feat: cleanup, secure boot for framework

2026-02-09 04:19:19 -08:00 · 2024-03-17 10:38:09 -07:00 · 2024-03-17 10:38:09 -07:00 · d37bd2c669
commit d37bd2c669
parent 15f40761fb
18 changed files with 297 additions and 144 deletions
--- a/flake.lock
+++ b/flake.lock
@ -89,6 +89,39 @@
        "type": "github"
      }
    },
+    "crane_2": {
+      "inputs": {
+        "flake-compat": [
+          "lanzaboote",
+          "flake-compat"
+        ],
+        "flake-utils": [
+          "lanzaboote",
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ],
+        "rust-overlay": [
+          "lanzaboote",
+          "rust-overlay"
+        ]
+      },
+      "locked": {
+        "lastModified": 1681177078,
+        "narHash": "sha256-ZNIjBDou2GOabcpctiQykEQVkI8BDwk7TyvlWlI4myE=",
+        "owner": "ipetkov",
+        "repo": "crane",
+        "rev": "0c9f468ff00576577d83f5019a66c557ede5acf6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ipetkov",
+        "repo": "crane",
+        "type": "github"
+      }
+    },
    "darwin": {
      "inputs": {
        "nixpkgs": [
@ -184,6 +217,27 @@
        "type": "github"
      }
    },
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1680392223,
+        "narHash": "sha256-n3g7QFr85lDODKt250rkZj2IFS3i4/8HBU2yKHO3tqw=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "dcc36e45d054d7bb554c9cdab69093debd91a0b5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
    "flakelib": {
      "inputs": {
        "fl-config": "fl-config",
@ -225,6 +279,28 @@
        "type": "github"
      }
    },
+    "gitignore": {
+      "inputs": {
+        "nixpkgs": [
+          "lanzaboote",
+          "pre-commit-hooks-nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1660459072,
+        "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
@ -424,6 +500,37 @@
        "type": "github"
      }
    },
+    "lanzaboote": {
+      "inputs": {
+        "crane": "crane_2",
+        "flake-compat": [
+          "flake-compat"
+        ],
+        "flake-parts": "flake-parts",
+        "flake-utils": [
+          "utils"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "pre-commit-hooks-nix": "pre-commit-hooks-nix",
+        "rust-overlay": "rust-overlay"
+      },
+      "locked": {
+        "lastModified": 1682802423,
+        "narHash": "sha256-Fb5TeRTdvUlo/5Yi2d+FC8a6KoRLk2h1VE0/peMhWPs=",
+        "owner": "nix-community",
+        "repo": "lanzaboote",
+        "rev": "64b903ca87d18cef2752c19c098af275c6e51d63",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "v0.3.0",
+        "repo": "lanzaboote",
+        "type": "github"
+      }
+    },
    "mach-nix": {
      "inputs": {
        "flake-utils": [
@ -498,11 +605,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1706834982,
-        "narHash": "sha256-3CfxA7gZ+DVv/N9Pvw61bV5Oe/mWfxYPyVQGqp9TMJA=",
+        "lastModified": 1710123225,
+        "narHash": "sha256-j3oWlxRZxB7cFsgEntpH3rosjFHRkAo/dhX9H3OfxtY=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "83e571bb291161682b9c3ccd48318f115143a550",
+        "rev": "ad2fd7b978d5e462048729a6c635c45d3d33c9ba",
        "type": "github"
      },
      "original": {
@ -529,16 +636,16 @@
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1705957679,
-        "narHash": "sha256-Q8LJaVZGJ9wo33wBafvZSzapYsjOaNjP/pOnSiKVGHY=",
+        "lastModified": 1678872516,
+        "narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "9a333eaa80901efe01df07eade2c16d183761fa3",
+        "rev": "9b8e5abb18324c7fe9f07cb100c3cd4a29cda8b8",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "release-23.05",
+        "ref": "nixos-22.11",
        "repo": "nixpkgs",
        "type": "github"
      }
@ -581,6 +688,37 @@
        "type": "github"
      }
    },
+    "pre-commit-hooks-nix": {
+      "inputs": {
+        "flake-compat": [
+          "lanzaboote",
+          "flake-compat"
+        ],
+        "flake-utils": [
+          "lanzaboote",
+          "flake-utils"
+        ],
+        "gitignore": "gitignore",
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1681413034,
+        "narHash": "sha256-/t7OjNQcNkeWeSq/CFLYVBfm+IEnkjoSm9iKvArnUUI=",
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "rev": "d3de8f69ca88fb6f8b09e5b598be5ac98d28ede5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "type": "github"
+      }
+    },
    "pypi-deps-db": {
      "flake": false,
      "locked": {
@ -616,6 +754,7 @@
        "hyprlock": "hyprlock",
        "hyprsome": "hyprsome",
        "konawall-py": "konawall-py",
+        "lanzaboote": "lanzaboote",
        "mach-nix": "mach-nix",
        "minecraft": "minecraft",
        "nix-index-database": "nix-index-database",
@ -635,6 +774,31 @@
        "xdph": "xdph"
      }
    },
+    "rust-overlay": {
+      "inputs": {
+        "flake-utils": [
+          "lanzaboote",
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1682129965,
+        "narHash": "sha256-1KRPIorEL6pLpJR04FwAqqnt4Tzcm4MqD84yhlD+XSk=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "2c417c0460b788328220120c698630947547ee83",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    },
    "scalpel": {
      "inputs": {
        "nixpkgs": [
@ -663,7 +827,9 @@
        "nixpkgs": [
          "nixpkgs"
        ],
-        "nixpkgs-stable": "nixpkgs-stable"
+        "nixpkgs-stable": [
+          "nixpkgs"
+        ]
      },
      "locked": {
        "lastModified": 1707015547,
--- a/flake.nix
+++ b/flake.nix
@ -17,6 +17,16 @@
    nixpkgs = {
      url = "github:nixos/nixpkgs/nixos-unstable";
    };
+    lanzaboote = {
+      url = "github:nix-community/lanzaboote/v0.3.0";
+
+      # Optional but recommended to limit the size of your system closure.
