done

2025-02-10 21:47:57 -05:00 · 2025-02-10 21:47:57 -05:00 · 5cb473d279
commit 5cb473d279
parent 2b66f1a774
10 changed files with 76 additions and 67 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -2,3 +2,4 @@ home-manager/secrets/factorio.nix filter=git-crypt diff=git-crypt
 etcnixos/secrets/secureboot.tar filter=git-crypt diff=git-crypt
 etcnixos/secrets/wifi-passwords.nix filter=git-crypt diff=git-crypt
 etcnixos/secrets/disk-password filter=git-crypt diff=git-crypt
+etcnixos/secrets/password-hash filter=git-crypt diff=git-crypt
--- a/etcnixos/common.nix
+++ b/etcnixos/common.nix
@ -126,7 +126,7 @@
    ];
  };

-  age.identityPaths = [ "/home/${username}/.ssh/id_ed25519" ];
+  # age.identityPaths = [ "/home/${username}/.ssh/id_ed25519" ];

  # networking
  networking = import ./networking.nix { inherit hostname; };
@ -168,11 +168,6 @@
    pulse.enable = true;
  };

-  age.secrets.password-hash = {
-    file = ./secrets/password-hash.age;
-    path = "/tmp/password-hash-secret";
-  };
-
  # Define my user account (the rest of the configuration if found in `~/.config/home-manager/...`)
  users.users.${username} = {
    isNormalUser = true;
@ -183,7 +178,7 @@
      "camera"
      "adbusers"
    ];
-    hashedPasswordFile = config.age.secrets.password-hash.path;
+    hashedPasswordFile = "${./secrets/password-hash}";
  };

  services.gvfs.enable = true;
@ -216,7 +211,7 @@

    dmidecode

-    (inputs.agenix.packages.${pkgs.system}.default.override { ageBin = "${pkgs.rage}/bin/rage"; })
+    # (inputs.agenix.packages.${pkgs.system}.default.override { ageBin = "${pkgs.rage}/bin/rage"; })

    doas-sudo-shim

@ -226,6 +221,11 @@
    man-pages
    man-pages-posix

+    # needed for home-manager
+    git
+
+    home-manager
+
    # https://github.com/chaotic-cx/nyx/issues/972
    # config.boot.kernelPackages.perf
  ];
--- a/etcnixos/flake.lock
+++ b/etcnixos/flake.lock
@ -85,6 +85,27 @@
        "type": "github"
      }
    },
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1736864502,
+        "narHash": "sha256-ItkIZyebGvNH2dK9jVGzJHGPtb6BSWLN8Gmef16NeY0=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "0141aabed359f063de7413f80d906e1d98c0c123",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "latest",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
    "fenix": {
      "inputs": {
        "nixpkgs": [
@ -371,6 +392,7 @@
      "inputs": {
        "agenix": "agenix",
        "chaotic": "chaotic",
+        "disko": "disko",
        "lanzaboote": "lanzaboote",
        "nixos-hardware": "nixos-hardware",
        "nixpkgs": "nixpkgs"
--- a/etcnixos/hardware_laptop.nix
+++ b/etcnixos/hardware_laptop.nix
@ -15,27 +15,6 @@
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];

-  # fileSystems."/" = {
-  #   device = "/dev/disk/by-uuid/acbd96e3-e7c7-442d-82cc-ce2913a9e90c";
-  #   fsType = "btrfs";
-  #   options = [
-  #     "subvol=@"
-  #     "compress=zstd"
-  #     "autodefrag"
-  #     "noatime"
-  #     "space_cache=v2"
-  #     "discard"
-  #   ];
-  # };
-
-  # boot.initrd.luks.devices."luks-0f481d5f-528c-4838-bd8a-d2780b4ba234".device =
-  #   "/dev/disk/by-uuid/0f481d5f-528c-4838-bd8a-d2780b4ba234";
-
-  # fileSystems."/boot" = {
-  #   device = "/dev/disk/by-uuid/4D19-520E";
-  #   fsType = "vfat";
-  # };
-
  disko.devices = {
    disk = {
      main = {
@ -78,7 +57,6 @@
        };
      };
    };
-
  };

