kat/nixfiles
1
0
Fork 0
mirror of https://github.com/kittywitch/nixfiles.git synced 2026-02-09 12:29:19 -08:00
Code Issues Projects Releases Packages Wiki Activity

feat: cleanup, secure boot for framework

Browse source
This commit is contained in:
Kat Inskip 2024-03-17 10:38:09 -07:00
parent 15f40761fb
commit d37bd2c669
Signed by: kat
GPG key ID: 465E64DECEA8CF0F
18 changed files with 297 additions and 144 deletions
Download patch file Download diff file Expand all files Collapse all files

182
flake.lock generated
View file

@ -89,6 +89,39 @@
"type": "github" "type": "github"
} }
}, },
"crane_2": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"nixpkgs": [
"lanzaboote",
"nixpkgs"
],
"rust-overlay": [
"lanzaboote",
"rust-overlay"
]
},
"locked": {
"lastModified": 1681177078,
"narHash": "sha256-ZNIjBDou2GOabcpctiQykEQVkI8BDwk7TyvlWlI4myE=",
"owner": "ipetkov",
"repo": "crane",
"rev": "0c9f468ff00576577d83f5019a66c557ede5acf6",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"darwin": { "darwin": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -184,6 +217,27 @@
"type": "github" "type": "github"
} }
}, },
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1680392223,
"narHash": "sha256-n3g7QFr85lDODKt250rkZj2IFS3i4/8HBU2yKHO3tqw=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "dcc36e45d054d7bb554c9cdab69093debd91a0b5",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flakelib": { "flakelib": {
"inputs": { "inputs": {
"fl-config": "fl-config", "fl-config": "fl-config",
@ -225,6 +279,28 @@
"type": "github" "type": "github"
} }
}, },
"gitignore": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"pre-commit-hooks-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1660459072,
"narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"home-manager": { "home-manager": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -424,6 +500,37 @@
"type": "github" "type": "github"
} }
}, },
"lanzaboote": {
"inputs": {
"crane": "crane_2",
"flake-compat": [
"flake-compat"
],
"flake-parts": "flake-parts",
"flake-utils": [
"utils"
],
"nixpkgs": [
"nixpkgs"
],
"pre-commit-hooks-nix": "pre-commit-hooks-nix",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1682802423,
"narHash": "sha256-Fb5TeRTdvUlo/5Yi2d+FC8a6KoRLk2h1VE0/peMhWPs=",
"owner": "nix-community",
"repo": "lanzaboote",
"rev": "64b903ca87d18cef2752c19c098af275c6e51d63",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "v0.3.0",
"repo": "lanzaboote",
"type": "github"
}
},
"mach-nix": { "mach-nix": {
"inputs": { "inputs": {
"flake-utils": [ "flake-utils": [
@ -498,11 +605,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1706834982, "lastModified": 1710123225,
"narHash": "sha256-3CfxA7gZ+DVv/N9Pvw61bV5Oe/mWfxYPyVQGqp9TMJA=", "narHash": "sha256-j3oWlxRZxB7cFsgEntpH3rosjFHRkAo/dhX9H3OfxtY=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "83e571bb291161682b9c3ccd48318f115143a550", "rev": "ad2fd7b978d5e462048729a6c635c45d3d33c9ba",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -529,16 +636,16 @@
}, },
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1705957679, "lastModified": 1678872516,
"narHash": "sha256-Q8LJaVZGJ9wo33wBafvZSzapYsjOaNjP/pOnSiKVGHY=", "narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "9a333eaa80901efe01df07eade2c16d183761fa3", "rev": "9b8e5abb18324c7fe9f07cb100c3cd4a29cda8b8",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "release-23.05", "ref": "nixos-22.11",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
@ -581,6 +688,37 @@
"type": "github" "type": "github"
} }
}, },
"pre-commit-hooks-nix": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"gitignore": "gitignore",
"nixpkgs": [
"lanzaboote",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1681413034,
"narHash": "sha256-/t7OjNQcNkeWeSq/CFLYVBfm+IEnkjoSm9iKvArnUUI=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "d3de8f69ca88fb6f8b09e5b598be5ac98d28ede5",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"pypi-deps-db": { "pypi-deps-db": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -616,6 +754,7 @@
"hyprlock": "hyprlock", "hyprlock": "hyprlock",
"hyprsome": "hyprsome", "hyprsome": "hyprsome",
"konawall-py": "konawall-py", "konawall-py": "konawall-py",
"lanzaboote": "lanzaboote",
"mach-nix": "mach-nix", "mach-nix": "mach-nix",
"minecraft": "minecraft", "minecraft": "minecraft",
"nix-index-database": "nix-index-database", "nix-index-database": "nix-index-database",
@ -635,6 +774,31 @@
"xdph": "xdph" "xdph": "xdph"
} }
}, },
"rust-overlay": {
"inputs": {
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1682129965,
"narHash": "sha256-1KRPIorEL6pLpJR04FwAqqnt4Tzcm4MqD84yhlD+XSk=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "2c417c0460b788328220120c698630947547ee83",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"scalpel": { "scalpel": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -663,7 +827,9 @@
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
"nixpkgs-stable": "nixpkgs-stable" "nixpkgs-stable": [
"nixpkgs"
]
}, },
"locked": { "locked": {
"lastModified": 1707015547, "lastModified": 1707015547,