+      inputs = {
+        nixpkgs.follows = "nixpkgs";
+        flake-utils.follows = "utils";
+        flake-compat.follows = "flake-compat";
+      };
+    };
    flakelibstd = {
      url = "github:flakelib/std";
      inputs.nix-std.follows = "std";
@ -88,7 +98,10 @@
    # secrets
    sops-nix = {
      url = "github:Mic92/sops-nix";
-      inputs.nixpkgs.follows = "nixpkgs";
+      inputs = {
+        nixpkgs.follows = "nixpkgs";
+        nixpkgs-stable.follows = "nixpkgs";
+      };
    };
    # secrets templating
    scalpel = {
--- a/home/environments/hyprland/hyprland.nix
+++ b/home/environments/hyprland/hyprland.nix
@ -33,6 +33,10 @@ in {
    systemd = {
      enable = true;
      variables = ["--all"];
+      extraCommands = [
+        "systemctl --user stop graphical-session.target"
+        "systemctl --user start hyprland-session.target"
+      ];
    };
    xwayland.enable = true;
    settings = {
@ -76,6 +80,8 @@ in {
        "${pkgs.mako}/bin/mako"
        "${pkgs.udiskie}/bin/udiskie &"
        "${pkgs.pasystray}/bin/pasystray"
+        "${pkgs.systemd}/bin/systemctl restart waybar --user"
+        "${pkgs.systemd}/bin/systemctl restart konawall-py --user"
      ];
      exec = [
      ];
@ -112,9 +118,9 @@ in {
          "$mod, G, togglegroup,"
          "$mod SHIFT, N, changegroupactive, f"
          "$mod SHIFT, P, changegroupactive, b"
-          "$mod, R, togglesplit,"
          "$mod, T, togglefloating,"
-          "$mod SHIFT, P, pseudo,"
+          "$mod SHIFT, T, togglesplit,"
+          "$mod SHIFT, X, pseudo,"
          "$mod ALT, ,resizeactive,"
          "$mod, Escape, exec, wlogout -p layer-shell"
          "$mod, L, exec, loginctl lock-session"
@ -127,6 +133,10 @@ in {
          "$mod SHIFT, right, movewindow, r"
          "$mod SHIFT, up, movewindow, u"
          "$mod SHIFT, down, movewindow, d"
+          "$mod ALT, left, movewindoworgroup, l"
+          "$mod ALT, right, movewindoworgroup, r"
+          "$mod ALT, up, movewindoworgroup, u"
+          "$mod ALT, down, movewindoworgroup, d"

          "$mod, P, exec, ${pkgs.hyprpicker}/bin/hyprpicker -na"

--- a/home/environments/hyprland/konawall.nix
+++ b/home/environments/hyprland/konawall.nix
@ -4,19 +4,6 @@
  config,
  ...
