
};
boot = {
lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
};
tmp.cleanOnBoot = true;
loader = {
systemd-boot.enable = false;
efi.canTouchEfiVariables = true;
timeout = 2;
};
initrd.systemd.enable = true;
kernelPackages = lib.mkOverride 0 pkgs.linuxPackages_latest;
};
# Configure console keymap
console.keyMap = "us";
i18n.extraLocaleSettings = {
LC_MESSAGES = "en_US.UTF-8";
LC_TIME = "de_DE.UTF-8";
};
environment = {
sessionVariables = { PATH = "$HOME/bin:$HOME/.cargo/bin"; };
systemPackages = with pkgs; [
age
bash
cachix
cifs-utils
clevis
delta
efibootmgr
git
git-delete-merged-branches
home-manager
htop
mosh
nixpkgs-fmt
openssl
restic
rrsync
sbctl
sops
strace
tmux
tpm2-pkcs11
tpm2-pkcs11.out
tpm2-tools
vim
virt-manager
wget
];
shells = [ pkgs.fish pkgs.bash ];
};
hardware = {
cpu = {
amd.updateMicrocode = lib.mkDefault true;
intel.updateMicrocode = lib.mkDefault true;
};
enableRedistributableFirmware = lib.mkDefault true;
enableAllFirmware = true;
};
programs = {
dconf.enable = true;
bash = {
## shellInit = ''
interactiveShellInit = ''
bind '"\e[A": history-search-backward'
bind '"\e[B": history-search-forward'
'';
};
starship.enable = true;
mosh.enable = true;
vim.defaultEditor = true;
fish.enable = true;
};
# powerManagement.cpuFreqGovernor = "ondemand";
services = {
dbus.implementation = "broker";
dbus.packages = [ pkgs.gcr ];
fwupd.enable = true;
openssh = {
enable = true;
settings.PermitRootLogin = "prohibit-password";
settings.X11Forwarding = true;
};
};
security = {
tpm2.enable = lib.mkDefault true;
tpm2.abrmd.enable = lib.mkDefault true;
sudo = {
enable = true;
wheelNeedsPassword = false;
};
};
system.stateVersion = "23.11";
time.timeZone = "Europe/Berlin";
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNsmP15vH8BVKo7bdvIiiEjiQboPGcRPqJK0+bH4jKD harald@lenovo.fritz.box"
"sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBACLgT81iB1iWWVuXq6PdQ5GAAGhaZhSKnveQCvcNnAOZ5WKH80bZShKHyAYzrzbp8IGwLWJcZQ7TqRK+qZdfagAAAAEc3NoOg== harald@hoyer.xyz"
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDsb/Tr69YN5MQLweWPuJaRGm+h2kOyxfD6sqKEDTIwoAAAABHNzaDo= harald@fedora.fritz.box"
];
virtualisation = {
podman = {
enable = true;
# Create a `docker` alias for podman, to use it as a drop-in replacement
dockerCompat = true;
# For Nixos version > 22.11
defaultNetwork.settings = { dns_enabled = true; };
};
};
programs.nix-ld.enable = true;
# Sets up all the libraries to load
programs.nix-ld.libraries = with pkgs; [
SDL
SDL2
SDL2_image
SDL2_mixer
SDL2_ttf
SDL_image
SDL_mixer
SDL_ttf
alsa-lib
at-spi2-atk
at-spi2-core
atk
bzip2
cairo
cups
curlWithGnuTls
dbus
dbus-glib
desktop-file-utils
e2fsprogs
expat
flac
fontconfig
freeglut
freetype
fribidi
fuse
fuse3
gdk-pixbuf
glew110
glib
gmp
gst_all_1.gst-plugins-base
gst_all_1.gst-plugins-ugly
gst_all_1.gstreamer
gtk2
harfbuzz
icu
keyutils.lib
libGL
libGLU
libappindicator-gtk2
libcaca
libcanberra
libcap
libclang.lib
libdbusmenu
libdrm
libgcrypt
libgpg-error
libidn
libjack2
libjpeg
libmikmod
libogg
libpng12
libpulseaudio
librsvg
libsamplerate
libthai
libtheora
libtiff
libudev0-shim
libusb1
libuuid
libvdpau
libvorbis
libvpx
libxcrypt-legacy
libxkbcommon
libxml2
mesa
nspr
nss
openssl
p11-kit
pango
pixman
python3
speex
stdenv.cc.cc
tbb
udev
vulkan-loader
wayland
xorg.libICE
xorg.libSM
xorg.libX11
xorg.libXScrnSaver
xorg.libXcomposite
xorg.libXcursor
xorg.libXdamage
xorg.libXext
xorg.libXfixes
xorg.libXft
xorg.libXi
xorg.libXinerama
xorg.libXmu
xorg.libXrandr
xorg.libXrender
xorg.libXt
xorg.libXtst
xorg.libXxf86vm
xorg.libpciaccess
xorg.libxcb
xorg.xcbutil
xorg.xcbutilimage
xorg.xcbutilkeysyms
xorg.xcbutilrenderutil
xorg.xcbutilwm
xorg.xkeyboardconfig
xz
zlib
];
}