15
flake.nix
View file

@ -17,6 +17,16 @@
nixpkgs = { nixpkgs = {
url = "github:nixos/nixpkgs/nixos-unstable"; url = "github:nixos/nixpkgs/nixos-unstable";
}; };
lanzaboote = {
url = "github:nix-community/lanzaboote/v0.3.0";
# Optional but recommended to limit the size of your system closure.
inputs = {
nixpkgs.follows = "nixpkgs";
flake-utils.follows = "utils";
flake-compat.follows = "flake-compat";
};
};
flakelibstd = { flakelibstd = {
url = "github:flakelib/std"; url = "github:flakelib/std";
inputs.nix-std.follows = "std"; inputs.nix-std.follows = "std";
@ -88,7 +98,10 @@
# secrets # secrets
sops-nix = { sops-nix = {
url = "github:Mic92/sops-nix"; url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs"; inputs = {
nixpkgs.follows = "nixpkgs";
nixpkgs-stable.follows = "nixpkgs";
};
}; };
# secrets templating # secrets templating
scalpel = { scalpel = {

14
home/environments/hyprland/hyprland.nix
View file

@ -33,6 +33,10 @@ in {
systemd = { systemd = {
enable = true; enable = true;
variables = ["--all"]; variables = ["--all"];
extraCommands = [
"systemctl --user stop graphical-session.target"
"systemctl --user start hyprland-session.target"
];
}; };
xwayland.enable = true; xwayland.enable = true;
settings = { settings = {
@ -76,6 +80,8 @@ in {
"${pkgs.mako}/bin/mako" "${pkgs.mako}/bin/mako"
"${pkgs.udiskie}/bin/udiskie &" "${pkgs.udiskie}/bin/udiskie &"
"${pkgs.pasystray}/bin/pasystray" "${pkgs.pasystray}/bin/pasystray"
"${pkgs.systemd}/bin/systemctl restart waybar --user"
"${pkgs.systemd}/bin/systemctl restart konawall-py --user"
]; ];
exec = [ exec = [
]; ];
@ -112,9 +118,9 @@ in {
"$mod, G, togglegroup," "$mod, G, togglegroup,"
"$mod SHIFT, N, changegroupactive, f" "$mod SHIFT, N, changegroupactive, f"
"$mod SHIFT, P, changegroupactive, b" "$mod SHIFT, P, changegroupactive, b"
"$mod, R, togglesplit,"
"$mod, T, togglefloating," "$mod, T, togglefloating,"
"$mod SHIFT, P, pseudo," "$mod SHIFT, T, togglesplit,"
"$mod SHIFT, X, pseudo,"
"$mod ALT, ,resizeactive," "$mod ALT, ,resizeactive,"
"$mod, Escape, exec, wlogout -p layer-shell" "$mod, Escape, exec, wlogout -p layer-shell"
"$mod, L, exec, loginctl lock-session" "$mod, L, exec, loginctl lock-session"
@ -127,6 +133,10 @@ in {
"$mod SHIFT, right, movewindow, r" "$mod SHIFT, right, movewindow, r"
"$mod SHIFT, up, movewindow, u" "$mod SHIFT, up, movewindow, u"
"$mod SHIFT, down, movewindow, d" "$mod SHIFT, down, movewindow, d"
"$mod ALT, left, movewindoworgroup, l"
"$mod ALT, right, movewindoworgroup, r"
"$mod ALT, up, movewindoworgroup, u"
"$mod ALT, down, movewindoworgroup, d"
"$mod, P, exec, ${pkgs.hyprpicker}/bin/hyprpicker -na" "$mod, P, exec, ${pkgs.hyprpicker}/bin/hyprpicker -na"

