aoife: enable secure boot

This commit is contained in:
Vivian 2023-05-30 08:41:42 +02:00
parent 9a4b0d51c0
commit f29f2e9b20
6 changed files with 272 additions and 28 deletions


@ -10,3 +10,9 @@ to deploy the infrastructure, this can be accessed running `nix develop`.
[Flux]: https://github.com/fluxcd/flux2
[colmena]: https://colmena.cli.rs/unstable/
## Inspired by the following repos
* <https://github.com/colemickens/nixcfg>
* <https://github.com/serokell/pegasus-infra>
* <https://git.voidcorp.nl/j00lz/nixos-configs>
* <https://github.com/tadfisher/flake>


@ -123,6 +123,39 @@
}
},
"crane": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"nixpkgs": [
"lanzaboote",
"nixpkgs"
],
"rust-overlay": [
"lanzaboote",
"rust-overlay"
]
},
"locked": {
"lastModified": 1683505101,
"narHash": "sha256-VBU64Jfu2V4sUR5+tuQS9erBRAe/QEYUxdVMcJGMZZs=",
"owner": "ipetkov",
"repo": "crane",
"rev": "7b5bd9e5acb2bb0cfba2d65f34d8568a894cdb6c",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"crane_2": {
"flake": false,
"locked": {
"lastModified": 1670284777,
@ -158,9 +191,9 @@
"inputs": {
"alejandra": "alejandra",
"all-cabal-json": "all-cabal-json",
"crane": "crane",
"crane": "crane_2",
"devshell": "devshell",
"flake-parts": "flake-parts",
"flake-parts": "flake-parts_2",
"flake-utils-pre-commit": "flake-utils-pre-commit",
"ghc-utils": "ghc-utils",
"gomod2nix": "gomod2nix",
@ -268,11 +301,11 @@
"flake-compat_3": {
"flake": false,
"locked": {
"lastModified": 1668681692,
"narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "009399224d5e398d03b22badca40a37ac85412a1",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
@ -284,11 +317,11 @@
"flake-compat_4": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"lastModified": 1668681692,
"narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"rev": "009399224d5e398d03b22badca40a37ac85412a1",
"type": "github"
},
"original": {
@ -298,6 +331,22 @@
}
},
"flake-compat_5": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_6": {
"flake": false,
"locked": {
"lastModified": 1673956053,
@ -313,6 +362,27 @@
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1683560683,
"narHash": "sha256-XAygPMN5Xnk/W2c1aW0jyEa6lfMDZWlQgiNtmHXytPc=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "006c75898cf814ef9497252b022e91c946ba8e17",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_2": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
@ -379,6 +449,24 @@
}
},
"flake-utils_3": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1681202837,
"narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "cfacdce06f30d2b68473a46042957675eebb3401",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_4": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
@ -393,7 +481,7 @@
"type": "github"
}
},
"flake-utils_4": {
"flake-utils_5": {
"locked": {
"lastModified": 1678901627,
"narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=",
@ -407,9 +495,9 @@
"type": "indirect"
}
},
"flake-utils_5": {
"flake-utils_6": {
"inputs": {
"systems": "systems_2"
"systems": "systems_3"
},
"locked": {
"lastModified": 1681202837,
@ -458,6 +546,28 @@
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"pre-commit-hooks-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1660459072,
"narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"gitignore_2": {
"inputs": {
"nixpkgs": [
"nixvim",
@ -515,6 +625,32 @@
"type": "github"
}
},
"lanzaboote": {
"inputs": {
"crane": "crane",
"flake-compat": "flake-compat_3",
"flake-parts": "flake-parts",
"flake-utils": "flake-utils_2",
"nixpkgs": [
"nixpkgs"
],
"pre-commit-hooks-nix": "pre-commit-hooks-nix",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1685349926,
"narHash": "sha256-c1rKI1glJWdJIPefp9aiyhAkEZ4Sc6Rh/J5VumEXu1M=",
"owner": "nix-community",
"repo": "lanzaboote",
"rev": "2e62c11babeead4b26efbb7f2cd4488baaa2e897",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "lanzaboote",
"type": "github"
}
},
"lowdown-src": {
"flake": false,
"locked": {
@ -549,7 +685,7 @@
"mailserver": {
"inputs": {
"blobs": "blobs",
"flake-compat": "flake-compat_3",
"flake-compat": "flake-compat_4",
"nixpkgs": [
"nixpkgs"
],
@ -781,6 +917,22 @@
"type": "github"
}
},
"nixpkgs-stable_2": {
"locked": {
"lastModified": 1678872516,
"narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "9b8e5abb18324c7fe9f07cb100c3cd4a29cda8b8",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-22.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1680668850,
@ -926,7 +1078,7 @@
"nixvim": {
"inputs": {
"beautysh": "beautysh",
"flake-utils": "flake-utils_2",
"flake-utils": "flake-utils_3",
"nixpkgs": "nixpkgs_4",
"pre-commit-hooks": "pre-commit-hooks"
},
@ -1005,14 +1157,14 @@
},
"pre-commit-hooks": {
"inputs": {
"flake-compat": "flake-compat_4",
"flake-utils": "flake-utils_3",
"gitignore": "gitignore",
"flake-compat": "flake-compat_5",
"flake-utils": "flake-utils_4",
"gitignore": "gitignore_2",
"nixpkgs": [
"nixvim",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
"nixpkgs-stable": "nixpkgs-stable_2"
},
"locked": {
"lastModified": 1684842236,
@ -1028,6 +1180,37 @@
"type": "github"
}
},
"pre-commit-hooks-nix": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"gitignore": "gitignore",
"nixpkgs": [
"lanzaboote",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1682596858,
"narHash": "sha256-Hf9XVpqaGqe/4oDGr30W8HlsWvJXtMsEPHDqHZA6dDg=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "fb58866e20af98779017134319b5663b8215d912",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"pre-commit-hooks_2": {
"inputs": {
"flake-utils": [
@ -1080,6 +1263,7 @@
"colmena": "colmena",
"comma": "comma",
"home-manager": "home-manager",
"lanzaboote": "lanzaboote",
"mailserver": "mailserver",
"nixos-generators": "nixos-generators",
"nixos-hardware": "nixos-hardware",
@ -1127,6 +1311,31 @@
"type": "github"
}
},
"rust-overlay": {
"inputs": {
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1684030847,
"narHash": "sha256-z4tOxaN9Cl8C80u6wyZBpPt9A9MbL21fZ3zdB/vG+AU=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "aa1480f16bec7dda3c62b8cdb184c7e823331ba2",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"stable": {
"locked": {
"lastModified": 1669735802,
@ -1173,6 +1382,21 @@
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"utils": {
"locked": {
"lastModified": 1678901627,
@ -1220,8 +1444,8 @@
},
"vault-secrets": {
"inputs": {
"flake-compat": "flake-compat_5",
"flake-utils": "flake-utils_4",
"flake-compat": "flake-compat_6",
"flake-utils": "flake-utils_5",
"nix": "nix",
"nixpkgs": "nixpkgs_7"
},
@ -1241,7 +1465,7 @@
},
"vault-unseal": {
"inputs": {
"flake-utils": "flake-utils_5",
"flake-utils": "flake-utils_6",
"nixpkgs": "nixpkgs_8"
},
"locked": {


@ -1,10 +1,6 @@
{
description = "0x76's infrastructure";
# Based on:
# * https://github.com/serokell/pegasus-infra/blob/master/flake.nix
# * https://git.voidcorp.nl/j00lz/nixos-configs/src/branch/main/flake.nix
# For minecraft use:
# * https://github.com/Infinidoge/nix-minecraft
@ -38,6 +34,13 @@
nixos-hardware.url = "github:toastal/nixos-hardware/z-series-no-hidpi";
lanzaboote = {
url = "github:nix-community/lanzaboote";
# Optional but recommended to limit the size of your system closure.
inputs.nixpkgs.follows = "nixpkgs";
};
vault-unseal.url = "git+https://git.0x76.dev/v/vault-unseal.git";
};
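Review bot: The new `lanzaboote` input at the `url =` line tracks the repository's default branch, so every `nix flake update` moves the boot-chain signing toolchain to whatever upstream has most recently committed, with only the rev in flake.lock as a record. For the component that signs the kernel and initrd it is worth pinning to a tagged release, `url = "github:nix-community/lanzaboote/<release-tag>";`, and bumping it deliberately rather than as part of a blanket update. The `inputs.nixpkgs.follows = "nixpkgs"` line is the upstream-recommended form and looks right. The enclosing `inputs` attribute set begins outside the hunk.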


@ -38,7 +38,7 @@
services.printing.enable = true;
# Global Packages
environment.systemPackages = with pkgs; [ wireguard-tools ];
environment.systemPackages = with pkgs; [ wireguard-tools sbctl ];
# Enable sound with pipewire.
sound.enable = true;
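Review bot: `sbctl` is added to the global package list of every host using this desktop module with no indication of why it is there, although it only matters for the host that enables lanzaboote. A short comment on the `environment.systemPackages` line would help, e.g. `# sbctl: creates and enrolls the Secure Boot keys lanzaboote signs with (see boot.lanzaboote.pkiBundle)`. Key creation and enrollment are manual steps not captured in this repository, so the comment is also the natural place to say where those steps are documented.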


@ -2,7 +2,7 @@
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ inputs, ... }: {
{ inputs, lib, ... }: {
imports = [
./hardware-configuration.nix
inputs.nixos-hardware.nixosModules.lenovo-thinkpad-z
@ -11,8 +11,16 @@
# Bootloader.
boot = {
bootspec.enable = true;
initrd.kernelModules = [ "amdgpu" ];
resumeDevice = "/dev/nvme0n1p2";
loader.systemd-boot.enable = lib.mkForce false;
lanzaboote = {
enable = true;
configurationLimit = 5;
pkiBundle = "/etc/secureboot";
};
};
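Review bot: `pkiBundle = "/etc/secureboot"` keeps the Secure Boot signing keys on the root filesystem, and nothing visible on this page shows whether that filesystem is encrypted; if it is not, anyone with offline access to the disk can read the db key and sign their own boot entries, which undoes the protection being enabled here. A comment stating the assumption next to that line would help, e.g. `# Signing keys live on the root fs: assumes encrypted root and root-only permissions on /etc/secureboot`. The options in this block only sign the boot chain; enforcement depends on the keys being enrolled in firmware and Secure Boot being switched on there, an out-of-band step worth noting beside `enable = true`. `bootspec.enable = true` may already be the default on the nixpkgs this flake tracks, so it is harmless but possibly redundant. The enclosing module attribute set continues outside the hunk.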
home-manager = {


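--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1,4 +1,4 @@
-{ nixpkgs, home-manager, mailserver, ... }:
+{ nixpkgs, home-manager, mailserver, lanzaboote, ... }:
 let
 inherit (builtins) filter attrValues concatMap mapAttrs;
 inherit (nixpkgs.lib.attrsets) mapAttrsToList;
@@ -13,7 +13,10 @@ let
 ./common/generic-lxc.nix
 ];
 "vm" = [ ./common/generic-vm.nix ];
-"local" = [ ./common/desktop ];
+"local" = [
+lanzaboote.nixosModules.lanzaboote
+./common/desktop
+];
 };
 in type: import_cases.${type} ++ base_imports;
 # Helper function to resolve what should be imported depending on the type of config (lxc, vm, bare metal)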
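Review bot: `lanzaboote.nixosModules.lanzaboote` is now imported for every `"local"` host, while Secure Boot itself is switched on per host through `boot.lanzaboote.enable` (only aoife sets it in this commit), and nothing in the `import_cases` list says so. A one-line comment above the new entry would save the next reader a search, e.g. `# Module only; signing is enabled per host via boot.lanzaboote.enable`. The `import_cases` attribute set begins outside the hunk.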