 }: let
-  systemd.user.services.konawall-py = {
-    Unit = {
-      Description = "konawall-py";
-      X-Restart-Triggers = [(toString config.xdg.configFile."konawall/config.toml".source)];
-      After = ["hyprland-session.target"];
-    };
-    Service = {
-      ExecStart = "${inputs.konawall-py.packages.${pkgs.system}.konawall-py}/bin/konawall";
-      Restart = "always";
-    };
-    Install = {WantedBy = ["hyprland-session.target"];};
-  };
-
  konawallConfig = {
    interval = 60 * 5;
    rotate = true;
@ -33,6 +20,19 @@
    };
  };
 in {
+  systemd.user.services.konawall-py = {
+    Unit = {
+      Description = "konawall-py";
+      X-Restart-Triggers = [(toString config.xdg.configFile."konawall/config.toml".source)];
+      After = ["hyprland-session.target" "network-online.target"];
+    };
+    Service = {
+      ExecStart = "${inputs.konawall-py.packages.${pkgs.system}.konawall-py}/bin/konawall";
+      Restart = "on-failure";
+      RestartSec = "1s";
+    };
+    Install = {WantedBy = ["hyprland-session.target"];};
+  };
  xdg.configFile = {
    "konawall/config.toml".source = (pkgs.formats.toml {}).generate "konawall-config" konawallConfig;
  };
--- a/home/profiles/graphical/firefox.nix
+++ b/home/profiles/graphical/firefox.nix
@ -120,7 +120,7 @@
          "beacon.enabled" = false;
          "browser.search.geoip.url" = "";
          "browser.search.region" = "CA";
-          "browser.search.suggest.enabled" = false;
+          "browser.search.suggest.enabled" = true;
          "browser.search.update" = false;
          "browser.selfsupport.url" = "";
          "extensions.getAddons.cache.enabled" = false;
--- a/home/profiles/neovim/default.nix
+++ b/home/profiles/neovim/default.nix
@ -56,6 +56,10 @@ in {
      bufferline-nvim
      # Language Server
      nvim-lspconfig
+      # tree
+      nui-nvim
+      neo-tree-nvim
+      # tree sitter
      (pkgs.vimPlugins.nvim-treesitter.withPlugins (_:
        with pkgs.tree-sitter-grammars; [
          tree-sitter-c
--- a/nixos/hardware/amd_cpu.nix
+++ b/nixos/hardware/amd_cpu.nix
@ -1,10 +0,0 @@
-{
-  config,
-  lib,
-  ...
-}: let
-  inherit (lib.modules) mkDefault;
-in {
-  boot.kernelModules = ["kvm-amd"];
-  hardware.cpu.amd.updateMicrocode = mkDefault config.hardware.enableRedistributableFirmware;
-}
--- a/nixos/hardware/amd_gpu.nix
+++ b/nixos/hardware/amd_gpu.nix
@ -1,5 +0,0 @@
-_: {
-  boot.kernelParams = [
-    "amdgpu.gpu_recovery=1"
-  ];
-}
--- a/nixos/hardware/framework/color.nix
+++ b/nixos/hardware/framework/color.nix
@ -1,8 +0,0 @@
-{
-  pkgs,
-  ...
-}: {
-  home-manager.users.kat.wayland.windowManager.hyprland.settings.exec-once = [
-    "${pkgs.colord}/bin/colormgr import-profile ${./framework-icc.icm}"
-  ];
-}
--- a/nixos/hardware/framework/imports.nix
+++ b/nixos/hardware/framework/imports.nix
@ -4,10 +4,8 @@
  ...
 }: {
  imports =
-    (with tree.nixos.hardware; [
-      amd_cpu
-      amd_gpu
-      uefi
+    (with tree.nixos.profiles; [
+        uefi
    ])
    ++ [
      inputs.nixos-hardware.outputs.nixosModules.framework-13-7040-amd
--- a/nixos/hardware/intel_cpu.nix
+++ b/nixos/hardware/intel_cpu.nix
@ -1,5 +0,0 @@
-_: let
-in {
-  boot.kernelModules = ["kvm-intel"];
-  services.thermald.enable = true;
-}
--- a/nixos/hardware/intel_gpu.nix
+++ b/nixos/hardware/intel_gpu.nix
@ -1,13 +0,0 @@
-{pkgs, ...}: {
-  services.xserver.videoDrivers = ["intel"];
-  hardware.opengl = {
-    enable = true;
-    driSupport = true;
-    extraPackages = with pkgs; [
-      intel-media-driver
-      vaapiIntel
-      vaapiVdpau
-      libvdpau-va-gl
-    ];
-  };
-}
--- a/nixos/profiles/bootable/grub.nix
+++ b/nixos/profiles/bootable/grub.nix
@ -1,8 +1,9 @@
-_: {
-  boot.loader = {
+{config, lib, ... }: let
+    inherit (lib.modules) mkIf;
+ in {
+  boot.loader = mkIf (config.boot.loader.grub.enable) {
    timeout = null;
    grub = {
-      enable = false;
      useOSProber = true;
      splashImage = ./splash.jpg;
      extraConfig = ''
--- a/nixos/profiles/bootable/zfs.nix
+++ b/nixos/profiles/bootable/zfs.nix
@ -1,14 +0,0 @@
-{
-  std,
-  config,
-  lib,
-  ...
