diff --git a/.gitattributes b/.gitattributes
index 47a3161..94ff4d4 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -2,3 +2,4 @@ home-manager/secrets/factorio.nix filter=git-crypt diff=git-crypt
 etcnixos/secrets/secureboot.tar filter=git-crypt diff=git-crypt
 etcnixos/secrets/wifi-passwords.nix filter=git-crypt diff=git-crypt
 etcnixos/secrets/disk-password filter=git-crypt diff=git-crypt
+etcnixos/secrets/password-hash filter=git-crypt diff=git-crypt
diff --git a/etcnixos/common.nix b/etcnixos/common.nix
index d6a41d8..00e8319 100644
--- a/etcnixos/common.nix
+++ b/etcnixos/common.nix
@@ -126,7 +126,7 @@
 ];
 };
- age.identityPaths = [ "/home/${username}/.ssh/id_ed25519" ];
+ # age.identityPaths = [ "/home/${username}/.ssh/id_ed25519" ];
 # networking
 networking = import ./networking.nix { inherit hostname; };
@@ -168,11 +168,6 @@
 pulse.enable = true;
 };
- age.secrets.password-hash = {
- file = ./secrets/password-hash.age;
- path = "/tmp/password-hash-secret";
- };
-
 # Define my user account (the rest of the configuration if found in `~/.config/home-manager/...`)
 users.users.${username} = {
 isNormalUser = true;
@@ -183,7 +178,7 @@
 "camera"
 "adbusers"
 ];
- hashedPasswordFile = config.age.secrets.password-hash.path;
+ hashedPasswordFile = "${./secrets/password-hash}";
 };
 services.gvfs.enable = true;
@@ -216,7 +211,7 @@
 dmidecode
- (inputs.agenix.packages.${pkgs.system}.default.override { ageBin = "${pkgs.rage}/bin/rage"; })
+ # (inputs.agenix.packages.${pkgs.system}.default.override { ageBin = "${pkgs.rage}/bin/rage"; })
 doas-sudo-shim
@@ -226,6 +221,11 @@
 man-pages
 man-pages-posix
+ # needed for home-manager
+ git
+
+ home-manager
+
 # https://github.com/chaotic-cx/nyx/issues/972
 # config.boot.kernelPackages.perf
 ];
diff --git a/etcnixos/flake.lock b/etcnixos/flake.lock
index 732ac57..6498007 100644
--- a/etcnixos/flake.lock
+++ b/etcnixos/flake.lock
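Review bot: The `age.identityPaths` line in the `@@ -126` hunk is commented out rather than deleted, and the `@@ -216` hunk does the same with the agenix package entry; since this commit also deletes `secrets.nix` and the `.age` file, those leftovers cannot simply be uncommented later and now read as dead code. Git history already preserves both lines, so I would remove them outright, or, if the agenix path is meant to be reversible, replace the two with a single `# agenix disabled: secrets moved to git-crypt under ./secrets` so the intent is stated once.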
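Review bot: `hashedPasswordFile = "${./secrets/password-hash}";` in the `@@ -183` hunk interpolates a repository file into a string, which copies the decrypted hash into /nix/store; the store is world-readable, so any local user, and any binary cache or remote host the closure is pushed to, can read the password hash, whereas the removed agenix block kept it at a path outside the store. git-crypt only protects the file at rest in git, and if the flake is ever evaluated from a locked checkout the ciphertext itself would be installed as the hash and the account could no longer be unlocked. The same store exposure applies to the lanzaboote `pkiBundle` built via `untar` in `system-mreow.nix` (its TODO acknowledges it) and to the output of `util/untar.nix`. I would keep the hash outside the store, for example by restoring the `age.secrets.password-hash` block or pointing `hashedPasswordFile` at a root-owned mode-0600 file written by an activation script, and leave `# NOTE: "${./...}" would copy the decrypted hash into the world-readable /nix/store; keep this path outside the store` next to the option.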
@@ -85,6 +85,27 @@
 "type": "github"
 }
 },
+ "disko": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1736864502,
+ "narHash": "sha256-ItkIZyebGvNH2dK9jVGzJHGPtb6BSWLN8Gmef16NeY0=",
+ "owner": "nix-community",
+ "repo": "disko",
+ "rev": "0141aabed359f063de7413f80d906e1d98c0c123",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "ref": "latest",
+ "repo": "disko",
+ "type": "github"
+ }
+ },
 "fenix": {
 "inputs": {
 "nixpkgs": [
@@ -371,6 +392,7 @@
 "inputs": {
 "agenix": "agenix",
 "chaotic": "chaotic",
+ "disko": "disko",
 "lanzaboote": "lanzaboote",
 "nixos-hardware": "nixos-hardware",
 "nixpkgs": "nixpkgs"
diff --git a/etcnixos/hardware_laptop.nix b/etcnixos/hardware_laptop.nix
index 15c3b94..40f9c6d 100644
--- a/etcnixos/hardware_laptop.nix
+++ b/etcnixos/hardware_laptop.nix
@@ -15,27 +15,6 @@
 boot.kernelModules = [ "kvm-intel" ];
 boot.extraModulePackages = [ ];
- # fileSystems."/" = {
- # device = "/dev/disk/by-uuid/acbd96e3-e7c7-442d-82cc-ce2913a9e90c";
- # fsType = "btrfs";
- # options = [
- # "subvol=@"
- # "compress=zstd"
- # "autodefrag"
- # "noatime"
- # "space_cache=v2"
- # "discard"
- # ];
- # };
-
- # boot.initrd.luks.devices."luks-0f481d5f-528c-4838-bd8a-d2780b4ba234".device =
- # "/dev/disk/by-uuid/0f481d5f-528c-4838-bd8a-d2780b4ba234";
-
- # fileSystems."/boot" = {
- # device = "/dev/disk/by-uuid/4D19-520E";
- # fsType = "vfat";
- # };
-
 disko.devices = {
 disk = {
 main = {
@@ -78,7 +57,6 @@
 };
 };
 };
- };
 swapDevices = [ ];
diff --git a/etcnixos/secrets/password-hash b/etcnixos/secrets/password-hash
new file mode 100644
index 0000000..ba58675
Binary files /dev/null and b/etcnixos/secrets/password-hash differ
diff --git a/etcnixos/secrets/password-hash.age b/etcnixos/secrets/password-hash.age
deleted file mode 100644
index ca3ac41..0000000
Binary files a/etcnixos/secrets/password-hash.age and /dev/null differ
diff --git a/etcnixos/secrets/secrets.nix b/etcnixos/secrets/secrets.nix
deleted file mode 100644
index a929fec..0000000
--- a/etcnixos/secrets/secrets.nix
+++ /dev/null
@@ -1,16 +0,0 @@
-let
- laptop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4jL6gYOunUlUtPvGdML0cpbKSsPNqQ1jit4E7U1RyH";
- desktop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJjT5QZ3zRDb+V6Em20EYpSEgPW5e/U+06uQGJdraxi";
-in
-(builtins.listToAttrs (
- map
- (f: {
- f.publicKeys = [
- laptop
- desktop
- ];
- })
- [
- "password-hash.age"
- ]
-))
diff --git a/etcnixos/system-mreow.nix b/etcnixos/system-mreow.nix
index eae2370..651a37d 100644
--- a/etcnixos/system-mreow.nix
+++ b/etcnixos/system-mreow.nix
@@ -6,6 +6,10 @@
 inputs,
 ...
 }:
+
+let
+ untar = pkgs.callPackage ./util/untar.nix;
+in
 {
 imports = [
 ./common.nix
@@ -58,10 +62,11 @@
 };
 boot = {
- # lanzaboote = {
- # enable = true;
- # pkiBundle = "/etc/secureboot";
- # };
+ lanzaboote = {
+ enable = true;
+ # TODO: proper secrets management so this is not stored in nix store
+ pkiBundle = "${(untar { src = "${./secrets/secureboot.tar}"; })}";
+ };
 # Bootloader.
 loader = {
@@ -71,7 +76,7 @@
 generated at installation time. So we force it to false for now.
 */
- # systemd-boot.enable = lib.mkForce false;
+ systemd-boot.enable = lib.mkForce false;
 };
 kernelParams = [
@@ -106,20 +111,18 @@
 TTYVTDisallocate = true;
 };
+ system.activationScripts = {
+ # FIX: https://github.com/NixOS/nix/issues/2982
+ "profile-channel-dummy".text = ''
+ #!/bin/sh
+ mkdir -p /nix/var/nix/profiles/per-user/root/channels
+ '';
+ };
+
 # weird hack to get swaylock working? idk, if you don't put this here, password entry doesnt work
 # if I move to another lock screen program, i will have to replace `swaylock`
 security.pam.services.swaylock = { };
- # system.activationScripts = {
- # # extract all my secureboot keys
- # "secureboot-keys".text = ''
- # #!/bin/sh
- # rm -fr ${config.boot.lanzaboote.pkiBundle} || true
- # mkdir -p ${config.boot.lanzaboote.pkiBundle}
- # ${pkgs.gnutar}/bin/tar xf ${./secrets/secureboot.tar} -C ${config.boot.lanzaboote.pkiBundle}
- # '';
- # };
-
 # disable framework kernel module
 # https://github.com/NixOS/nixos-hardware/issues/1330
 hardware.framework.enableKmod = false;
diff --git a/etcnixos/util/untar.nix b/etcnixos/util/untar.nix
new file mode 100644
index 0000000..f5bb304
--- /dev/null
+++ b/etcnixos/util/untar.nix
@@ -0,0 +1,21 @@
+{
+ stdenv,
+ gnutar,
+ src,
+}:
+stdenv.mkDerivation {
+ pname = "untar";
+ version = "1.0";
+
+ inherit src;
+
+ buildInputs = [ gnutar ];
+
+ # input is a file, not a directory, skip unpackPhase
+ unpackPhase = "true";
+
+ installPhase = ''
+ mkdir -p $out
+ tar xf ${src} -C $out/
+ '';
+}
diff --git a/home-manager/flake.lock b/home-manager/flake.lock
index 9588717..942db7c 100644
--- a/home-manager/flake.lock
+++ b/home-manager/flake.lock
@@ -54,11 +54,11 @@
 ]
 },
 "locked": {
- "lastModified": 1739226747,
- "narHash": "sha256-uO80xwFP2sjL8qWhwplxD6GcadHbbLs5ph2CFPNh8pI=",
+ "lastModified": 1739233400,
+ "narHash": "sha256-fldFwXHP9Ndy/ADMDWNTpfWNsLdhZ8PP4DQyr1Igfo4=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "a3c9e88177f0dc4a2662b5324572425f59129f11",
+ "rev": "ba4a1a110204c27805d1a1b5c8b24b3a0da4d063",
 "type": "github"
 },
 "original": {
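Review bot: The `#!/bin/sh` line inside `"profile-channel-dummy".text` is inert, because NixOS concatenates every `system.activationScripts` fragment into one generated script, so it only survives as a comment in the middle of that script. I would drop it and keep the fragment to the single `mkdir -p /nix/var/nix/profiles/per-user/root/channels` line; the existing `# FIX:` link to nix#2982 already explains why the directory has to exist.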
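Review bot: `buildInputs = [ gnutar ];` in the new `untar.nix` places tar in the wrong input set — it is a build-time tool, not a runtime dependency of the output, so the conventional attribute is `nativeBuildInputs = [ gnutar ];`. Likewise `unpackPhase = "true";` is the older spelling of `dontUnpack = true;`, which states the intent directly; I would pair it with the comment `# src is a single archive, not a source tree; we extract it ourselves in installPhase` in place of the current one. A short header such as `# Extract a tar archive into a store path; the result is an ordinary (world-readable) store output` would also tell future callers what they get back.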
@@ -174,11 +174,11 @@
 ]
 },
 "locked": {
- "lastModified": 1739154531,
- "narHash": "sha256-QGeN6e0nMJlNLzm3Y2A7P6riXhQXMeCXLZ7yajZYFQM=",
+ "lastModified": 1739240901,
+ "narHash": "sha256-YDtl/9w71m5WcZvbEroYoWrjECDhzJZLZ8E68S3BYok=",
 "owner": "oxalica",
 "repo": "rust-overlay",
- "rev": "035dac86ab7ce5c1e8a4d59dfe85e6911a3526ea",
+ "rev": "03473e2af8a4b490f4d2cdb2e4d3b75f82c8197c",
 "type": "github"
 },
 "original": {