diff --git a/README.md b/README.md
index d55c001..9fd288d 100644
--- a/README.md
+++ b/README.md
@@ -10,3 +10,9 @@ to deploy the infrastructure, this can be accessed running `nix develop`.
 [Flux]: https://github.com/fluxcd/flux2
 [colmena]: https://colmena.cli.rs/unstable/
+
+## Inspired by the following repos
+*
+*
+*
+*
diff --git a/flake.lock b/flake.lock
index 53bbfd4..118d301 100644
--- a/flake.lock
+++ b/flake.lock
@@ -123,6 +123,39 @@
 }
 },
 "crane": {
+ "inputs": {
+ "flake-compat": [
+ "lanzaboote",
+ "flake-compat"
+ ],
+ "flake-utils": [
+ "lanzaboote",
+ "flake-utils"
+ ],
+ "nixpkgs": [
+ "lanzaboote",
+ "nixpkgs"
+ ],
+ "rust-overlay": [
+ "lanzaboote",
+ "rust-overlay"
+ ]
+ },
+ "locked": {
+ "lastModified": 1683505101,
+ "narHash": "sha256-VBU64Jfu2V4sUR5+tuQS9erBRAe/QEYUxdVMcJGMZZs=",
+ "owner": "ipetkov",
+ "repo": "crane",
+ "rev": "7b5bd9e5acb2bb0cfba2d65f34d8568a894cdb6c",
+ "type": "github"
+ },
+ "original": {
+ "owner": "ipetkov",
+ "repo": "crane",
+ "type": "github"
+ }
+ },
+ "crane_2": {
 "flake": false,
 "locked": {
 "lastModified": 1670284777,
@@ -158,9 +191,9 @@
 "inputs": {
 "alejandra": "alejandra",
 "all-cabal-json": "all-cabal-json",
- "crane": "crane",
+ "crane": "crane_2",
 "devshell": "devshell",
- "flake-parts": "flake-parts",
+ "flake-parts": "flake-parts_2",
 "flake-utils-pre-commit": "flake-utils-pre-commit",
 "ghc-utils": "ghc-utils",
 "gomod2nix": "gomod2nix",
@@ -268,11 +301,11 @@
 "flake-compat_3": {
 "flake": false,
 "locked": {
- "lastModified": 1668681692,
- "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
+ "lastModified": 1673956053,
+ "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
 "owner": "edolstra",
 "repo": "flake-compat",
- "rev": "009399224d5e398d03b22badca40a37ac85412a1",
+ "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
 "type": "github"
 },
 "original": {
@@ -284,11 +317,11 @@ "flake-compat_4": { "flake": false, "locked": { - "lastModified": 1673956053, - "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "lastModified": 1668681692, + "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", "owner": "edolstra", "repo": "flake-compat", - "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "rev": "009399224d5e398d03b22badca40a37ac85412a1", "type": "github" }, "original": { @@ -298,6 +331,22 @@ } }, "flake-compat_5": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_6": { "flake": false, "locked": { "lastModified": 1673956053, @@ -313,6 +362,27 @@ } }, "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1683560683, + "narHash": "sha256-XAygPMN5Xnk/W2c1aW0jyEa6lfMDZWlQgiNtmHXytPc=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "006c75898cf814ef9497252b022e91c946ba8e17", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { "inputs": { "nixpkgs-lib": "nixpkgs-lib" }, @@ -379,6 +449,24 @@ } }, "flake-utils_3": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1681202837, + "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "cfacdce06f30d2b68473a46042957675eebb3401", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_4": { "locked": { "lastModified": 1667395993, "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", 
@@ -393,7 +481,7 @@ "type": "github" } }, - "flake-utils_4": { + "flake-utils_5": { "locked": { "lastModified": 1678901627, "narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=", @@ -407,9 +495,9 @@ "type": "indirect" } }, - "flake-utils_5": { + "flake-utils_6": { "inputs": { - "systems": "systems_2" + "systems": "systems_3" }, "locked": { "lastModified": 1681202837, @@ -458,6 +546,28 @@ } }, "gitignore": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "pre-commit-hooks-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1660459072, + "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "gitignore_2": { "inputs": { "nixpkgs": [ "nixvim", @@ -515,6 +625,32 @@ "type": "github" } }, + "lanzaboote": { + "inputs": { + "crane": "crane", + "flake-compat": "flake-compat_3", + "flake-parts": "flake-parts", + "flake-utils": "flake-utils_2", + "nixpkgs": [ + "nixpkgs" + ], + "pre-commit-hooks-nix": "pre-commit-hooks-nix", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1685349926, + "narHash": "sha256-c1rKI1glJWdJIPefp9aiyhAkEZ4Sc6Rh/J5VumEXu1M=", + "owner": "nix-community", + "repo": "lanzaboote", + "rev": "2e62c11babeead4b26efbb7f2cd4488baaa2e897", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "lanzaboote", + "type": "github" + } + }, "lowdown-src": { "flake": false, "locked": { @@ -549,7 +685,7 @@ "mailserver": { "inputs": { "blobs": "blobs", - "flake-compat": "flake-compat_3", + "flake-compat": "flake-compat_4", "nixpkgs": [ "nixpkgs" ], 
@@ -781,6 +917,22 @@ "type": "github" } }, + "nixpkgs-stable_2": { + "locked": { + "lastModified": 1678872516, + "narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "9b8e5abb18324c7fe9f07cb100c3cd4a29cda8b8", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-22.11", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs_2": { "locked": { "lastModified": 1680668850, @@ -926,7 +1078,7 @@ "nixvim": { "inputs": { "beautysh": "beautysh", - "flake-utils": "flake-utils_2", + "flake-utils": "flake-utils_3", "nixpkgs": "nixpkgs_4", "pre-commit-hooks": "pre-commit-hooks" }, @@ -1005,14 +1157,14 @@ }, "pre-commit-hooks": { "inputs": { - "flake-compat": "flake-compat_4", - "flake-utils": "flake-utils_3", - "gitignore": "gitignore", + "flake-compat": "flake-compat_5", + "flake-utils": "flake-utils_4", + "gitignore": "gitignore_2", "nixpkgs": [ "nixvim", "nixpkgs" ], - "nixpkgs-stable": "nixpkgs-stable" + "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { "lastModified": 1684842236, @@ -1028,6 +1180,37 @@ "type": "github" } }, + "pre-commit-hooks-nix": { + "inputs": { + "flake-compat": [ + "lanzaboote", + "flake-compat" + ], + "flake-utils": [ + "lanzaboote", + "flake-utils" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1682596858, + "narHash": "sha256-Hf9XVpqaGqe/4oDGr30W8HlsWvJXtMsEPHDqHZA6dDg=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "fb58866e20af98779017134319b5663b8215d912", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "pre-commit-hooks_2": { "inputs": { "flake-utils": [ 
@@ -1080,6 +1263,7 @@ "colmena": "colmena", "comma": "comma", "home-manager": "home-manager", + "lanzaboote": "lanzaboote", "mailserver": "mailserver", "nixos-generators": "nixos-generators", "nixos-hardware": "nixos-hardware", @@ -1127,6 +1311,31 @@ "type": "github" } }, + "rust-overlay": { + "inputs": { + "flake-utils": [ + "lanzaboote", + "flake-utils" + ], + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1684030847, + "narHash": "sha256-z4tOxaN9Cl8C80u6wyZBpPt9A9MbL21fZ3zdB/vG+AU=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "aa1480f16bec7dda3c62b8cdb184c7e823331ba2", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "stable": { "locked": { "lastModified": 1669735802, @@ -1173,6 +1382,21 @@ "type": "github" } }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "utils": { "locked": { "lastModified": 1678901627, @@ -1220,8 +1444,8 @@ }, "vault-secrets": { "inputs": { - "flake-compat": "flake-compat_5", - "flake-utils": "flake-utils_4", + "flake-compat": "flake-compat_6", + "flake-utils": "flake-utils_5", "nix": "nix", "nixpkgs": "nixpkgs_7" }, @@ -1241,7 +1465,7 @@ }, "vault-unseal": { "inputs": { - "flake-utils": "flake-utils_5", + "flake-utils": "flake-utils_6", "nixpkgs": "nixpkgs_8" }, "locked": { diff --git a/flake.nix b/flake.nix index 98f81d5..40353fd 100644 --- a/flake.nix +++ b/flake.nix 
@@ -1,10 +1,6 @@
 {
 description = "0x76's infrastructure";
- # Based on:
- # * https://github.com/serokell/pegasus-infra/blob/master/flake.nix
- # * https://git.voidcorp.nl/j00lz/nixos-configs/src/branch/main/flake.nix
-
 # For minecraft use:
 # * https://github.com/Infinidoge/nix-minecraft
@@ -38,6 +34,13 @@
 nixos-hardware.url = "github:toastal/nixos-hardware/z-series-no-hidpi";
+ lanzaboote = {
+ url = "github:nix-community/lanzaboote";
+
+ # Optional but recommended to limit the size of your system closure.
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
 vault-unseal.url = "git+https://git.0x76.dev/v/vault-unseal.git";
 };
diff --git a/nixos/common/desktop/default.nix b/nixos/common/desktop/default.nix
index 9a93dbe..af704c1 100644
--- a/nixos/common/desktop/default.nix
+++ b/nixos/common/desktop/default.nix
@@ -38,7 +38,7 @@
 services.printing.enable = true;
 # Global Packages
- environment.systemPackages = with pkgs; [ wireguard-tools ];
+ environment.systemPackages = with pkgs; [ wireguard-tools sbctl ];
 # Enable sound with pipewire.
 sound.enable = true;
diff --git a/nixos/hosts/thalassa/aoife/configuration.nix b/nixos/hosts/thalassa/aoife/configuration.nix
index 75ceeb5..566477e 100644
--- a/nixos/hosts/thalassa/aoife/configuration.nix
+++ b/nixos/hosts/thalassa/aoife/configuration.nix
@@ -2,7 +2,7 @@
 # your system. Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
-{ inputs, ... }: {
+{ inputs, lib, ... }: {
 imports = [
 ./hardware-configuration.nix
 inputs.nixos-hardware.nixosModules.lenovo-thinkpad-z
@@ -11,8 +11,16 @@
 # Bootloader.
 boot = {
+ bootspec.enable = true;
 initrd.kernelModules = [ "amdgpu" ];
 resumeDevice = "/dev/nvme0n1p2";
+ loader.systemd-boot.enable = lib.mkForce false;
+
+ lanzaboote = {
+ enable = true;
+ configurationLimit = 5;
+ pkiBundle = "/etc/secureboot";
+ };
 };
 home-manager = {
diff --git a/nixos/util.nix b/nixos/util.nix
index 6f6511a..05f10f5 100644
--- a/nixos/util.nix
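Review bot: The new `lanzaboote` input has no ref, so it tracks the repository's default branch and every `nix flake update` will pull whatever is on main of the tool that signs this machine's boot chain; the lock pins rev `2e62c11` today, which keeps builds reproducible, but each update is unreviewed by construction. Consider pinning to a tagged release and moving the pin deliberately, e.g. `url = "github:nix-community/lanzaboote/v0.3.0";` (substitute whatever the current release tag is). The comment on `inputs.nixpkgs.follows` is the upstream quick-start wording; it would read better if it said what the line does, e.g. `# Build lanzaboote's toolchain from our nixpkgs pin instead of a second nixpkgs checkout.`.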
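Review bot: `sbctl` is added to `environment.systemPackages` for every host that imports the shared desktop module, while only `aoife` enables lanzaboote as far as this diff shows; on the other desktops it is an unused tool whose job is writing Secure Boot variables. Either move it into aoife's configuration.nix next to the `boot.lanzaboote` block, or gate it on the option: `environment.systemPackages = with pkgs; [ wireguard-tools ] ++ lib.optional config.boot.lanzaboote.enable sbctl;` — that needs `config` and `lib` in the module's argument set, which starts outside the hunk. At minimum a comment such as `# sbctl: Secure Boot key management for lanzaboote hosts` would explain why it sits next to wireguard-tools.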
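Review bot: `pkiBundle = "/etc/secureboot"` points lanzaboote at Secure Boot signing keys that nothing in this configuration creates or protects; the first rebuild will fail until the keys exist on the machine (the lanzaboote quick start generates them with `sbctl create-keys` and enrolls them with `sbctl enroll-keys --microsoft`), and from then on the private `db` key under that path is the root of trust for every boot entry. Anyone with root on the laptop — or with physical access if the root filesystem is not encrypted, which I cannot tell since hardware-configuration.nix is not in this diff — can sign arbitrary kernels with that key, so the hardening is only as strong as the protection of that directory. Please add a comment above the `lanzaboote` block that states the out-of-band bootstrap, names `/etc/secureboot` as the signing-key location and the encryption assumption, and points at `bootctl status` to verify Secure Boot is actually active after enrollment. Also worth a note that `configurationLimit = 5` bounds how many signed generations stay on the ESP, so rollbacks further back than that will not be offered at boot.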
+++ b/nixos/util.nix
@@ -1,4 +1,4 @@
-{ nixpkgs, home-manager, mailserver, ... }:
+{ nixpkgs, home-manager, mailserver, lanzaboote, ... }:
 let
 inherit (builtins) filter attrValues concatMap mapAttrs;
 inherit (nixpkgs.lib.attrsets) mapAttrsToList;
@@ -13,7 +13,10 @@ let
 ./common/generic-lxc.nix
 ];
 "vm" = [ ./common/generic-vm.nix ];
- "local" = [ ./common/desktop ];
+ "local" = [
+ lanzaboote.nixosModules.lanzaboote
+ ./common/desktop
+ ];
 };
 in type: import_cases.${type} ++ base_imports;
 # Helper function to resolve what should be imported depending on the type of config (lxc, vm, bare metal)
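Review bot: `lanzaboote` becomes a required attribute of util.nix's argument set, so any caller that does not pass the flake inputs through will now fail with a missing-attribute error; the call site is outside this diff, so please confirm it hands over `inputs` as a whole. Importing `lanzaboote.nixosModules.lanzaboote` into every `local` host is presumably harmless since the module should be inert until `boot.lanzaboote.enable` is set per host (aoife does so), but a one-line comment would spare the next reader the lookup: `# Secure Boot (lanzaboote) module; inert unless boot.lanzaboote.enable is set by the host`.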