-}: let
-  inherit (std) list;
-  inherit (lib.modules) mkDefault mkIf;
-in {
-  boot = mkIf (list.elem "zfs" config.boot.supportedFilesystems) {
-    kernelPackages = mkDefault config.boot.zfs.package.latestCompatibleLinuxPackages;
-    zfs.enableUnstable = true;
-  };
-}
--- a/nixos/profiles/uefi.nix
+++ b/nixos/profiles/uefi.nix
--- a/nixos/profiles/wireless/wifi.nix
+++ b/nixos/profiles/wireless/wifi.nix
@ -12,6 +12,7 @@ in {
  networking = {
    networkmanager = {
      enable = true;
+      wifi.backend = "iwd";
      connectionConfig = {
        "ipv6.ip6-privacy" = mkForce 0;
      };
--- a/systems/koishi.nix
+++ b/systems/koishi.nix
@ -1,71 +1,85 @@
 _: let
-  hostConfig = {
-    tree,
-    pkgs,
-    lib,
-    inputs,
-    ...
-  }: {
-    imports =
-      (with tree.nixos.hardware; [
-        framework
-      ])
-      ++ (with tree.nixos.profiles; [
+hostConfig = {
+  tree,
+  pkgs,
+  lib,
+  inputs,
+  ...
+}: {
+  imports =
+    (with tree.nixos.hardware; [
+     framework
+    ])
+    ++ (with tree.nixos.profiles; [
        graphical
+        gaming
        wireless
        laptop
        bcachefs
-      ])
-      ++ (with tree.nixos.environments; [
+    ])
+    ++ (with tree.nixos.environments; [
        hyprland
-      ]);
-    config = {
-      home-manager.users.kat.imports =
-        (with tree.home.profiles; [
-          graphical
-          devops
-        ])
-        ++ (with tree.home.environments; [
+    ]);
+  config = let
+    inherit (lib.modules) mkForce;
+  in {
+    home-manager.users.kat.imports =
+      (with tree.home.profiles; [
+       graphical
+       devops
+      ])
+      ++ (with tree.home.environments; [
          hyprland
-        ]);
+      ]);

-      environment.systemPackages = with pkgs; [
-        parsec-bin
-      ];
-
-      fileSystems = {
-        "/" = {
-          device = "/dev/disk/by-uuid/861e8815-9327-4e49-915b-73a3b0bdfa25";
-          fsType = "bcachefs";
-        };
-        "/boot" = {
-          device = "/dev/disk/by-uuid/DD84-303D";
-          fsType = "vfat";
-        };
+    environment.systemPackages = with pkgs; [
+      parsec-bin
+      sbctl
+    ];
+    services.avahi = {
+      nssmdns = true;
+      enable = true;
+      ipv4 = true;
+      ipv6 = true;
+      publish = {
+        enable = true;
+        addresses = true;
+        workstation = true;
      };
-
-      swapDevices = [
-        {device = "/dev/disk/by-uuid/04bd322e-dca0-43b8-b588-cc0ef1b1488e";}
-      ];
-
-      boot = {
-        supportedFilesystems = ["ntfs"];
-        loader = {
-          efi = {
-            canTouchEfiVariables = true;
-            efiSysMountPoint = "/boot";
-          };
-          systemd-boot.enable = true;
-        };
-      };
-
-      networking = {
-        useDHCP = false;
-      };
-
-      system.stateVersion = "24.05";
    };
+    fileSystems = {
+      "/" = {
+        device = "/dev/disk/by-uuid/861e8815-9327-4e49-915b-73a3b0bdfa25";
+        fsType = "bcachefs";
+      };
+      "/boot" = {
+        device = "/dev/disk/by-uuid/DD84-303D";
+        fsType = "vfat";
+      };
+    };
+
+    swapDevices = [
+    {device = "/dev/disk/by-uuid/04bd322e-dca0-43b8-b588-cc0ef1b1488e";}
+    ];
+
+    boot = {
+      supportedFilesystems = ["ntfs"];
+      loader = {
+        systemd-boot.enable = mkForce false;
+      };
+      lanzaboote = {
+        enable = true;
+        pkiBundle = "/etc/secureboot";
+      };
+    };
+
+    networking = {
+      useDHCP = false;
+    };
+
+    system.stateVersion = "24.05";
  };
+};
 in {
  arch = "x86_64";
  type = "NixOS";
--- a/tree.nix
+++ b/tree.nix
@ -76,6 +76,7 @@
          minecraft.nixosModules.minecraft-servers
          sops-nix.nixosModules.sops
          base16.nixosModules.base16
+          lanzaboote.nixosModules.lanzaboote
        ];
      };
    };