Secure boot, tmp unlock for framework12

This commit is contained in:
Aleksandr Lebedev 2025-08-02 14:48:10 +02:00
parent 293eb7b5cd
commit 99f43f6646
8 changed files with 287 additions and 76 deletions


@ -81,28 +81,4 @@
};
fileSystems."/persist".neededForBoot = true;
boot.initrd.postResumeCommands = lib.mkAfter ''
mkdir -p /btrfs_tmp
mount /dev/disk/by-label/nixos /btrfs_tmp
if [[ -e /btrfs_tmp/root ]]; then
mkdir -p /btrfs_tmp/old_roots
timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")
mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
fi
delete_subvolume_recursively() {
IFS=$'\n'
for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
delete_subvolume_recursively "/btrfs_tmp/$i"
done
btrfs subvolume delete "$1"
}
for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
delete_subvolume_recursively "$i"
done
btrfs subvolume create /btrfs_tmp/root
umount /btrfs_tmp
'';
}

flake.lock generated

@ -293,6 +293,21 @@
"type": "github"
}
},
"crane_3": {
"locked": {
"lastModified": 1753316655,
"narHash": "sha256-tzWa2kmTEN69OEMhxFy+J2oWSvZP5QhEgXp3TROOzl0=",
"owner": "ipetkov",
"repo": "crane",
"rev": "f35a3372d070c9e9ccb63ba7ce347f0634ddf3d2",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"devenv": {
"inputs": {
"cachix": "cachix_2",
@ -513,6 +528,22 @@
"type": "github"
}
},
"flake-compat_6": {
"flake": false,
"locked": {
"lastModified": 1747046372,
"narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
@ -560,6 +591,27 @@
}
},
"flake-parts_3": {
"inputs": {
"nixpkgs-lib": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1753121425,
"narHash": "sha256-TVcTNvOeWWk1DXljFxVRp+E0tzG1LhrVjOGGoMHuXio=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "644e0fc48951a860279da645ba77fe4a6e814c5e",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_4": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
@ -577,7 +629,7 @@
"type": "github"
}
},
"flake-parts_4": {
"flake-parts_5": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib_2"
},
@ -595,7 +647,7 @@
"type": "github"
}
},
"flake-parts_5": {
"flake-parts_6": {
"inputs": {
"nixpkgs-lib": [
"stylix",
@ -734,6 +786,28 @@
"type": "github"
}
},
"gitignore_2": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"pre-commit-hooks-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"gnome-shell": {
"flake": false,
"locked": {
@ -830,6 +904,29 @@
"type": "github"
}
},
"lanzaboote": {
"inputs": {
"crane": "crane_3",
"flake-compat": "flake-compat_5",
"flake-parts": "flake-parts_3",
"nixpkgs": "nixpkgs_9",
"pre-commit-hooks-nix": "pre-commit-hooks-nix",
"rust-overlay": "rust-overlay_2"
},
"locked": {
"lastModified": 1753693791,
"narHash": "sha256-pZQyCkqIFwGA77np+vqVQZgg2P0qPAI6x6kC3w6+PjE=",
"owner": "nix-community",
"repo": "lanzaboote",
"rev": "785a5701b22259b85735301b1aad19c2bee15498",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "lanzaboote",
"type": "github"
}
},
"libgit2": {
"flake": false,
"locked": {
@ -911,7 +1008,7 @@
"nvf",
"nixpkgs"
],
"rust-overlay": "rust-overlay_2"
"rust-overlay": "rust-overlay_3"
},
"locked": {
"lastModified": 1732053863,
@ -931,7 +1028,7 @@
"inputs": {
"niri-stable": "niri-stable",
"niri-unstable": "niri-unstable",
"nixpkgs": "nixpkgs_10",
"nixpkgs": "nixpkgs_11",
"nixpkgs-stable": "nixpkgs-stable_2",
"xwayland-satellite-stable": "xwayland-satellite-stable",
"xwayland-satellite-unstable": "xwayland-satellite-unstable"
@ -1104,8 +1201,8 @@
},
"nix-gaming": {
"inputs": {
"flake-parts": "flake-parts_4",
"nixpkgs": "nixpkgs_11"
"flake-parts": "flake-parts_5",
"nixpkgs": "nixpkgs_12"
},
"locked": {
"lastModified": 1753841490,
@ -1241,8 +1338,8 @@
},
"nixos-wsl": {
"inputs": {
"flake-compat": "flake-compat_5",
"nixpkgs": "nixpkgs_12"
"flake-compat": "flake-compat_6",
"nixpkgs": "nixpkgs_13"
},
"locked": {
"lastModified": 1753704990,
@ -1399,6 +1496,22 @@
}
},
"nixpkgs_10": {
"locked": {
"lastModified": 1735523292,
"narHash": "sha256-opBsbR/nrGxiiF6XzlVluiHYb6yN/hEwv+lBWTy9xoM=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "6d97d419e5a9b36e6293887a89a078cf85f5a61b",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_11": {
"locked": {
"lastModified": 1753939845,
"narHash": "sha256-K2ViRJfdVGE8tpJejs8Qpvvejks1+A4GQej/lBk5y7I=",
@ -1414,7 +1527,7 @@
"type": "github"
}
},
"nixpkgs_11": {
"nixpkgs_12": {
"locked": {
"lastModified": 1753432016,
"narHash": "sha256-cnL5WWn/xkZoyH/03NNUS7QgW5vI7D1i74g48qplCvg=",
@ -1430,7 +1543,7 @@
"type": "github"
}
},
"nixpkgs_12": {
"nixpkgs_13": {
"locked": {
"lastModified": 1753429684,
"narHash": "sha256-9h7+4/53cSfQ/uA3pSvCaBepmZaz/dLlLVJnbQ+SJjk=",
@ -1446,7 +1559,7 @@
"type": "github"
}
},
"nixpkgs_13": {
"nixpkgs_14": {
"locked": {
"lastModified": 1753749649,
"narHash": "sha256-+jkEZxs7bfOKfBIk430K+tK9IvXlwzqQQnppC2ZKFj4=",
@ -1462,7 +1575,7 @@
"type": "github"
}
},
"nixpkgs_14": {
"nixpkgs_15": {
"locked": {
"lastModified": 1744868846,
"narHash": "sha256-5RJTdUHDmj12Qsv7XOhuospjAjATNiTMElplWnJE9Hs=",
@ -1478,7 +1591,7 @@
"type": "github"
}
},
"nixpkgs_15": {
"nixpkgs_16": {
"locked": {
"lastModified": 1751211869,
"narHash": "sha256-1Cu92i1KSPbhPCKxoiVG5qnoRiKTgR5CcGSRyLpOd7Y=",
@ -1608,16 +1721,16 @@
},
"nixpkgs_9": {
"locked": {
"lastModified": 1735523292,
"narHash": "sha256-opBsbR/nrGxiiF6XzlVluiHYb6yN/hEwv+lBWTy9xoM=",
"owner": "nixos",
"lastModified": 1753590935,
"narHash": "sha256-+qBmgdTYy5f6v+5fJVGiWf5SySGsxVmJia+iB5L6nbU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "6d97d419e5a9b36e6293887a89a078cf85f5a61b",
"rev": "51a41ce9a1d46d9d1228edae97267519d42fdf28",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixpkgs-unstable",
"owner": "NixOS",
"ref": "nixos-unstable-small",
"repo": "nixpkgs",
"type": "github"
}
@ -1704,11 +1817,11 @@
},
"nvf": {
"inputs": {
"flake-parts": "flake-parts_3",
"flake-parts": "flake-parts_4",
"flake-utils": "flake-utils_2",
"mnw": "mnw",
"nil": "nil",
"nixpkgs": "nixpkgs_9",
"nixpkgs": "nixpkgs_10",
"nmd": "nmd",
"plugin-aerial-nvim": "plugin-aerial-nvim",
"plugin-alpha-nvim": "plugin-alpha-nvim",
@ -3802,6 +3915,32 @@
"type": "github"
}
},
"pre-commit-hooks-nix": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"gitignore": "gitignore_2",
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1750779888,
"narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"rocksdb": {
"flake": false,
"locked": {
@ -3829,6 +3968,7 @@
"emacs-kylekrein": "emacs-kylekrein",
"home-manager": "home-manager_2",
"impermanence": "impermanence",
"lanzaboote": "lanzaboote",
"neovim": "neovim",
"niri-flake": "niri-flake",
"nix-darwin": "nix-darwin",
@ -3838,7 +3978,7 @@
"nixos-facter-modules": "nixos-facter-modules",
"nixos-hardware": "nixos-hardware",
"nixos-wsl": "nixos-wsl",
"nixpkgs": "nixpkgs_13",
"nixpkgs": "nixpkgs_14",
"nixpkgs-master": "nixpkgs-master",
"nixpkgs-unstable": "nixpkgs-unstable",
"sops-nix": "sops-nix",
@ -3884,6 +4024,27 @@
}
},
"rust-overlay_2": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1753584741,
"narHash": "sha256-i147iFSy4K4PJvID+zoszLbRi2o+YV8AyG4TUiDQ3+I=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "69dfe029679e73b8d159011c9547f6148a85ca6b",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"rust-overlay_3": {
"inputs": {
"nixpkgs": [
"neovim",
@ -3924,7 +4085,7 @@
},
"sops-nix": {
"inputs": {
"nixpkgs": "nixpkgs_14"
"nixpkgs": "nixpkgs_15"
},
"locked": {
"lastModified": 1752544651,
@ -3947,9 +4108,9 @@
"base16-helix": "base16-helix",
"base16-vim": "base16-vim",
"firefox-gnome-theme": "firefox-gnome-theme",
"flake-parts": "flake-parts_5",
"flake-parts": "flake-parts_6",
"gnome-shell": "gnome-shell",
"nixpkgs": "nixpkgs_15",
"nixpkgs": "nixpkgs_16",
"nur": "nur",
"systems": "systems_4",
"tinted-foot": "tinted-foot",


@ -68,6 +68,7 @@
};
nixos-hardware.url = "github:NixOS/nixos-hardware/master";
chaotic.url = "github:chaotic-cx/nyx/nyxpkgs-unstable";
lanzaboote.url = "github:nix-community/lanzaboote";
};
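Review bot: The new `lanzaboote.url` input has no `inputs.nixpkgs.follows`, so lanzaboote evaluates its own nixpkgs — the lock file in this same commit shows it as a separate `nixpkgs_9` tracking `nixos-unstable-small`, distinct from the root `nixpkgs_14` the system is built from. For a component that produces the signed boot chain, a second independently moving package tree is extra supply-chain surface to audit and update. I would add `lanzaboote.inputs.nixpkgs.follows = "nixpkgs";` next to the url, and consider pinning the input to an upstream release tag instead of the default branch (the exact tag is not visible here). The lock file already pins a specific rev, so the current state is at least reproducible.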
outputs = {


@ -21,6 +21,7 @@ in {
inputs.chaotic.nixosModules.nyx-cache
inputs.chaotic.nixosModules.nyx-overlay
inputs.chaotic.nixosModules.nyx-registry
inputs.lanzaboote.nixosModules.lanzaboote
./modules/firefox
./modules/flatpak
./modules/steam


@ -369,34 +369,34 @@ in {
};
Service = {
ExecStart = "${pkgs.writeShellScript "autorotate" ''
transform="normal"
transform="normal"
monitor-sensor | while read -r line; do
case "$line" in
*normal*)
new_transform="normal"
;;
*right-up*)
new_transform="270"
;;
*bottom-up*)
new_transform="180"
;;
*left-up*)
new_transform="90"
;;
*)
continue
;;
esac
if [[ "$new_transform" != "$transform" ]]; then
transform="$new_transform"
echo "Transform: $transform"
niri msg output eDP-1 transform "$transform"
systemctl --user restart lisgd-niri.service
fi
done
monitor-sensor | while read -r line; do
case "$line" in
*normal*)
new_transform="normal"
;;
*right-up*)
new_transform="270"
;;
*bottom-up*)
new_transform="180"
;;
*left-up*)
new_transform="90"
;;
*)
continue
;;
esac
if [[ "$new_transform" != "$transform" ]]; then
transform="$new_transform"
echo "Transform: $transform"
niri msg output eDP-1 transform "$transform"
systemctl --user restart lisgd-niri.service
fi
done
''}";
Restart = "on-failure";
RestartSec = 5;


@ -21,6 +21,7 @@
../../users/tania
./hibernation.nix
./secure-boot.nix
];
services.fwupd.enable = true; #fwupdmgr update


@ -0,0 +1,27 @@
{
pkgs,
lib,
hwconfig,
...
}: {
boot = {
initrd.systemd.enable = true;
loader.systemd-boot.enable = lib.mkForce false;
lanzaboote = {
enable = true;
pkiBundle =
#if hwconfig.useImpermanence
#then "/persist/system/var/lib/sbctl"
# else
"/var/lib/sbctl";
};
};
environment.systemPackages = [
# For debugging and troubleshooting Secure Boot.
pkgs.sbctl
# For tpm auto unlock
pkgs.tpm2-tss
];
}
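Review bot: Nothing in this file actually configures TPM unlock: `pkgs.tpm2-tss` in `environment.systemPackages` is a userland library and, as far as I can tell, does not affect `systemd-cryptsetup` in the stage-1 initrd (that support comes from systemd itself once `initrd.systemd.enable = true`), so the real enrollment (`systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=... <luks-dev>`) happens out of band and its PCR policy is not captured anywhere in the config. I would replace the `# For tpm auto unlock` comment with one that records the actual policy, e.g. `# TPM2 unlock is enrolled manually with systemd-cryptenroll; keys are bound to PCR 7 (Secure Boot state) — confirm and consider --tpm2-with-pin=yes`, since binding to Secure Boot state alone means anyone who can power on the laptop gets the disk unlocked up to the login prompt. The `pkiBundle` branch on `hwconfig.useImpermanence` is commented out and `hwconfig` is otherwise unused; the plain `/var/lib/sbctl` path only works on impermanence hosts because impermanence.nix persists that directory, so a comment like `# Signing keys (PK/KEK/db) live here; persisted via environment.persistence on impermanence hosts` would make that dependency explicit. It is also worth a one-line reminder that these are the private Secure Boot signing keys and must stay on the encrypted root, and that firmware still needs `sbctl enroll-keys` before Secure Boot is switched on.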


@ -2,8 +2,10 @@
config,
lib,
inputs,
pkgs,
...
}: let
isBtrfs = config.fileSystems."/".fsType == "btrfs";
in {
imports = [
inputs.impermanence.nixosModules.impermanence
@ -12,6 +14,7 @@ in {
environment.persistence."/persist/system" = {
hideMounts = true;
directories = [
"/var/lib/sbctl"
"/etc/nixos"
"/var/log"
"/var/lib/bluetooth"
@ -47,4 +50,45 @@ in {
];
programs.fuse.userAllowOther = true;
#https://blog.decent.id/post/nixos-systemd-initrd/
boot.initrd.systemd.services.btrfs-rollback-impermanence = lib.mkIf (isBtrfs && config.boot.initrd.systemd.enable) {
description = "Rollback BTRFS root dataset to blank snapshot";
wantedBy = [
"initrd.target"
];
after = [
# LUKS/TPM process
"systemd-cryptsetup@root_vg.service"
];
before = [
"sysroot.mount"
];
unitConfig.DefaultDependencies = "no";
serviceConfig.Type = "oneshot";
script = ''
mkdir -p /btrfs_tmp
mount /dev/mapper/root_vg /btrfs_tmp
if [[ -e /btrfs_tmp/root ]]; then
mkdir -p /btrfs_tmp/old_roots
timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")
mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
fi
delete_subvolume_recursively() {
IFS=$'\n'
for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
delete_subvolume_recursively "/btrfs_tmp/$i"
done
btrfs subvolume delete "$1"
}
for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +7); do
delete_subvolume_recursively "$i"
done
btrfs subvolume create /btrfs_tmp/root
umount /btrfs_tmp
'';
};
}
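Review bot: The rollback unit is only ordered `after` `systemd-cryptsetup@root_vg.service`, not `requires`, and the `root_vg` mapper name is hard-coded in a module that is shared by every btrfs host (the `isBtrfs` gate), so on a host where the LUKS mapping is named differently or the cryptsetup unit is not pulled in, `mount /dev/mapper/root_vg` fails, the oneshot fails, and because it is merely `wantedBy initrd.target` boot continues with the previous `root` subvolume — impermanence silently disabled, i.e. fail-open for a setup whose purpose is to wipe state every boot. I would add `requires = [ "systemd-cryptsetup@root_vg.service" ];` beside `after`, and if the rollback is meant to be fail-closed, `requiredBy = [ "sysroot.mount" ];` so `sysroot.mount` does not proceed when the rollback failed; the device name could come from the host's `config.boot.initrd.luks.devices` instead of a literal. Please also confirm `find` is available in the systemd initrd — the default `initrdBin` set ships bash/coreutils/util-linux, and findutils may need `boot.initrd.systemd.extraBin`. The `pkgs` argument added at the top of the file is not used in any visible hunk.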