26
home/environments/hyprland/konawall.nix
View file

@ -4,19 +4,6 @@
config, config,
... ...
}: let }: let
systemd.user.services.konawall-py = {
Unit = {
Description = "konawall-py";
X-Restart-Triggers = [(toString config.xdg.configFile."konawall/config.toml".source)];
After = ["hyprland-session.target"];
};
Service = {
ExecStart = "${inputs.konawall-py.packages.${pkgs.system}.konawall-py}/bin/konawall";
Restart = "always";
};
Install = {WantedBy = ["hyprland-session.target"];};
};
konawallConfig = { konawallConfig = {
interval = 60 * 5; interval = 60 * 5;
rotate = true; rotate = true;
@ -33,6 +20,19 @@
}; };
}; };
in { in {
systemd.user.services.konawall-py = {
Unit = {
Description = "konawall-py";
X-Restart-Triggers = [(toString config.xdg.configFile."konawall/config.toml".source)];
After = ["hyprland-session.target" "network-online.target"];
};
Service = {
ExecStart = "${inputs.konawall-py.packages.${pkgs.system}.konawall-py}/bin/konawall";
Restart = "on-failure";
RestartSec = "1s";
};
Install = {WantedBy = ["hyprland-session.target"];};
};
xdg.configFile = { xdg.configFile = {
"konawall/config.toml".source = (pkgs.formats.toml {}).generate "konawall-config" konawallConfig; "konawall/config.toml".source = (pkgs.formats.toml {}).generate "konawall-config" konawallConfig;
}; };

2
home/profiles/graphical/firefox.nix
View file

@ -120,7 +120,7 @@
"beacon.enabled" = false; "beacon.enabled" = false;
"browser.search.geoip.url" = ""; "browser.search.geoip.url" = "";
"browser.search.region" = "CA"; "browser.search.region" = "CA";
"browser.search.suggest.enabled" = false; "browser.search.suggest.enabled" = true;
"browser.search.update" = false; "browser.search.update" = false;
"browser.selfsupport.url" = ""; "browser.selfsupport.url" = "";
"extensions.getAddons.cache.enabled" = false; "extensions.getAddons.cache.enabled" = false;

4
home/profiles/neovim/default.nix
View file

@ -56,6 +56,10 @@ in {
bufferline-nvim bufferline-nvim
# Language Server # Language Server
nvim-lspconfig nvim-lspconfig
# tree
nui-nvim
neo-tree-nvim
# tree sitter
(pkgs.vimPlugins.nvim-treesitter.withPlugins (_: (pkgs.vimPlugins.nvim-treesitter.withPlugins (_:
with pkgs.tree-sitter-grammars; [ with pkgs.tree-sitter-grammars; [
tree-sitter-c tree-sitter-c

10
nixos/hardware/amd_cpu.nix
View file

@ -1,10 +0,0 @@
{
config,
lib,
...
}: let
inherit (lib.modules) mkDefault;
in {
boot.kernelModules = ["kvm-amd"];
hardware.cpu.amd.updateMicrocode = mkDefault config.hardware.enableRedistributableFirmware;
}

5
nixos/hardware/amd_gpu.nix
View file

@ -1,5 +0,0 @@
_: {
boot.kernelParams = [
"amdgpu.gpu_recovery=1"
];
}

8
nixos/hardware/framework/color.nix
View file

@ -1,8 +0,0 @@
{
pkgs,
...
}: {
home-manager.users.kat.wayland.windowManager.hyprland.settings.exec-once = [
"${pkgs.colord}/bin/colormgr import-profile ${./framework-icc.icm}"
];
}

6
nixos/hardware/framework/imports.nix
View file

@ -4,10 +4,8 @@
... ...
}: { }: {
imports = imports =
(with tree.nixos.hardware; [ (with tree.nixos.profiles; [
amd_cpu uefi
amd_gpu
uefi
]) ])
++ [ ++ [
inputs.nixos-hardware.outputs.nixosModules.framework-13-7040-amd inputs.nixos-hardware.outputs.nixosModules.framework-13-7040-amd

5
nixos/hardware/intel_cpu.nix
View file

@ -1,5 +0,0 @@
_: let
in {
boot.kernelModules = ["kvm-intel"];
services.thermald.enable = true;
}

13
nixos/hardware/intel_gpu.nix
View file

@ -1,13 +0,0 @@
{pkgs, ...}: {
services.xserver.videoDrivers = ["intel"];
hardware.opengl = {
enable = true;
driSupport = true;
extraPackages = with pkgs; [
intel-media-driver
vaapiIntel
vaapiVdpau
libvdpau-va-gl
];
};
}