  swapDevices = [ ];
--- a/etcnixos/secrets/password-hash
+++ b/etcnixos/secrets/password-hash
--- a/etcnixos/secrets/password-hash.age
+++ b/etcnixos/secrets/password-hash.age
--- a/etcnixos/secrets/secrets.nix
+++ b/etcnixos/secrets/secrets.nix
@ -1,16 +0,0 @@
-let
-  laptop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4jL6gYOunUlUtPvGdML0cpbKSsPNqQ1jit4E7U1RyH";
-  desktop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJjT5QZ3zRDb+V6Em20EYpSEgPW5e/U+06uQGJdraxi";
-in
-(builtins.listToAttrs (
-  map
-    (f: {
-      f.publicKeys = [
-        laptop
-        desktop
-      ];
-    })
-    [
-      "password-hash.age"
-    ]
-))
--- a/etcnixos/system-mreow.nix
+++ b/etcnixos/system-mreow.nix
@ -6,6 +6,10 @@
  inputs,
  ...
 }:
+
+let
+  untar = pkgs.callPackage ./util/untar.nix;
+in
 {
  imports = [
    ./common.nix
@ -58,10 +62,11 @@
  };

  boot = {
-    # lanzaboote = {
-    # enable = true;
-    # pkiBundle = "/etc/secureboot";
-    # };
+    lanzaboote = {
+      enable = true;
+      # TODO: proper secrets management so this is not stored in nix store
+      pkiBundle = "${(untar { src = "${./secrets/secureboot.tar}"; })}";
+    };

    # Bootloader.
    loader = {
@ -71,7 +76,7 @@
        generated at installation time. So we force it to false
        for now.
      */
-      # systemd-boot.enable = lib.mkForce false;
+      systemd-boot.enable = lib.mkForce false;
    };

    kernelParams = [
@ -106,20 +111,18 @@
    TTYVTDisallocate = true;
  };

+  system.activationScripts = {
+    # FIX: https://github.com/NixOS/nix/issues/2982
+    "profile-channel-dummy".text = ''
+      #!/bin/sh
+      mkdir -p /nix/var/nix/profiles/per-user/root/channels
+    '';
+  };
+
  # weird hack to get swaylock working? idk, if you don't put this here, password entry doesnt work
  # if I move to another lock screen program, i will have to replace `swaylock`
  security.pam.services.swaylock = { };

-  # system.activationScripts = {
-  #   # extract all my secureboot keys
-  #   "secureboot-keys".text = ''
-  #     #!/bin/sh
-  #     rm -fr ${config.boot.lanzaboote.pkiBundle} || true
-  #     mkdir -p ${config.boot.lanzaboote.pkiBundle}
-  #     ${pkgs.gnutar}/bin/tar xf ${./secrets/secureboot.tar} -C ${config.boot.lanzaboote.pkiBundle}
-  #   '';
-  # };
-
  # disable framework kernel module
  # https://github.com/NixOS/nixos-hardware/issues/1330
  hardware.framework.enableKmod = false;
--- a/etcnixos/util/untar.nix
+++ b/etcnixos/util/untar.nix
@ -0,0 +1,21 @@
+{
+  stdenv,
+  gnutar,
+  src,
+}:
+stdenv.mkDerivation {
+  pname = "untar";
+  version = "1.0";
+
+  inherit src;
+
+  buildInputs = [ gnutar ];
+
+  # input is a file, not a directory, skip unpackPhase
+  unpackPhase = "true";
+
+  installPhase = ''
+    mkdir -p $out
+    tar xf ${src} -C $out/
+  '';
+}
--- a/home-manager/flake.lock
+++ b/home-manager/flake.lock
@ -54,11 +54,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1739226747,
-        "narHash": "sha256-uO80xwFP2sjL8qWhwplxD6GcadHbbLs5ph2CFPNh8pI=",
+        "lastModified": 1739233400,
+        "narHash": "sha256-fldFwXHP9Ndy/ADMDWNTpfWNsLdhZ8PP4DQyr1Igfo4=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "a3c9e88177f0dc4a2662b5324572425f59129f11",
+        "rev": "ba4a1a110204c27805d1a1b5c8b24b3a0da4d063",
        "type": "github"
      },
      "original": {
@ -174,11 +174,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1739154531,
-        "narHash": "sha256-QGeN6e0nMJlNLzm3Y2A7P6riXhQXMeCXLZ7yajZYFQM=",
+        "lastModified": 1739240901,
+        "narHash": "sha256-YDtl/9w71m5WcZvbEroYoWrjECDhzJZLZ8E68S3BYok=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "035dac86ab7ce5c1e8a4d59dfe85e6911a3526ea",
+        "rev": "03473e2af8a4b490f4d2cdb2e4d3b75f82c8197c",
        "type": "github"
      },
      "original": {