From 1cd5c82dc5ef65ccf12ec62f1a58655af2ef6404 Mon Sep 17 00:00:00 2001 From: Natsu Kagami Date: Wed, 30 Aug 2023 23:53:14 +0200 Subject: [PATCH] Init yoga with secure boot --- flake.lock | 251 +++++++++++++++++++++-- flake.nix | 43 ++-- home/modules/linux/graphical/default.nix | 19 +- home/nki-x1c1.nix | 24 ++- modules/common/linux/default.nix | 2 + nki-yoga-g8/configuration.nix | 93 +++++++++ nki-yoga-g8/hardware-configuration.nix | 48 +++++ 7 files changed, 437 insertions(+), 43 deletions(-) create mode 100644 nki-yoga-g8/configuration.nix create mode 100644 nki-yoga-g8/hardware-configuration.nix diff --git a/flake.lock b/flake.lock index 4ab50b7..55bc6a1 100644 --- a/flake.lock +++ b/flake.lock @@ -92,6 +92,39 @@ "type": "github" } }, + "crane_3": { + "inputs": { + "flake-compat": [ + "lanzaboote", + "flake-compat" + ], + "flake-utils": [ + "lanzaboote", + "flake-utils" + ], + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ], + "rust-overlay": [ + "lanzaboote", + "rust-overlay" + ] + }, + "locked": { + "lastModified": 1681177078, + "narHash": "sha256-ZNIjBDou2GOabcpctiQykEQVkI8BDwk7TyvlWlI4myE=", + "owner": "ipetkov", + "repo": "crane", + "rev": "0c9f468ff00576577d83f5019a66c557ede5acf6", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, "darwin": { "inputs": { "nixpkgs": [ @@ -223,6 +256,22 @@ } }, "flake-compat_4": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_5": { "locked": { "lastModified": 1688025799, "narHash": "sha256-ktpB4dRtnksm9F5WawoIkEneh1nrEvuxb5lJFt1iOyw=", 
@@ -237,7 +286,7 @@ "type": "github" } }, - "flake-compat_5": { + "flake-compat_6": { "flake": false, "locked": { "lastModified": 1673956053, @@ -274,6 +323,27 @@ "type": "github" } }, + "flake-parts_2": { + "inputs": { + "nixpkgs-lib": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1680392223, + "narHash": "sha256-n3g7QFr85lDODKt250rkZj2IFS3i4/8HBU2yKHO3tqw=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "dcc36e45d054d7bb554c9cdab69093debd91a0b5", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, "flake-utils": { "inputs": { "systems": "systems" @@ -341,12 +411,15 @@ } }, "flake-utils_5": { + "inputs": { + "systems": "systems_3" + }, "locked": { - "lastModified": 1676283394, - "narHash": "sha256-XX2f9c3iySLCw54rJ/CZs+ZK6IQy7GXNY4nSOyu2QG4=", + "lastModified": 1681202837, + "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", "owner": "numtide", "repo": "flake-utils", - "rev": "3db36a8b464d0c4532ba1c7dda728f4576d6d073", + "rev": "cfacdce06f30d2b68473a46042957675eebb3401", "type": "github" }, "original": { @@ -357,11 +430,11 @@ }, "flake-utils_6": { "locked": { - "lastModified": 1659877975, - "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", + "lastModified": 1676283394, + "narHash": "sha256-XX2f9c3iySLCw54rJ/CZs+ZK6IQy7GXNY4nSOyu2QG4=", "owner": "numtide", "repo": "flake-utils", - "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0", + "rev": "3db36a8b464d0c4532ba1c7dda728f4576d6d073", "type": "github" }, "original": { 
@@ -385,6 +458,43 @@ "type": "github" } }, + "flake-utils_8": { + "locked": { + "lastModified": 1659877975, + "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "pre-commit-hooks-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1660459072, + "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, "haskell-flake": { "locked": { "lastModified": 1675296942, @@ -454,9 +564,36 @@ "type": "github" } }, + "lanzaboote": { + "inputs": { + "crane": "crane_3", + "flake-compat": "flake-compat_4", + "flake-parts": "flake-parts_2", + "flake-utils": "flake-utils_5", + "nixpkgs": [ + "nixpkgs" + ], + "pre-commit-hooks-nix": "pre-commit-hooks-nix", + "rust-overlay": "rust-overlay_3" + }, + "locked": { + "lastModified": 1682802423, + "narHash": "sha256-Fb5TeRTdvUlo/5Yi2d+FC8a6KoRLk2h1VE0/peMhWPs=", + "owner": "nix-community", + "repo": "lanzaboote", + "rev": "64b903ca87d18cef2752c19c098af275c6e51d63", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "v0.3.0", + "repo": "lanzaboote", + "type": "github" + } + }, "mpd-mpris": { "inputs": { - "flake-utils": "flake-utils_5", + "flake-utils": "flake-utils_6", "nixpkgs": [ "nixpkgs" ] @@ -520,11 +657,11 @@ }, "nixos-m1": { "inputs": { - "flake-compat": "flake-compat_4", + "flake-compat": "flake-compat_5", "nixpkgs": [ "nixpkgs" ], - "rust-overlay": "rust-overlay_3" + "rust-overlay": "rust-overlay_4" }, "locked": { "lastModified": 1693064156, 
@@ -556,6 +693,22 @@ "type": "github" } }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1678872516, + "narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "9b8e5abb18324c7fe9f07cb100c3cd4a29cda8b8", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-22.11", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs-unstable": { "locked": { "lastModified": 1691464053, @@ -683,6 +836,37 @@ "type": "github" } }, + "pre-commit-hooks-nix": { + "inputs": { + "flake-compat": [ + "lanzaboote", + "flake-compat" + ], + "flake-utils": [ + "lanzaboote", + "flake-utils" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1681413034, + "narHash": "sha256-/t7OjNQcNkeWeSq/CFLYVBfm+IEnkjoSm9iKvArnUUI=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "d3de8f69ca88fb6f8b09e5b598be5ac98d28ede5", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "rnix-lsp": { "inputs": { "naersk": "naersk", @@ -715,6 +899,7 @@ "home-manager": "home-manager", "kak-lsp": "kak-lsp", "kakoune": "kakoune", + "lanzaboote": "lanzaboote", "mpd-mpris": "mpd-mpris", "nixos-m1": "nixos-m1", "nixpkgs": "nixpkgs_5", @@ -797,6 +982,31 @@ } }, "rust-overlay_3": { + "inputs": { + "flake-utils": [ + "lanzaboote", + "flake-utils" + ], + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1682129965, + "narHash": "sha256-1KRPIorEL6pLpJR04FwAqqnt4Tzcm4MqD84yhlD+XSk=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "2c417c0460b788328220120c698630947547ee83", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, + "rust-overlay_4": { "flake": false, "locked": { "lastModified": 1686795910, 
@@ -814,7 +1024,7 @@
 },
 "secrets": {
 "inputs": {
- "flake-utils": "flake-utils_6"
+ "flake-utils": "flake-utils_7"
 },
 "locked": {
 "lastModified": 1686133200,
@@ -855,7 +1065,7 @@
 },
 "swayfx": {
 "inputs": {
- "flake-compat": "flake-compat_5",
+ "flake-compat": "flake-compat_6",
 "nixpkgs": [
 "nixpkgs"
 ]
@@ -904,6 +1114,21 @@
 "type": "github"
 }
 },
+ "systems_3": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
+ },
 "utils": {
 "locked": {
 "lastModified": 1667395993,
@@ -936,7 +1161,7 @@
 },
 "youmubot": {
 "inputs": {
- "flake-utils": "flake-utils_7",
+ "flake-utils": "flake-utils_8",
 "naersk": "naersk_2",
 "nixpkgs": "nixpkgs_7"
 },
diff --git a/flake.nix b/flake.nix
index fd70009..56e539f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -14,6 +14,12 @@
 deploy-rs.url = "github:Serokell/deploy-rs";
 nur.url = "github:nix-community/NUR";
 
+ # --- Secure boot
+ lanzaboote = {
+ url = github:nix-community/lanzaboote/v0.3.0;
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
 # --- Build tools
 flake-utils.url = github:numtide/flake-utils;
 crane.url = github:ipetkov/crane;
@@ -137,20 +143,29 @@
 }
 ];
 };
- # x1c1 configuration
- # nixosConfigurations."nki-x1c1" = nixpkgs.lib.nixosSystem rec {
- # system = "x86_64-linux";
- # modules = [
- # (common-nixos nixpkgs)
- # ./nki-x1c1/configuration.nix
- # home-manager.nixosModules.home-manager
- # {
- # home-manager.useGlobalPkgs = true;
- # home-manager.useUserPackages = true;
- # home-manager.users.nki = import ./home/nki-x1c1.nix;
- # }
- # ];
- # };
+ # yoga g8 configuration
+ nixosConfigurations."nki-yoga-g8" = nixpkgs.lib.nixosSystem rec {
+ system = "x86_64-linux";
+ modules = [
+ (common-nixos nixpkgs)
+ inputs.lanzaboote.nixosModules.lanzaboote
+ ({ ... }: {
+ # Sets up secure boot
+ boot.loader.systemd-boot.enable = lib.mkForce false;
+ boot.lanzaboote = {
+ enable = true;
+ pkiBundle = "/etc/secureboot";
+ };
+ })
+ ./nki-yoga-g8/configuration.nix
+ home-manager.nixosModules.home-manager
+ {
+ home-manager.useGlobalPkgs = true;
+ home-manager.useUserPackages = true;
+ home-manager.users.nki = import ./home/nki-x1c1.nix;
+ }
+ ];
+ };
 # macbook nixos
 nixosConfigurations."kagami-air-m1" = inputs.nixpkgs.lib.nixosSystem rec {
 system = "aarch64-linux";
diff --git a/home/modules/linux/graphical/default.nix b/home/modules/linux/graphical/default.nix
index b91269c..567284a 100644
--- a/home/modules/linux/graphical/default.nix
+++ b/home/modules/linux/graphical/default.nix
@@ -25,6 +25,11 @@ in
 description = "List of packages to include in ~/.config/autostart";
 default = [ ];
 };
+ defaults.webBrowser = mkOption {
+ type = types.str;
+ default = "firefox.desktop";
+ description = "Desktop file of the default web browser";
+ };
 };
 config = mkIf (cfg.type != null) {
 # Packages
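Review bot: The `boot.lanzaboote` block turns on UKI signing with `pkiBundle = "/etc/secureboot"`, but enforcement depends on steps this commit does not record: the key bundle has to exist at that path before the build (lanzaboote, as far as I recall, expects the sbctl layout) and the keys must be enrolled in the firmware from Setup Mode — until then signed images are produced while the firmware still accepts unsigned loaders, so `# Sets up secure boot` promises more than the configuration can guarantee. I would expand the comment to `# Signs the UKI with keys from /etc/secureboot (created with sbctl); Secure Boot only enforces once those keys are enrolled in the firmware`. That directory holds the private db/KEK/PK keys; hardware-configuration.nix in this commit appears to put root on a LUKS device (the `nixroot` mapping), so they are likely encrypted at rest, but nothing here constrains the directory's permissions, which is worth checking on the host. Minor: the inline module uses `lib.mkForce` without declaring `lib` in its argument set and so relies on an outer binding; `({ lib, ... }: {` keeps it self-contained.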
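Review bot: `defaults.webBrowser` is declared as `types.str`, so any string is accepted even though every consumer in this file (the mimeapps entries changed in the next hunk) expects a `.desktop` file name; a value such as `"librewolf"` would be written into mimeapps.list and silently fail to resolve. A narrower type catches that at evaluation time: `type = types.strMatching "[^/]+\\.desktop";`. If the value is meant to be a bare desktop-file name looked up in the XDG applications directories rather than a path, the description should say so — I cannot confirm the intent from this hunk alone.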
@@ -81,13 +86,13 @@ in
 "x-scheme-handler/mailto" = [ "org.gnome.Evolution.desktop" ];
 
 # Default web browser stuff
- "text/html" = [ "firefox.desktop" ];
- "x-scheme-handler/about" = [ "firefox.desktop" ];
- "x-scheme-handler/unknown" = [ "firefox.desktop" ];
- "x-scheme-handler/http" = [ "firefox.desktop" ];
- "x-scheme-handler/https" = [ "firefox.desktop" ];
- "x-scheme-handler/ftp" = [ "firefox.desktop" ];
- "x-scheme-handler/ftps" = [ "firefox.desktop" ];
+ "text/html" = [ cfg.defaults.webBrowser ];
+ "x-scheme-handler/about" = [ cfg.defaults.webBrowser ];
+ "x-scheme-handler/unknown" = [ cfg.defaults.webBrowser ];
+ "x-scheme-handler/http" = [ cfg.defaults.webBrowser ];
+ "x-scheme-handler/https" = [ cfg.defaults.webBrowser ];
+ "x-scheme-handler/ftp" = [ cfg.defaults.webBrowser ];
+ "x-scheme-handler/ftps" = [ cfg.defaults.webBrowser ];
 
 # Torrent
 "application/x-bittorrent" = [ "deluge.desktop" ];
diff --git a/home/nki-x1c1.nix b/home/nki-x1c1.nix
index 4e80b76..d9439a4 100644
--- a/home/nki-x1c1.nix
+++ b/home/nki-x1c1.nix
@@ -31,18 +31,24 @@
 # Graphical set up
 linux.graphical.type = "wayland";
 linux.graphical.wallpaper = ./images/wallpaper_0.png;
+ linux.graphical.defaults.webBrowser = "librewolf.desktop";
 # Enable sway
 programs.my-sway.enable = true;
 programs.my-sway.fontSize = 14.0;
 programs.my-sway.terminal = "${config.programs.kitty.package}/bin/kitty";
+ programs.my-sway.browser = "librewolf";
 # Keyboard support
 wayland.windowManager.sway.config = {
+ input."*".xkb_layout = "jp";
 input."1278:34:HHKB-Hybrid_3_Keyboard".xkb_layout = "jp";
 input."1:1:AT_Translated_Set_2_keyboard" = {
 xkb_options = "ctrl:swapcaps";
- xkb_layout = "us";
+ # xkb_layout = "us";
 };
 };
+ # input-remapping
+ xdg.configFile."autostart/input-remapper-autoload.desktop".source =
+ "${pkgs.input-remapper}/share/applications/input-remapper-autoload.desktop";
 # Kitty
 nki.programs.kitty = {
 enable = true;
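Review bot: This home file keeps the `nki-x1c1` name while flake.nix in the same commit drops the x1c1 host and imports it for `nki-yoga-g8`, and the edits here (`input."*".xkb_layout = "jp"`, the commented-out `xkb_layout = "us"` for the built-in keyboard) are machine-specific, so the file name now misdescribes what it configures. Rename it to `home/nki-yoga-g8.nix` (updating the import in flake.nix) or add a header such as `# Home config for nki-yoga-g8 (formerly nki-x1c1)`. Either delete the dead `# xkb_layout = "us";` line or note why the built-in keyboard should now inherit the `jp` wildcard, since a later reader cannot tell whether it was disabled on purpose. The `input-remapper-autoload.desktop` autostart entry only does anything when the system-side `services.input-remapper` daemon is enabled — the Yoga configuration.nix in this commit does that, but nothing in the home file records the dependency, so a one-line comment pointing at it would help.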
@@ -50,14 +56,14 @@
 };
 
 # Multiple screen setup
- services.kanshi = {
- enable = true;
- profiles.undocked.outputs = [{ criteria = "LVDS-1"; }];
- profiles.docked-hdmi.outputs = [
- { criteria = "LVDS-1"; status = "disable"; }
- { criteria = "HDMI-A-1"; }
- ];
- };
+ # services.kanshi = {
+ # enable = true;
+ # profiles.undocked.outputs = [{ criteria = "LVDS-1"; }];
+ # profiles.docked-hdmi.outputs = [
+ # # { criteria = "LVDS-1"; status = "disable"; }
+ # { criteria = "HDMI-A-1"; }
+ # ];
+ # };
 
 # This value determines the Home Manager release that your
 # configuration is compatible with. This helps avoid breakage
diff --git a/modules/common/linux/default.nix b/modules/common/linux/default.nix
index fa5d86d..eeb69bc 100644
--- a/modules/common/linux/default.nix
+++ b/modules/common/linux/default.nix
@@ -17,6 +17,7 @@ let
 systemd.network.networks."05-ios-tethering" = {
 matchConfig.Driver = "ipheth";
 networkConfig.DHCP = "yes";
+ linkConfig.RequiredForOnline = "no";
 };
 };
 
@@ -158,6 +159,7 @@ in
 
 ## Network configuration
 systemd.network.enable = true;
+ systemd.network.wait-online.enable = false;
 networking.hostName = cfg.networking.hostname;
 networking.wireless.iwd.enable = true;
 systemd.network.networks = builtins.mapAttrs
diff --git a/nki-yoga-g8/configuration.nix b/nki-yoga-g8/configuration.nix
new file mode 100644
index 0000000..386fa08
--- /dev/null
+++ b/nki-yoga-g8/configuration.nix
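Review bot: `systemd.network.wait-online.enable = false` lands in the shared `modules/common/linux` module, so it disables the online wait for every host that imports it, not just the new Yoga, and any unit on those hosts ordered after `network-online.target` will now start before an address is configured. The first hunk already marks the iPhone-tethering link `RequiredForOnline = "no"`, which is the usual fix when one optional link keeps wait-online from completing; if that was the cause, the global disable is redundant, and if the goal is only to avoid boot delays on laptops, `systemd.network.wait-online.anyInterface = true` (where the nixpkgs in use provides it) is the narrower knob. If the blanket disable is intended, record the trade-off next to it, e.g. `# wait-online disabled: laptops often boot with no link; units that need the network must cope with it being down`.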
@@ -0,0 +1,93 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, lib, ... }:
+
+{
+ imports =
+ [
+ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ # Fonts
+ ../modules/personal/fonts
+ # Encrypted DNS
+ ../modules/services/edns
+ ];
+
+ services.xserver.desktopManager.plasma5.enable = true;
+
+ # Power Management
+ services.upower = {
+ enable = true;
+ criticalPowerAction = "PowerOff";
+
+ usePercentageForPolicy = true;
+ percentageCritical = 3;
+ percentageLow = 10;
+ };
+ services.logind.lidSwitch = "suspend";
+
+ # Printing
+ services.printing.drivers = with pkgs; [ epfl-cups-drivers ];
+
+ # Enable touchpad support (enabled default in most desktopManager).
+ services.xserver.libinput.enable = true;
+ # Keyboard
+ services.input-remapper.enable = true;
+ services.input-remapper.serviceWantedBy = [ "multi-user.target" ];
+ hardware.uinput.enable = true;
+
+ # Define a user account. Don't forget to set a password with ‘passwd’.
+ common.linux.username = "nki";
+
+ # Networking
+ common.linux.networking = {
+ hostname = "nki-yoga-g8";
+ networks."10-wired".match = "enp*";
+ networks."20-wireless".match = "wlan*";
+ dnsServers = [ "127.0.0.1" ];
+ };
+ nki.services.edns.enable = true;
+ nki.services.edns.ipv6 = true;
+
+ # Secrets
+ # sops.defaultSopsFile = ./secrets.yaml;
+ # sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+ ## tinc
+ # sops.secrets."tinc/ed25519-private-key" = { };
+ # services.my-tinc = {
+ # enable = true;
+ # hostName = "macbooknix";
+ # ed25519PrivateKey = config.sops.secrets."tinc/ed25519-private-key".path;
+ # bindPort = 6565;
+ # };
+
+ services.dbus.packages = with pkgs; [ gcr ];
+
+ # Power Management
+ powerManagement = {
+ enable = true;
+ };
+
+ # Open ports in the firewall.
+ # networking.firewall.allowedTCPPorts = [ ... ];
+ # networking.firewall.allowedUDPPorts = [ ... ];
+ # Or disable the firewall altogether.
+ # networking.firewall.enable = false;
+
+ # Copy the NixOS configuration file and link it from the resulting system
+ # (/run/current-system/configuration.nix). This is useful in case you
+ # accidentally delete configuration.nix.
+ # system.copySystemConfiguration = true;
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "22.05"; # Did you read the comment?
+}
+
diff --git a/nki-yoga-g8/hardware-configuration.nix b/nki-yoga-g8/hardware-configuration.nix
new file mode 100644
index 0000000..f03c91a
--- /dev/null
+++ b/nki-yoga-g8/hardware-configuration.nix
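Review bot: `system.stateVersion = "22.05"` in a brand-new host file contradicts the comment directly above it — the value is supposed to record the release this machine was first installed with, and nothing in a commit dated August 2023 suggests the Yoga was installed on 22.05; if the file was copied from another host, set it to the release actually installed here, and if 22.05 is genuinely right, say so in a comment so nobody "fixes" it later. Separately, `hardware.uinput.enable = true` together with the always-on `services.input-remapper` service lets members of the uinput group synthesize keyboard and mouse events system-wide (as far as I understand the NixOS option), which deserves a one-line comment on who is meant to hold that membership, since nothing here restricts it. The commented-out tinc stanza still carries `hostName = "macbooknix"`; if it is kept as a template for this host, change it to the Yoga's name or drop the block to avoid a copy-paste identity later.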
@@ -0,0 +1,48 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ {
+ device = "/dev/disk/by-uuid/b32d27bf-9df6-43c1-8b93-c0693811bf5b";
+ fsType = "btrfs";
+ };
+
+ common.linux.luksDevices."nixroot" = "/dev/disk/by-uuid/09114015-79bc-4a40-bf60-b4022e969acb";
+
+ fileSystems."/boot" =
+ {
+ device = "/dev/disk/by-uuid/E820-D6C7";
+ fsType = "vfat";
+ };
+
+ swapDevices = [
+ { device = "/var/swapfile"; size = 32 * 1024; }
+ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp0s20f0u1c4i2.useDHCP = lib.mkDefault true;
+ # networking.interfaces.tailscale0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wwan0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
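Review bot: `common.linux.luksDevices."nixroot" = ...` is a hand-added project option inside a file whose header says it is generated by nixos-generate-config and may be overwritten; a future re-run would drop the LUKS mapping for the root device and leave the machine unbootable, with the encrypted volume's UUID recorded nowhere else in the repo. Move that line to `nki-yoga-g8/configuration.nix` beside the other host settings, or replace the generator header with a note that this file is now maintained by hand. The `/var/swapfile` entry (32 GiB on the btrfs root) is presumably on the same encrypted device, so swapped-out pages are not written in the clear, but that is inferred from the `nixroot` name rather than shown here — worth confirming, and worth revisiting before hibernation is ever enabled.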