7
nixos/profiles/bootable/grub.nix
View file

@ -1,8 +1,9 @@
_: { {config, lib, ... }: let
boot.loader = { inherit (lib.modules) mkIf;
in {
boot.loader = mkIf (config.boot.loader.grub.enable) {
timeout = null; timeout = null;
grub = { grub = {
enable = false;
useOSProber = true; useOSProber = true;
splashImage = ./splash.jpg; splashImage = ./splash.jpg;
extraConfig = '' extraConfig = ''

14
nixos/profiles/bootable/zfs.nix
View file

@ -1,14 +0,0 @@
{
std,
config,
lib,
...
}: let
inherit (std) list;
inherit (lib.modules) mkDefault mkIf;
in {
boot = mkIf (list.elem "zfs" config.boot.supportedFilesystems) {
kernelPackages = mkDefault config.boot.zfs.package.latestCompatibleLinuxPackages;
zfs.enableUnstable = true;
};
}

0
nixos/hardware/uefi.nix → nixos/profiles/uefi.nix
View file

1
nixos/profiles/wireless/wifi.nix
View file

@ -12,6 +12,7 @@ in {
networking = { networking = {
networkmanager = { networkmanager = {
enable = true; enable = true;
wifi.backend = "iwd";
connectionConfig = { connectionConfig = {
"ipv6.ip6-privacy" = mkForce 0; "ipv6.ip6-privacy" = mkForce 0;
}; };

128
systems/koishi.nix
View file

@ -1,71 +1,85 @@
_: let _: let
hostConfig = { hostConfig = {
tree, tree,
pkgs, pkgs,
lib, lib,
inputs, inputs,
... ...
}: { }: {
imports = imports =
(with tree.nixos.hardware; [ (with tree.nixos.hardware; [
framework framework
]) ])
++ (with tree.nixos.profiles; [ ++ (with tree.nixos.profiles; [
graphical graphical
gaming
wireless wireless
laptop laptop
bcachefs bcachefs
]) ])
++ (with tree.nixos.environments; [ ++ (with tree.nixos.environments; [
hyprland hyprland
]); ]);
config = { config = let
home-manager.users.kat.imports = inherit (lib.modules) mkForce;
(with tree.home.profiles; [ in {
graphical home-manager.users.kat.imports =
devops (with tree.home.profiles; [
]) graphical
++ (with tree.home.environments; [ devops
])
++ (with tree.home.environments; [
hyprland hyprland
]); ]);
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
parsec-bin parsec-bin
]; sbctl
];
fileSystems = { services.avahi = {
"/" = { nssmdns = true;
device = "/dev/disk/by-uuid/861e8815-9327-4e49-915b-73a3b0bdfa25"; enable = true;
fsType = "bcachefs"; ipv4 = true;
}; ipv6 = true;
"/boot" = { publish = {
device = "/dev/disk/by-uuid/DD84-303D"; enable = true;
fsType = "vfat"; addresses = true;
}; workstation = true;
}; };
swapDevices = [
{device = "/dev/disk/by-uuid/04bd322e-dca0-43b8-b588-cc0ef1b1488e";}
];
boot = {
supportedFilesystems = ["ntfs"];
loader = {
efi = {
canTouchEfiVariables = true;
efiSysMountPoint = "/boot";
};
systemd-boot.enable = true;
};
};
networking = {
useDHCP = false;
};
system.stateVersion = "24.05";
}; };
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/861e8815-9327-4e49-915b-73a3b0bdfa25";
fsType = "bcachefs";
};
"/boot" = {
device = "/dev/disk/by-uuid/DD84-303D";
fsType = "vfat";
};
};
swapDevices = [
{device = "/dev/disk/by-uuid/04bd322e-dca0-43b8-b588-cc0ef1b1488e";}
];
boot = {
supportedFilesystems = ["ntfs"];
loader = {
systemd-boot.enable = mkForce false;
};
lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
};
};
networking = {
useDHCP = false;
};
system.stateVersion = "24.05";
}; };
};
in { in {
arch = "x86_64"; arch = "x86_64";
type = "NixOS"; type = "NixOS";

1
tree.nix
View file

@ -76,6 +76,7 @@
minecraft.nixosModules.minecraft-servers minecraft.nixosModules.minecraft-servers
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
base16.nixosModules.base16 base16.nixosModules.base16
lanzaboote.nixosModules.lanzaboote
]; ];
}; };
}; };