Compare commits


3 Commits

Author SHA1 Message Date
3c470b9a1b Update secrets config 2025-06-10 22:34:22 -04:00
d2608f594e Secureboot stuff 2025-06-10 15:24:04 -04:00
f2b4c60bad Add secureboot stuff 2025-06-10 15:10:43 -04:00
7 changed files with 228 additions and 35 deletions


@@ -3,9 +3,11 @@ keys:
- &chase age19uwxm2gynhjl9m90gckrkh76m9hjut44ak6d8969y4swhz8ypyeqvfcaas - &chase age19uwxm2gynhjl9m90gckrkh76m9hjut44ak6d8969y4swhz8ypyeqvfcaas
- &hosts: - &hosts:
- &anzu age1wdjujpvc2zd0g592a9gqa7qzz4pcans8m0tyq3m6eq9np9a3lg2s8kxf3h - &anzu age1wdjujpvc2zd0g592a9gqa7qzz4pcans8m0tyq3m6eq9np9a3lg2s8kxf3h
- &ichigo age1hpcyetyl0yrwxy0geem6z2u2kwl4hmckur7pnaaxwaylf8ata9vsv8j3wh
creation_rules: creation_rules:
- path_regex: secrets.yaml$ - path_regex: secrets.yaml$
key_groups: key_groups:
- age: - age:
- *chase - *chase
- *anzu - *anzu
- *ichigo
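Review bot: Adding `*ichigo` to the single `age:` group of the one `secrets.yaml$` rule grants that host's key decrypt access to every secret in the file, including anything only anzu needs, because a sops key group is all-or-nothing per file. If the `&ichigo` recipient is derived from the host's SSH key (the `&hosts` anchor suggests so, but the hunk does not show it), compromising either host then exposes the other host's secrets as well. A per-host rule, e.g. a constructed example `- path_regex: <hosts-dir>/ichigo/secrets.yaml$` listing only `*chase` and `*ichigo`, would limit the blast radius while the shared rule stays for genuinely shared secrets. Recipients added here do not reach existing files until `sops updatekeys` is run; the secrets.yaml section of this compare shows that step was done.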

193
flake.lock generated

@@ -51,6 +51,21 @@
"type": "github" "type": "github"
} }
}, },
"crane": {
"locked": {
"lastModified": 1731098351,
"narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=",
"owner": "ipetkov",
"repo": "crane",
"rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
@@ -67,7 +82,44 @@
"type": "github" "type": "github"
} }
}, },
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": { "flake-parts": {
"inputs": {
"nixpkgs-lib": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1730504689,
"narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "506278e768c2a08bec68eb62932193e341f55c90",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_2": {
"inputs": { "inputs": {
"nixpkgs-lib": [ "nixpkgs-lib": [
"nur", "nur",
@@ -110,6 +162,28 @@
"type": "github" "type": "github"
} }
}, },
"gitignore_2": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"pre-commit-hooks-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"home-manager": { "home-manager": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@@ -117,11 +191,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1749400020, "lastModified": 1749526396,
"narHash": "sha256-0nTmHO8AYgRYk5v6zw5oZ3x9nh+feb+Isn7WNe318M0=", "narHash": "sha256-UL9F76abAk87llXOrcQRjhd5OaOclUd6MIltsqcUZmo=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "2835e8ba0ad99ba86d4a5e497a962ec9fa35e48f", "rev": "427c96044f11a5da50faf6adaf38c9fa47e6d044",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -226,11 +300,11 @@
"xdph": "xdph" "xdph": "xdph"
}, },
"locked": { "locked": {
"lastModified": 1749410258, "lastModified": 1749540031,
"narHash": "sha256-C7X/mLccrPd87iJTRlamCsFXfWr1uFrZ3uIHFpqzw+o=", "narHash": "sha256-11k6hq/4Tao2PNBFQpSNTlFFKmKGswL17caKuZIE0sM=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "Hyprland", "repo": "Hyprland",
"rev": "231e01e39b187d9a84b4a27871eb2bc4fb5c7d84", "rev": "6bdb1f413e4c592f73d91bef33dfb202503ef7ab",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -411,6 +485,32 @@
"type": "github" "type": "github"
} }
}, },
"lanzaboote": {
"inputs": {
"crane": "crane",
"flake-compat": "flake-compat_2",
"flake-parts": "flake-parts",
"nixpkgs": [
"nixpkgs"
],
"pre-commit-hooks-nix": "pre-commit-hooks-nix",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1737639419,
"narHash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU=",
"owner": "nix-community",
"repo": "lanzaboote",
"rev": "a65905a09e2c43ff63be8c0e86a93712361f871e",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "v0.4.2",
"repo": "lanzaboote",
"type": "github"
}
},
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1744463964, "lastModified": 1744463964,
@@ -429,11 +529,27 @@
}, },
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1749237914, "lastModified": 1730741070,
"narHash": "sha256-N5waoqWt8aMr/MykZjSErOokYH6rOsMMXu3UOVH5kiw=", "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "70c74b02eac46f4e4aa071e45a6189ce0f6d9265", "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable_2": {
"locked": {
"lastModified": 1749494155,
"narHash": "sha256-FG4DEYBpROupu758beabUk9lhrblSf5hnv84v1TLqMc=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "88331c17ba434359491e8d5889cce872464052c2",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -477,18 +593,18 @@
}, },
"nur": { "nur": {
"inputs": { "inputs": {
"flake-parts": "flake-parts", "flake-parts": "flake-parts_2",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
"treefmt-nix": "treefmt-nix" "treefmt-nix": "treefmt-nix"
}, },
"locked": { "locked": {
"lastModified": 1749442228, "lastModified": 1749581904,
"narHash": "sha256-7G5q8gvYXZG5xeVg/R3VRCOMHGdpPZbpjV5VXF9Ihxw=", "narHash": "sha256-QAzSbQuxaqM33WoOGCvwKlpuGPoN1RLAJOllz/Kli0I=",
"owner": "nix-community", "owner": "nix-community",
"repo": "NUR", "repo": "NUR",
"rev": "8d54c4ce87a10f83c9ca0d9c76f7847b5e0e000a", "rev": "7f891b80637b9dc6b4254714e9cb6b435be31f86",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -543,19 +659,68 @@
"type": "github" "type": "github"
} }
}, },
"pre-commit-hooks-nix": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"gitignore": "gitignore_2",
"nixpkgs": [
"lanzaboote",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1731363552,
"narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"catppuccin": "catppuccin", "catppuccin": "catppuccin",
"home-manager": "home-manager", "home-manager": "home-manager",
"home-manager-stable": "home-manager-stable", "home-manager-stable": "home-manager-stable",
"hyprland": "hyprland", "hyprland": "hyprland",
"lanzaboote": "lanzaboote",
"nixpkgs": "nixpkgs_3", "nixpkgs": "nixpkgs_3",
"nixpkgs-stable": "nixpkgs-stable", "nixpkgs-stable": "nixpkgs-stable_2",
"nur": "nur", "nur": "nur",
"plasma-manager": "plasma-manager", "plasma-manager": "plasma-manager",
"sops-nix": "sops-nix" "sops-nix": "sops-nix"
} }
}, },
"rust-overlay": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1731897198,
"narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "0be641045af6d8666c11c2c40e45ffc9667839b5",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"sops-nix": { "sops-nix": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [


@@ -1,15 +1,26 @@
{ {
description = "A simple NixOS flake"; description = "SecureBoot-enabled NixOS config";
inputs = { inputs = {
# NixOS official package source, using unstable here
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-25.05";
home-manager = {
url = "github:nix-community/home-manager/master";
inputs.nixpkgs.follows = "nixpkgs";
};
home-manager-stable = {
url = "github:nix-community/home-manager/release-25.05";
inputs.nixpkgs.follows = "nixpkgs-stable";
};
nur = { nur = {
url = "github:nix-community/NUR"; url = "github:nix-community/NUR";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
home-manager = {
url = "github:nix-community/home-manager/master"; lanzaboote = {
url = "github:nix-community/lanzaboote/v0.4.2";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
sops-nix = { sops-nix = {
@@ -17,12 +28,6 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-25.05";
home-manager-stable = {
url = "github:nix-community/home-manager/release-25.05";
inputs.nixpkgs.follows = "nixpkgs-stable";
};
catppuccin.url = "github:catppuccin/nix"; catppuccin.url = "github:catppuccin/nix";
hyprland.url = "github:hyprwm/Hyprland"; hyprland.url = "github:hyprwm/Hyprland";
plasma-manager = { plasma-manager = {
@@ -35,6 +40,7 @@
outputs = { outputs = {
self, self,
catppuccin, catppuccin,
lanzaboote,
nur, nur,
plasma-manager, plasma-manager,
sops-nix, sops-nix,
@@ -107,7 +113,7 @@
host = hosts.anzu; host = hosts.anzu;
nixpkgs = inputs.nixpkgs; nixpkgs = inputs.nixpkgs;
home-manager = inputs.home-manager; home-manager = inputs.home-manager;
modules = []; modules = [lanzaboote.nixosModules.lanzaboote];
}; };
ichigo = mkNixOSConfigurations { ichigo = mkNixOSConfigurations {
host = hosts.ichigo; host = hosts.ichigo;
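Review bot: Only the anzu entry receives `modules = [lanzaboote.nixosModules.lanzaboote]`, so the `boot.lanzaboote` options exist for that host alone; the `ichigo = mkNixOSConfigurations {` block continues outside the hunk, and if the file that sets `boot.lanzaboote` is shared between hosts, evaluation of ichigo would fail on an undefined option. Worth confirming which host the `boot.lanzaboote` hunk in this compare belongs to, or passing the module from a common place with `enable` controlled per host. Separately, the lanzaboote input follows only `nixpkgs`, so the lock section shows it pulling in crane, rust-overlay, a second flake-parts, a second flake-compat, pre-commit-hooks-nix and an extra nixpkgs-stable pinned to `nixos-24.05`; each is another third-party source the lock now pins, and `inputs.flake-parts.follows = "nur/flake-parts";` next to the existing nixpkgs follows would collapse at least the duplicated flake-parts. The enclosing `outputs` function starts and ends outside the hunk.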


@@ -51,6 +51,7 @@
brightnessctl brightnessctl
helvum helvum
]; ];
services.hyprpolkitagent.enable = true; services.hyprpolkitagent.enable = true;
services.hyprsunset.enable = true; services.hyprsunset.enable = true;
@@ -63,6 +64,8 @@
}; };
}; };
services.network-manager-applet.enable = true;
wayland.windowManager.hyprland = { wayland.windowManager.hyprland = {
enable = false; enable = false;
package = null; package = null;


@@ -1,5 +1,6 @@
{ {
config, config,
lib,
pkgs, pkgs,
... ...
}: { }: {
@@ -29,5 +30,11 @@
#in ["${automount_opts},credentials=/etc/nixos/smb-secrets,uid=1000,gid=100"]; #in ["${automount_opts},credentials=/etc/nixos/smb-secrets,uid=1000,gid=100"];
}; };
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.lanzaboote = {
enable = true;
pkiBundle = "/var/lib/sbctl";
};
system.stateVersion = "24.11"; system.stateVersion = "24.11";
} }
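Review bot: `pkiBundle = "/var/lib/sbctl";` is a string rather than a Nix path literal, and that is the correct choice, since a path literal would copy the Secure Boot signing keys into the world-readable Nix store; it deserves a comment so nobody "fixes" it, e.g. `# keep as a string: a path literal would copy the signing keys into /nix/store`. Nothing in this commit provisions the keys, so they must already exist there (created with `sbctl create-keys`) before the first rebuild with this config, otherwise the bootloader install step fails; a comment noting that manual prerequisite would help. The `lib.mkForce false` on systemd-boot is what lanzaboote expects because it takes over the bootloader install, which is also worth one line of explanation. The assurance this buys depends on the private key under `/var/lib/sbctl` staying confidential; whether the root filesystem is encrypted is not visible here, but without it anyone with disk access can sign arbitrary boot images.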


@@ -162,6 +162,7 @@
python3 python3
qemu qemu
rustup rustup
sbctl
usbutils usbutils
wget wget
yubikey-manager yubikey-manager


@@ -5,20 +5,29 @@ sops:
- recipient: age19uwxm2gynhjl9m90gckrkh76m9hjut44ak6d8969y4swhz8ypyeqvfcaas - recipient: age19uwxm2gynhjl9m90gckrkh76m9hjut44ak6d8969y4swhz8ypyeqvfcaas
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiaFZIL1UzQWJlcG5hN29q YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaKzlYVzI5U04xbU05L28z
YTVqeXAyY05nWDJyNHZIdlNrUWFDbmZBakFRCkQwUG40MTJaZE5obldBNG9YVUlq ZGQvTG15T0t5dmgvbitxS204anBpMVROaGtvCkdJQlVmeGpCcjEyRlJRaWN6WEJv
NEVRMTl3RnhkSno3ck5NcjAwVVV2T2sKLS0tIHozVmdCWVcvcm9HZisycHlXejNM eVJ2N0RmS2ZxMGNLTHd5bUxFY2ZmdEUKLS0tIGEvM2wzZE5yd3dvSk5KRGpQbU5C
aitVV05pZ29Kb2N0OFZxZ0R0Q2RrcWsKuCuZvI6mWOlqnoWvYsGNZ0DyrutWjBiX dmh3d3RPbS9WSmF2bm12VHhwNUZ4SUEK0+efCtnuIIhotR92BNaEPyq5bGwadClp
0r5nrOw0Fp3P5YJyHss0of/aU116gTUYxJn6zqHTqKfDGRAu8kcI7Q== pEf2CRhTaSGiPHK+VRDy1X+pW+q9Jxu5Z7jesjGLdH8ypW5lpYjc3Q==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1wdjujpvc2zd0g592a9gqa7qzz4pcans8m0tyq3m6eq9np9a3lg2s8kxf3h - recipient: age1wdjujpvc2zd0g592a9gqa7qzz4pcans8m0tyq3m6eq9np9a3lg2s8kxf3h
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0dDBCQmFuTUJ1Ym5OTlRh YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2NGdjbm43T2NaK3krWmtB
UDFMd3ZKQjFrUTBZOVB2UmpSbkVRdk82WEVNCmRlVkFJZHpNbzVIbjgrN1BTb0Uv eHJMK0xyZVFGWndabmJ5aDJiRm05dlJRUlJBClZJY2Zmc0xHUXFFbHJ0dEhDN1Zh
TTlXUEhZUUtWa3hlSVR1endieExOTjQKLS0tIGJTTWlHVnNtZHRZOVkrS0NxL3do SVppL0pWRm9VbFBtempIRHQzOXR2dzgKLS0tIExxTFJMV2NBajdWNkRKSmR4YUFj
aVFNTW8yeEUvb2tLcnRpUFltSVlZVXMKSnKkMhnW7/ZOW/LkBGJZvrfE6lUT1TrB MVFubkgwWFJ2cEtWUVJCc2JvWU9NSGcKcsGs3q55cJ4dp1mdo7KOQWqF98uPsZOF
O83/WxPsN5mFz9WxqKevPNlLJaPwqJQjAS2TRYlya3uvGydpJoV7+g== zFm7oJh6LwbHJarz2m3mlUGBded4ndYrsyJbh2NjHyfUvz2XZgZRkg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1hpcyetyl0yrwxy0geem6z2u2kwl4hmckur7pnaaxwaylf8ata9vsv8j3wh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZWGNlNmdhVlRXRlN3OXo4
dEVTL01uenhEY1VVMkRveGQrQXQ2TXlvSWpZCnRoVjI2TDRpbE1FVVNMTytMb3A2
cjN0T2UyYm9idmg5dkdFUWp1a3ZHQXcKLS0tIFpnYS8veEVGMkFkMzlibHRUUUxF
TVpjTzArTkRGVFhHdzVHdWNSYm5EZjAK6iwQI8usDMhdHdphcJeoxeeidcbto1d0
NFId4dYlrplJmkI7Og8bIxLqnaEw7enIsTz49LjLdKPRDfQB+PkEJw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-06-08T19:43:47Z" lastmodified: "2025-06-08T19:43:47Z"
mac: ENC[AES256_GCM,data:9YpgBrJwWhz2utNPldpIU/ylaN2QfkSj1LvWa8sISSnuXvsBsZ8a+oNzuGDd5+Q1pSYtoiBt6viqZn65wp8x+kb9ZMJdsWoZZG2U1b3rHUsadOYarvwMVDoQ5TZFFjEOyzyCgT7ln6v1rfAKwL5LJ3Kjv6SRIb9dK51sDsVijhQ=,iv:yTlxgZoOdB7pu5iZKP+q1cXbDsTT5HgsWo4tkix8948=,tag:qJbiq+Fayx5L9V7to1ijvQ==,type:str] mac: ENC[AES256_GCM,data:9YpgBrJwWhz2utNPldpIU/ylaN2QfkSj1LvWa8sISSnuXvsBsZ8a+oNzuGDd5+Q1pSYtoiBt6viqZn65wp8x+kb9ZMJdsWoZZG2U1b3rHUsadOYarvwMVDoQ5TZFFjEOyzyCgT7ln6v1rfAKwL5LJ3Kjv6SRIb9dK51sDsVijhQ=,iv:yTlxgZoOdB7pu5iZKP+q1cXbDsTT5HgsWo4tkix8948=,tag:qJbiq+Fayx5L9V7to1ijvQ==,type:str]