diff --git a/disko/impermanence-btrfs-luks.nix b/disko/impermanence-btrfs-luks.nix index 74ce405..d688346 100644 --- a/disko/impermanence-btrfs-luks.nix +++ b/disko/impermanence-btrfs-luks.nix @@ -81,28 +81,4 @@ }; fileSystems."/persist".neededForBoot = true; - boot.initrd.postResumeCommands = lib.mkAfter '' - mkdir -p /btrfs_tmp - mount /dev/disk/by-label/nixos /btrfs_tmp - if [[ -e /btrfs_tmp/root ]]; then - mkdir -p /btrfs_tmp/old_roots - timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S") - mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp" - fi - - delete_subvolume_recursively() { - IFS=$'\n' - for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do - delete_subvolume_recursively "/btrfs_tmp/$i" - done - btrfs subvolume delete "$1" - } - - for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do - delete_subvolume_recursively "$i" - done - - btrfs subvolume create /btrfs_tmp/root - umount /btrfs_tmp - ''; } diff --git a/flake.lock b/flake.lock index e24a058..a57be61 100644 --- a/flake.lock +++ b/flake.lock @@ -293,6 +293,21 @@ "type": "github" } }, + "crane_3": { + "locked": { + "lastModified": 1753316655, + "narHash": "sha256-tzWa2kmTEN69OEMhxFy+J2oWSvZP5QhEgXp3TROOzl0=", + "owner": "ipetkov", + "repo": "crane", + "rev": "f35a3372d070c9e9ccb63ba7ce347f0634ddf3d2", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, "devenv": { "inputs": { "cachix": "cachix_2", @@ -513,6 +528,22 @@ "type": "github" } }, + "flake-compat_6": { + "flake": false, + "locked": { + "lastModified": 1747046372, + "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-parts": { "inputs": { "nixpkgs-lib": [ 
@@ -560,6 +591,27 @@ } }, "flake-parts_3": { + "inputs": { + "nixpkgs-lib": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1753121425, + "narHash": "sha256-TVcTNvOeWWk1DXljFxVRp+E0tzG1LhrVjOGGoMHuXio=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "644e0fc48951a860279da645ba77fe4a6e814c5e", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_4": { "inputs": { "nixpkgs-lib": "nixpkgs-lib" }, @@ -577,7 +629,7 @@ "type": "github" } }, - "flake-parts_4": { + "flake-parts_5": { "inputs": { "nixpkgs-lib": "nixpkgs-lib_2" }, @@ -595,7 +647,7 @@ "type": "github" } }, - "flake-parts_5": { + "flake-parts_6": { "inputs": { "nixpkgs-lib": [ "stylix", @@ -734,6 +786,28 @@ "type": "github" } }, + "gitignore_2": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "pre-commit-hooks-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, "gnome-shell": { "flake": false, "locked": { @@ -830,6 +904,29 @@ "type": "github" } }, + "lanzaboote": { + "inputs": { + "crane": "crane_3", + "flake-compat": "flake-compat_5", + "flake-parts": "flake-parts_3", + "nixpkgs": "nixpkgs_9", + "pre-commit-hooks-nix": "pre-commit-hooks-nix", + "rust-overlay": "rust-overlay_2" + }, + "locked": { + "lastModified": 1753693791, + "narHash": "sha256-pZQyCkqIFwGA77np+vqVQZgg2P0qPAI6x6kC3w6+PjE=", + "owner": "nix-community", + "repo": "lanzaboote", + "rev": "785a5701b22259b85735301b1aad19c2bee15498", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "lanzaboote", + "type": "github" + } + }, "libgit2": { "flake": false, "locked": { 
@@ -911,7 +1008,7 @@ "nvf", "nixpkgs" ], - "rust-overlay": "rust-overlay_2" + "rust-overlay": "rust-overlay_3" }, "locked": { "lastModified": 1732053863, @@ -931,7 +1028,7 @@ "inputs": { "niri-stable": "niri-stable", "niri-unstable": "niri-unstable", - "nixpkgs": "nixpkgs_10", + "nixpkgs": "nixpkgs_11", "nixpkgs-stable": "nixpkgs-stable_2", "xwayland-satellite-stable": "xwayland-satellite-stable", "xwayland-satellite-unstable": "xwayland-satellite-unstable" @@ -1104,8 +1201,8 @@ }, "nix-gaming": { "inputs": { - "flake-parts": "flake-parts_4", - "nixpkgs": "nixpkgs_11" + "flake-parts": "flake-parts_5", + "nixpkgs": "nixpkgs_12" }, "locked": { "lastModified": 1753841490, @@ -1241,8 +1338,8 @@ }, "nixos-wsl": { "inputs": { - "flake-compat": "flake-compat_5", - "nixpkgs": "nixpkgs_12" + "flake-compat": "flake-compat_6", + "nixpkgs": "nixpkgs_13" }, "locked": { "lastModified": 1753704990, @@ -1399,6 +1496,22 @@ } }, "nixpkgs_10": { + "locked": { + "lastModified": 1735523292, + "narHash": "sha256-opBsbR/nrGxiiF6XzlVluiHYb6yN/hEwv+lBWTy9xoM=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "6d97d419e5a9b36e6293887a89a078cf85f5a61b", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_11": { "locked": { "lastModified": 1753939845, "narHash": "sha256-K2ViRJfdVGE8tpJejs8Qpvvejks1+A4GQej/lBk5y7I=", @@ -1414,7 +1527,7 @@ "type": "github" } }, - "nixpkgs_11": { + "nixpkgs_12": { "locked": { "lastModified": 1753432016, "narHash": "sha256-cnL5WWn/xkZoyH/03NNUS7QgW5vI7D1i74g48qplCvg=", @@ -1430,7 +1543,7 @@ "type": "github" } }, - "nixpkgs_12": { + "nixpkgs_13": { "locked": { "lastModified": 1753429684, "narHash": "sha256-9h7+4/53cSfQ/uA3pSvCaBepmZaz/dLlLVJnbQ+SJjk=", @@ -1446,7 +1559,7 @@ "type": "github" } }, - "nixpkgs_13": { + "nixpkgs_14": { "locked": { "lastModified": 1753749649, "narHash": "sha256-+jkEZxs7bfOKfBIk430K+tK9IvXlwzqQQnppC2ZKFj4=", 
@@ -1462,7 +1575,7 @@ "type": "github" } }, - "nixpkgs_14": { + "nixpkgs_15": { "locked": { "lastModified": 1744868846, "narHash": "sha256-5RJTdUHDmj12Qsv7XOhuospjAjATNiTMElplWnJE9Hs=", @@ -1478,7 +1591,7 @@ "type": "github" } }, - "nixpkgs_15": { + "nixpkgs_16": { "locked": { "lastModified": 1751211869, "narHash": "sha256-1Cu92i1KSPbhPCKxoiVG5qnoRiKTgR5CcGSRyLpOd7Y=", @@ -1608,16 +1721,16 @@ }, "nixpkgs_9": { "locked": { - "lastModified": 1735523292, - "narHash": "sha256-opBsbR/nrGxiiF6XzlVluiHYb6yN/hEwv+lBWTy9xoM=", - "owner": "nixos", + "lastModified": 1753590935, + "narHash": "sha256-+qBmgdTYy5f6v+5fJVGiWf5SySGsxVmJia+iB5L6nbU=", + "owner": "NixOS", "repo": "nixpkgs", - "rev": "6d97d419e5a9b36e6293887a89a078cf85f5a61b", + "rev": "51a41ce9a1d46d9d1228edae97267519d42fdf28", "type": "github" }, "original": { - "owner": "nixos", - "ref": "nixpkgs-unstable", + "owner": "NixOS", + "ref": "nixos-unstable-small", "repo": "nixpkgs", "type": "github" } @@ -1704,11 +1817,11 @@ }, "nvf": { "inputs": { - "flake-parts": "flake-parts_3", + "flake-parts": "flake-parts_4", "flake-utils": "flake-utils_2", "mnw": "mnw", "nil": "nil", - "nixpkgs": "nixpkgs_9", + "nixpkgs": "nixpkgs_10", "nmd": "nmd", "plugin-aerial-nvim": "plugin-aerial-nvim", "plugin-alpha-nvim": "plugin-alpha-nvim", @@ -3802,6 +3915,32 @@ "type": "github" } }, + "pre-commit-hooks-nix": { + "inputs": { + "flake-compat": [ + "lanzaboote", + "flake-compat" + ], + "gitignore": "gitignore_2", + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1750779888, + "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "rocksdb": { "flake": false, "locked": { 
@@ -3829,6 +3968,7 @@ "emacs-kylekrein": "emacs-kylekrein", "home-manager": "home-manager_2", "impermanence": "impermanence", + "lanzaboote": "lanzaboote", "neovim": "neovim", "niri-flake": "niri-flake", "nix-darwin": "nix-darwin", @@ -3838,7 +3978,7 @@ "nixos-facter-modules": "nixos-facter-modules", "nixos-hardware": "nixos-hardware", "nixos-wsl": "nixos-wsl", - "nixpkgs": "nixpkgs_13", + "nixpkgs": "nixpkgs_14", "nixpkgs-master": "nixpkgs-master", "nixpkgs-unstable": "nixpkgs-unstable", "sops-nix": "sops-nix", @@ -3884,6 +4024,27 @@ } }, "rust-overlay_2": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1753584741, + "narHash": "sha256-i147iFSy4K4PJvID+zoszLbRi2o+YV8AyG4TUiDQ3+I=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "69dfe029679e73b8d159011c9547f6148a85ca6b", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, + "rust-overlay_3": { "inputs": { "nixpkgs": [ "neovim", @@ -3924,7 +4085,7 @@ }, "sops-nix": { "inputs": { - "nixpkgs": "nixpkgs_14" + "nixpkgs": "nixpkgs_15" }, "locked": { "lastModified": 1752544651, @@ -3947,9 +4108,9 @@ "base16-helix": "base16-helix", "base16-vim": "base16-vim", "firefox-gnome-theme": "firefox-gnome-theme", - "flake-parts": "flake-parts_5", + "flake-parts": "flake-parts_6", "gnome-shell": "gnome-shell", - "nixpkgs": "nixpkgs_15", + "nixpkgs": "nixpkgs_16", "nur": "nur", "systems": "systems_4", "tinted-foot": "tinted-foot", diff --git a/flake.nix b/flake.nix index 99e6002..84aca2d 100644 --- a/flake.nix +++ b/flake.nix @@ -68,6 +68,7 @@ }; nixos-hardware.url = "github:NixOS/nixos-hardware/master"; chaotic.url = "github:chaotic-cx/nyx/nyxpkgs-unstable"; + lanzaboote.url = "github:nix-community/lanzaboote"; }; outputs = { diff --git a/nixos/configuration.nix b/nixos/configuration.nix index d29c16b..4cf880a 100644 --- a/nixos/configuration.nix +++ b/nixos/configuration.nix 
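Review bot: `lanzaboote.url = "github:nix-community/lanzaboote";` tracks the repository's default branch, so every `nix flake update` moves the component that signs the boot chain to whatever HEAD is at that moment; the lockfile pins an exact revision, but nothing sits between an upstream push and the next set of signed boot entries. Pinning to a release tag, `lanzaboote.url = "github:nix-community/lanzaboote/<release-tag>";`, keeps those updates deliberate, which matches the input form upstream documents. The lock in this same commit also shows lanzaboote pulling in its own `nixpkgs_9` plus crane, flake-parts, pre-commit-hooks and rust-overlay entries; adding `inputs.nixpkgs.follows = "nixpkgs";` under the input avoids evaluating and building against a second nixpkgs.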
@@ -21,6 +21,7 @@ in { inputs.chaotic.nixosModules.nyx-cache inputs.chaotic.nixosModules.nyx-overlay inputs.chaotic.nixosModules.nyx-registry + inputs.lanzaboote.nixosModules.lanzaboote ./modules/firefox ./modules/flatpak ./modules/steam diff --git a/nixos/homes/kylekrein/niri.nix b/nixos/homes/kylekrein/niri.nix index 9ebe0a5..38d2c0e 100644 --- a/nixos/homes/kylekrein/niri.nix +++ b/nixos/homes/kylekrein/niri.nix @@ -369,34 +369,34 @@ in { }; Service = { ExecStart = "${pkgs.writeShellScript "autorotate" '' - transform="normal" + transform="normal" - monitor-sensor | while read -r line; do - case "$line" in - *normal*) - new_transform="normal" - ;; - *right-up*) - new_transform="270" - ;; - *bottom-up*) - new_transform="180" - ;; - *left-up*) - new_transform="90" - ;; - *) - continue - ;; - esac - - if [[ "$new_transform" != "$transform" ]]; then - transform="$new_transform" - echo "Transform: $transform" - niri msg output eDP-1 transform "$transform" - systemctl --user restart lisgd-niri.service - fi - done + monitor-sensor | while read -r line; do + case "$line" in + *normal*) + new_transform="normal" + ;; + *right-up*) + new_transform="270" + ;; + *bottom-up*) + new_transform="180" + ;; + *left-up*) + new_transform="90" + ;; + *) + continue + ;; + esac + + if [[ "$new_transform" != "$transform" ]]; then + transform="$new_transform" + echo "Transform: $transform" + niri msg output eDP-1 transform "$transform" + systemctl --user restart lisgd-niri.service + fi + done ''}"; Restart = "on-failure"; RestartSec = 5; diff --git a/nixos/hosts/kylekrein-framework12/default.nix b/nixos/hosts/kylekrein-framework12/default.nix index e39975a..09b2311 100644 --- a/nixos/hosts/kylekrein-framework12/default.nix +++ b/nixos/hosts/kylekrein-framework12/default.nix @@ -21,6 +21,7 @@ ../../users/tania ./hibernation.nix + ./secure-boot.nix ]; services.fwupd.enable = true; #fwupdmgr update 
diff --git a/nixos/hosts/kylekrein-framework12/secure-boot.nix b/nixos/hosts/kylekrein-framework12/secure-boot.nix
new file mode 100644
index 0000000..9f7a4e0
--- /dev/null
+++ b/nixos/hosts/kylekrein-framework12/secure-boot.nix
@@ -0,0 +1,27 @@
+{
+ pkgs,
+ lib,
+ hwconfig,
+ ...
+}: {
+ boot = {
+ initrd.systemd.enable = true;
+
+ loader.systemd-boot.enable = lib.mkForce false;
+
+ lanzaboote = {
+ enable = true;
+ pkiBundle =
+ #if hwconfig.useImpermanence
+ #then "/persist/system/var/lib/sbctl"
+ # else
+ "/var/lib/sbctl";
+ };
+ };
+ environment.systemPackages = [
+ # For debugging and troubleshooting Secure Boot.
+ pkgs.sbctl
+ # For tpm auto unlock
+ pkgs.tpm2-tss
+ ];
+}
diff --git a/nixos/modules/impermanence/default.nix b/nixos/modules/impermanence/default.nix
index df2703f..1f82837 100644
--- a/nixos/modules/impermanence/default.nix
+++ b/nixos/modules/impermanence/default.nix
@@ -2,8 +2,10 @@
 config,
 lib,
 inputs,
+ pkgs,
 ...
 }: let
+ isBtrfs = config.fileSystems."/".fsType == "btrfs";
 in {
 imports = [
 inputs.impermanence.nixosModules.impermanence
@@ -12,6 +14,7 @@ in {
 environment.persistence."/persist/system" = {
 hideMounts = true;
 directories = [
+ "/var/lib/sbctl"
 "/etc/nixos"
 "/var/log"
 "/var/lib/bluetooth"
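Review bot: The three commented-out `pkiBundle` lines and the `hwconfig` argument they referenced are dead code in the new file; since this commit persists `/var/lib/sbctl` through the impermanence module, the path is the same on the running system either way and the conditional is not needed. Replace the comment block with one line that records why, `# /var/lib/sbctl is bind-mounted from /persist/system by modules/impermanence`, and drop `hwconfig` from the argument set. The `# For tpm auto unlock` comment on `pkgs.tpm2-tss` overstates what a `systemPackages` entry does — installing the library neither enrolls a TPM nor binds the LUKS volume to it — so reword it to what it actually provides (presumably libtss2 for systemd's TPM2 tooling on the running system; confirm) and point to where the enrollment itself is configured.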
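Review bot: `isBtrfs = config.fileSystems."/".fsType == "btrfs";` dereferences `fileSystems."/"` unconditionally, so evaluation aborts for any host that imports this module without a root entry there (a container or WSL-style host, should one be added) instead of simply yielding `isBtrfs = false`; `isBtrfs = (config.fileSystems."/".fsType or null) == "btrfs";` gives the latter. The `pkgs` argument added to the module signature is not used in any visible hunk of this file — either a later hunk needs it or it is leftover. The binding is consumed by the rollback service added further down in the same file, outside this hunk.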
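Review bot: `"/var/lib/sbctl"` is added as a bare path, so on a host where impermanence creates the directory before `sbctl create-keys` has ever run it comes into being with impermanence's default directory mode rather than a restrictive one, and that directory is where the Secure Boot signing keys live. `{ directory = "/var/lib/sbctl"; mode = "0700"; }` keeps it root-only regardless of which tool creates it first (confirm the mode sbctl itself applies, so the two agree). The `environment.persistence."/persist/system"` attribute set this list belongs to continues past the hunk.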
@@ -47,4 +50,45 @@ in {
 ];
 programs.fuse.userAllowOther = true;
 
+
+ #https://blog.decent.id/post/nixos-systemd-initrd/
+ boot.initrd.systemd.services.btrfs-rollback-impermanence = lib.mkIf (isBtrfs && config.boot.initrd.systemd.enable) {
+ description = "Rollback BTRFS root dataset to blank snapshot";
+ wantedBy = [
+ "initrd.target"
+ ];
+ after = [
+ # LUKS/TPM process
+ "systemd-cryptsetup@root_vg.service"
+ ];
+ before = [
+ "sysroot.mount"
+ ];
+ unitConfig.DefaultDependencies = "no";
+ serviceConfig.Type = "oneshot";
+ script = ''
+ mkdir -p /btrfs_tmp
+ mount /dev/mapper/root_vg /btrfs_tmp
+ if [[ -e /btrfs_tmp/root ]]; then
+ mkdir -p /btrfs_tmp/old_roots
+ timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")
+ mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
+ fi
+
+ delete_subvolume_recursively() {
+ IFS=$'\n'
+ for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
+ delete_subvolume_recursively "/btrfs_tmp/$i"
+ done
+ btrfs subvolume delete "$1"
+ }
+
+ for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +7); do
+ delete_subvolume_recursively "$i"
+ done
+
+ btrfs subvolume create /btrfs_tmp/root
+ umount /btrfs_tmp
+ '';
+ };
 }
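Review bot: The `lib.mkIf (isBtrfs && config.boot.initrd.systemd.enable)` guard makes the rollback vanish silently on any btrfs host that still uses the scripted initrd, and the disko hunk in this same commit deletes the `postResumeCommands` fallback, so such a host boots normally but keeps its root subvolume across reboots with nothing to flag it. An assertion turns that into a build failure: `assertions = [ { assertion = isBtrfs -> config.boot.initrd.systemd.enable; message = "impermanence: btrfs root rollback requires boot.initrd.systemd.enable"; } ];`. The LUKS mapping name `root_vg` is hard-coded twice in this shared module (the `after` unit and the `mount` line) while the disko layout that defines it lives elsewhere; deriving it from `config.boot.initrd.luks.devices` or exposing it as a module option keeps the two from drifting apart. `find` comes from findutils rather than coreutils, so unless the systemd initrd already ships it the cleanup loop fails at runtime — worth confirming against the built initrd, and the newly added but otherwise unused `pkgs` argument suggests `boot.initrd.systemd.initrdBin = [ pkgs.findutils ];` may have been the intent. The enclosing `in { … }` attribute set starts before this hunk.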