cleanup

etcnixos/common.nix

@@ -20,8 +20,14 @@
     inputs.nixos-hardware.nixosModules.common-pc-ssd
     inputs.chaotic.nixosModules.default
     inputs.disko.nixosModules.disko
+    inputs.lanzaboote.nixosModules.lanzaboote
   ];
 
+  hardware.enableRedistributableFirmware = true;
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+
+  swapDevices = [ ];
+
   nix = {
     # optimize the store
     optimise.automatic = true;
@@ -33,30 +39,58 @@
     ];
   };
 
+  system.activationScripts = {
+    # extract all my secureboot keys
+    # TODO! proper secrets management
+    "secureboot-keys".text = ''
+      #!/bin/sh
+      rm -fr ${config.boot.lanzaboote.pkiBundle} || true
+      mkdir -p ${config.boot.lanzaboote.pkiBundle}
+      ${pkgs.gnutar}/bin/tar xf ${./secrets/secureboot.tar} -C ${config.boot.lanzaboote.pkiBundle}
+      chown -R root:wheel ${config.boot.lanzaboote.pkiBundle}
+      chmod -R 500 ${config.boot.lanzaboote.pkiBundle}
+    '';
+  };
+
   # kernel options
   boot = {
     kernelPackages = pkgs.linuxPackages_cachyos-lto;
     # kernelPackages = pkgs.linuxPackages_latest;
     # kernelPackages = pkgs.linuxPackages;
 
-    kernel.sysctl = {
-      # dmesg shushhhhh
-      "kernel.printk" = "2 4 1 7";
+    lanzaboote = {
+      enable = true;
+      # TODO: proper secrets management so this is not stored in nix store
+      pkiBundle = "/var/lib/sbctl";
     };
 
     # Bootloader.
     loader = {
-      systemd-boot.enable = true;
       efi.canTouchEfiVariables = true;
 
       timeout = 1;
+      /*
+        Lanzaboote currently replaces the systemd-boot module.
+        This setting is usually set to true in configuration.nix
+        generated at installation time. So we force it to false
+        for now.
+      */
+      systemd-boot.enable = lib.mkForce false;
+
     };
 
     initrd = {
       compressor = "zstd";
+      availableKernelModules = [
+        "xhci_pci"
+        "thunderbolt"
+        "nvme"
+        "usbhid"
+      ];
     };
 
     kernelModules = [
+      "kvm-amd"
       "ip_tables"
       "iptable_nat"
       "msr"
@@ -95,7 +129,7 @@
     mullvad-vpn.enable = true;
   };
 
-  # Set your time zone.
+  # EST
   time.timeZone = "America/New_York";
 
   security = {
@@ -117,18 +151,6 @@
   # Select internationalisation properties.
   i18n.defaultLocale = "en_US.UTF-8";
 
-  i18n.extraLocaleSettings = {
-    LC_ADDRESS = "en_US.UTF-8";
-    LC_IDENTIFICATION = "en_US.UTF-8";
-    LC_MEASUREMENT = "en_US.UTF-8";
-    LC_MONETARY = "en_US.UTF-8";
-    LC_NAME = "en_US.UTF-8";
-    LC_NUMERIC = "en_US.UTF-8";
-    LC_PAPER = "en_US.UTF-8";
-    LC_TELEPHONE = "en_US.UTF-8";
-    LC_TIME = "en_US.UTF-8";
-  };
-
   # Enable Bluetooth
   hardware.bluetooth = {
     enable = true;
@@ -218,6 +240,7 @@
   };
 
   system.stateVersion = "24.11";
+  nixpkgs.hostPlatform = "x86_64-linux";
 
   documentation.enable = true;
   documentation.man.enable = true;