From 955f9e3a0735e5a38d4e6a916e3db379b9470a3f Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Sun, 26 May 2024 17:12:52 +0200
Subject: [PATCH] Add x201 configuration
Create module for lanzaboote
---
 nixos/default.nix => configuration.nix | 16 +----
 flake.lock | 21 +++++++
 flake.nix | 81 +++++++++++++++++++++++---
 modules/nixos/lanzaboote.nix | 36 ++++++++++++
 4 files changed, 134 insertions(+), 20 deletions(-)
 rename nixos/default.nix => configuration.nix (91%)
 create mode 100644 modules/nixos/lanzaboote.nix
diff --git a/nixos/default.nix b/configuration.nix
similarity index 91%
rename from nixos/default.nix
rename to configuration.nix
index 5e5c4aa..0f5fda1 100644
--- a/nixos/default.nix
+++ b/configuration.nix
@@ -95,9 +95,9 @@
 identityPaths = [ "/home/pim/.ssh/age_ed25519" ];
 secrets = {
- wg-quick-home-privkey.file = ../secrets/wg-quick-home-privkey.age;
+ wg-quick-home-privkey.file = ./secrets/wg-quick-home-privkey.age;
 wg-quick-home-preshared-key.file =
- ../secrets/wg-quick-home-preshared-key.age;
+ ./secrets/wg-quick-home-preshared-key.age;
 };
 };
@@ -157,20 +157,10 @@
 extraModulePackages = [ ];
 initrd = {
- availableKernelModules = [ "xhci_pci" "sd_mod" ];
+ availableKernelModules = [ "sd_mod" ];
 kernelModules = [ ];
 };
- loader = {
- efi.canTouchEfiVariables = true;
- systemd-boot.enable = lib.mkForce false;
- };
-
- lanzaboote = {
- enable = true;
- pkiBundle = "/etc/secureboot";
- };
-
 kernel.sysctl = {
 "net.core.default_qdisc" = "fq";
 "net.ipv4.tcp_congestion_control" = "bbr";
diff --git a/flake.lock b/flake.lock
index 17777e2..eac2b56 100644
--- a/flake.lock
+++ b/flake.lock
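Review bot: Once the `loader` and `lanzaboote` blocks leave this shared file, nothing in the common configuration picks a bootloader any more, so each host must either set `pim.lanzaboote.enable` or configure its own loader; in this patch x260 and xps-9315 opt in, and x201 appears to rely on disko turning its `EF02` partition into a GRUB target (as far as I recall NixOS defaults to GRUB and then errors without `boot.loader.grub.device(s)`), which is worth confirming by evaluating `nixosConfigurations.x201` before the first deploy. A comment where the removed lines were, `# Bootloader is chosen per host: set pim.lanzaboote.enable for Secure Boot, or configure boot.loader in the host module.`, would make that contract visible to the next reader. The enclosing `boot = { … }` attribute set starts and ends outside this hunk.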
@@ -80,6 +80,26 @@
 "type": "github"
 }
 },
+ "disko": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1716431128,
+ "narHash": "sha256-t3T8HlX3udO6f4ilLcN+j5eC3m2gqsouzSGiriKK6vk=",
+ "owner": "nix-community",
+ "repo": "disko",
+ "rev": "7ffc4354dfeb37c8c725ae1465f04a9b45ec8606",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "disko",
+ "type": "github"
+ }
+ },
 "flake-compat": {
 "flake": false,
 "locked": {
@@ -338,6 +358,7 @@
 "root": {
 "inputs": {
 "agenix": "agenix",
+ "disko": "disko",
 "home-manager": "home-manager",
 "homeage": "homeage",
 "lanzaboote": "lanzaboote",
diff --git a/flake.nix b/flake.nix
index 09f644f..8ffa033 100644
--- a/flake.nix
+++ b/flake.nix
@@ -27,6 +27,11 @@
 url = "github:nix-community/lanzaboote/v0.3.0";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+
+ disko = {
+ url = "github:nix-community/disko";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
 outputs =
@@ -37,12 +42,12 @@
 , agenix
 , nur
 , nixos-hardware
- , lanzaboote
 , ...
- }:
+ }@inputs:
 let
 mkNixosSystem = extraModule: nixpkgs.lib.nixosSystem rec {
 system = "x86_64-linux";
+ specialArgs = { inherit inputs; };
 modules = [
 {
@@ -56,7 +61,8 @@
 })
 ];
 }
- ./nixos
+ ./configuration.nix
+ ./modules/nixos/lanzaboote.nix
 agenix.nixosModules.default
 home-manager.nixosModules.home-manager
 {
@@ -66,7 +72,6 @@
 imports = [ ./home-manager homeage.homeManagerModules.homeage ];
 };
 }
- lanzaboote.nixosModules.lanzaboote
 extraModule
 ];
 };
@@ -75,10 +80,11 @@
 formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixfmt;
 nixosConfigurations = {
- personal = mkNixosSystem ({ pkgs, lib, ... }: {
+ x260 = mkNixosSystem ({ pkgs, lib, ... }: {
 imports = [ nixos-hardware.nixosModules.lenovo-thinkpad-x260 ];
 config = {
+ pim.lanzaboote.enable = true;
 networking.hostName = "x260";
 fprintd = {
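Review bot: The new `disko` input is added without a ref, `url = "github:nix-community/disko";`, while the `lanzaboote` input directly above it is pinned to `v0.3.0`. flake.lock fixes the rev (`7ffc4354…`) today, but the next `nix flake update` will move a module that partitions and formats `/dev/sda` to whatever is on disko's default branch at that moment; for a tool with that blast radius, pinning a tag or commit, e.g. `url = "github:nix-community/disko/<tag-or-rev>";`, keeps that upgrade deliberate and consistent with how lanzaboote is handled. Which tag to use is not visible from here, so pick one from the repository's releases.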
@@ -92,7 +98,67 @@
 swapDevices = [{ device = "/dev/disk/by-uuid/6028bf52-404d-4143-9cb0-9b06cd60a373"; }];
 powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
- boot.initrd.availableKernelModules = [ "ahci" "rtsx_pci_sdmmc" ];
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "rtsx_pci_sdmmc" ];
+ };
+ });
+
+ x201 = mkNixosSystem ({ pkgs, lib, ... }: {
+ config = {
+ networking.hostName = "x201";
+
+ boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usb_storage" ];
+
+ imports = [ inputs.disko.nixosModules.disko ];
+
+ disko.devices = {
+ disk = {
+ sda = {
+ device = "/dev/sda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ size = "1M";
+ type = "EF02"; # for grub MBR
+ priority = 1; # Needs to be first partition
+ };
+
+ pv_os = {
+ size = "100%";
+
+ content = {
+ type = "lvm_pv";
+ vg = "vg_os";
+ };
+ };
+ };
+ };
+ };
+ };
+
+ lvm_vg.vg_os = {
+ type = "lvm_vg";
+
+ lvs = {
+ swap = {
+ size = "3GB";
+ content.type = "swap";
+ };
+
+ root = {
+ size = "100%FREE";
+
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ mountOptions = [ "defaults" ];
+ };
+ };
+ };
+ };
+ };
 };
 });
@@ -100,6 +166,7 @@
 imports = [ nixos-hardware.nixosModules.dell-xps-13-9310 ];
 config = {
+ pim.lanzaboote.enable = true;
 networking.hostName = "xps-9315";
 swapDevices = [{ device = "/dev/disk/by-uuid/96a43c35-0174-4e92-81f0-168a5f601f0b"; }];
 fileSystems = {
@@ -118,7 +185,7 @@
 };
 boot.initrd.luks.devices."luks-8ffd3129-4908-4209-98c4-4eb68a35c494".device = "/dev/disk/by-uuid/8ffd3129-4908-4209-98c4-4eb68a35c494";
- boot.initrd.availableKernelModules = [ "thunderbolt" "vmd" "nvme" "usb_storage" ];
+ boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "vmd" "nvme" "usb_storage" ];
 };
 });
 };
diff --git a/modules/nixos/lanzaboote.nix b/modules/nixos/lanzaboote.nix
new file mode 100644
index 0000000..a5435dc
--- /dev/null
+++ b/modules/nixos/lanzaboote.nix
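Review bot: `imports = [ inputs.disko.nixosModules.disko ];` sits inside `config = { ... }`, where the module system reads it as a definition of an `imports` option (which does not exist) rather than as a module import, so the host will not evaluate; the x260 and xps-9315 hosts keep `imports` beside `config` at module top level and x201 should do the same: `x201 = mkNixosSystem ({ pkgs, lib, ... }: { imports = [ inputs.disko.nixosModules.disko ]; config = { … }; });`. Separately, the disko layout puts `lvm_pv` straight on `sda` with an ext4 root and no LUKS layer, unlike xps-9315 which unlocks a LUKS device in the initrd; if that is intentional for this machine, a one-line comment on `pv_os` saying so stops the next reader from assuming it was forgotten. Nothing in the hunk sets `boot.loader.grub`, so I am assuming disko derives the GRUB device from the `EF02` partition — worth verifying on the first build.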
@@ -0,0 +1,36 @@
+{ config, lib, inputs, ... }: {
+ imports = [
+ inputs.lanzaboote.nixosModules.lanzaboote
+ ];
+
+ options = {
+ pim.lanzaboote.enable = lib.mkEnableOption {
+ description = ''
+ Whether to enable lanzaboote
+ '';
+ };
+ };
+
+ config = lib.mkIf config.pim.lanzaboote.enable {
+ boot = {
+ # generate keys first with: `sudo nix run nixpkgs#sbctl create-keys`
+ # switch from lzb to bootspec by adding following line to the system configuration:
+ # bootspec.enable = true;
+
+ loader = {
+ systemd-boot.enable = lib.mkForce false;
+ # Use lanzaboote instead see below, default is:
+ # systemd-boot.enable = true;
+
+ efi = {
+ canTouchEfiVariables = true;
+ };
+ };
+
+ lanzaboote = {
+ enable = true;
+ pkiBundle = "/etc/secureboot";
+ };
+ };
+ };
+}
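Review bot: `lib.mkEnableOption` takes the option's display name as a string, not an attribute set; the `{ description = ''…''; }` argument here gets spliced into `"Whether to enable ${name}."`, which cannot coerce a set to a string, so any evaluation that renders option docs (the NixOS manual build that `documentation.nixos.enable` switches on by default, if I recall correctly) will fail. Replace the three-line argument with `pim.lanzaboote.enable = lib.mkEnableOption "lanzaboote";`, which yields the same "Whether to enable lanzaboote." text. The comments under `boot = {` still read like the template they were copied from ("Use lanzaboote instead see below, default is:", the bootspec note); I'd reduce them to the one actionable line, `# Signing keys must exist in pkiBundle before the first switch: sudo nix run nixpkgs#sbctl create-keys`, plus a reminder that whoever can read that directory can sign anything the firmware will boot, so it has to stay root-only. Whether `sbctl create-keys` writes to `/etc/secureboot` depends on the sbctl version, so that path is worth checking against the lanzaboote docs.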