kylekrein/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Secure boot, tmp unlock for framework12

Browse source
This commit is contained in:
Aleksandr Lebedev 2025-08-02 14:48:10 +02:00
parent 293eb7b5cd
commit 99f43f6646
8 changed files with 287 additions and 76 deletions
Download patch file Download diff file Expand all files Collapse all files

1
nixos/configuration.nix
View file

@ -21,6 +21,7 @@ in {
inputs.chaotic.nixosModules.nyx-cache
inputs.chaotic.nixosModules.nyx-overlay
inputs.chaotic.nixosModules.nyx-registry
inputs.lanzaboote.nixosModules.lanzaboote
./modules/firefox
./modules/flatpak
./modules/steam

54
nixos/homes/kylekrein/niri.nix
View file

@ -369,34 +369,34 @@ in {
};
Service = {
ExecStart = "${pkgs.writeShellScript "autorotate" ''
transform="normal"
transform="normal"
monitor-sensor | while read -r line; do
case "$line" in
*normal*)
new_transform="normal"
;;
*right-up*)
new_transform="270"
;;
*bottom-up*)
new_transform="180"
;;
*left-up*)
new_transform="90"
;;
*)
continue
;;
esac
if [[ "$new_transform" != "$transform" ]]; then
transform="$new_transform"
echo "Transform: $transform"
niri msg output eDP-1 transform "$transform"
systemctl --user restart lisgd-niri.service
fi
done
monitor-sensor | while read -r line; do
case "$line" in
*normal*)
new_transform="normal"
;;
*right-up*)
new_transform="270"
;;
*bottom-up*)
new_transform="180"
;;
*left-up*)
new_transform="90"
;;
*)
continue
;;
esac
if [[ "$new_transform" != "$transform" ]]; then
transform="$new_transform"
echo "Transform: $transform"
niri msg output eDP-1 transform "$transform"
systemctl --user restart lisgd-niri.service
fi
done
''}";
Restart = "on-failure";
RestartSec = 5;

1
nixos/hosts/kylekrein-framework12/default.nix
View file

@ -21,6 +21,7 @@
../../users/tania
./hibernation.nix
./secure-boot.nix
];
services.fwupd.enable = true; #fwupdmgr update

27
nixos/hosts/kylekrein-framework12/secure-boot.nix Normal file
View file

@ -0,0 +1,27 @@
{
pkgs,
lib,
hwconfig,
...
}: {
boot = {
initrd.systemd.enable = true;
loader.systemd-boot.enable = lib.mkForce false;
lanzaboote = {
enable = true;
pkiBundle =
#if hwconfig.useImpermanence
#then "/persist/system/var/lib/sbctl"
# else
"/var/lib/sbctl";
};
};
environment.systemPackages = [
# For debugging and troubleshooting Secure Boot.
pkgs.sbctl
# For tpm auto unlock
pkgs.tpm2-tss
];
}

44
nixos/modules/impermanence/default.nix
View file

@ -2,8 +2,10 @@
config,
lib,
inputs,
pkgs,
...
}: let
isBtrfs = config.fileSystems."/".fsType == "btrfs";
in {
imports = [
inputs.impermanence.nixosModules.impermanence
@ -12,6 +14,7 @@ in {
environment.persistence."/persist/system" = {
hideMounts = true;
directories = [
"/var/lib/sbctl"
"/etc/nixos"
"/var/log"
"/var/lib/bluetooth"
@ -47,4 +50,45 @@ in {
];
programs.fuse.userAllowOther = true;
#https://blog.decent.id/post/nixos-systemd-initrd/
boot.initrd.systemd.services.btrfs-rollback-impermanence = lib.mkIf (isBtrfs && config.boot.initrd.systemd.enable) {
description = "Rollback BTRFS root dataset to blank snapshot";
wantedBy = [
"initrd.target"
];
after = [
# LUKS/TPM process
"systemd-cryptsetup@root_vg.service"
];
before = [
"sysroot.mount"
];
unitConfig.DefaultDependencies = "no";
serviceConfig.Type = "oneshot";
script = ''
mkdir -p /btrfs_tmp
mount /dev/mapper/root_vg /btrfs_tmp
if [[ -e /btrfs_tmp/root ]]; then
mkdir -p /btrfs_tmp/old_roots
timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")
mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
fi
delete_subvolume_recursively() {
IFS=$'\n'
for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
delete_subvolume_recursively "/btrfs_tmp/$i"
done
btrfs subvolume delete "$1"
}
for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +7); do
delete_subvolume_recursively "$i"
done
btrfs subvolume create /btrfs_tmp/root
umount /btrfs_tmp
'';
};
}