Add x201 configuration

Create module for lanzaboote
Pim Kunis 2024-05-26 17:12:52 +02:00
parent e069bd25a2
commit 955f9e3a07
4 changed files with 134 additions and 20 deletions


@ -95,9 +95,9 @@
identityPaths = [ "/home/pim/.ssh/age_ed25519" ]; identityPaths = [ "/home/pim/.ssh/age_ed25519" ];
secrets = { secrets = {
wg-quick-home-privkey.file = ../secrets/wg-quick-home-privkey.age; wg-quick-home-privkey.file = ./secrets/wg-quick-home-privkey.age;
wg-quick-home-preshared-key.file = wg-quick-home-preshared-key.file =
../secrets/wg-quick-home-preshared-key.age; ./secrets/wg-quick-home-preshared-key.age;
}; };
}; };
@ -157,20 +157,10 @@
extraModulePackages = [ ]; extraModulePackages = [ ];
initrd = { initrd = {
availableKernelModules = [ "xhci_pci" "sd_mod" ]; availableKernelModules = [ "sd_mod" ];
kernelModules = [ ]; kernelModules = [ ];
}; };
loader = {
efi.canTouchEfiVariables = true;
systemd-boot.enable = lib.mkForce false;
};
lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
};
kernel.sysctl = { kernel.sysctl = {
"net.core.default_qdisc" = "fq"; "net.core.default_qdisc" = "fq";
"net.ipv4.tcp_congestion_control" = "bbr"; "net.ipv4.tcp_congestion_control" = "bbr";
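Review bot: With the `loader` and `lanzaboote` blocks removed after the `initrd` attrset, this file (presumably the `configuration.nix` the flake now points at) no longer selects any boot loader, so a host that does not set `pim.lanzaboote.enable` falls back to the NixOS defaults; the `x201` host added to flake.nix in this same commit is such a host, and its disko layout only creates a BIOS boot partition typed `EF02`. Unless `boot.loader.grub` is configured in a file not shown here, that host needs its own setting such as `boot.loader.grub.device = "/dev/sda";`, otherwise the build is likely to stop on the missing GRUB device. A one-line comment where the blocks were removed, e.g. `# boot loader is chosen per host: see pim.lanzaboote.enable in modules/nixos/lanzaboote.nix`, would keep the next reader from assuming secure boot is still enabled for every machine. The enclosing `boot` attrset starts and ends outside this hunk.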


@ -80,6 +80,26 @@
"type": "github" "type": "github"
} }
}, },
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1716431128,
"narHash": "sha256-t3T8HlX3udO6f4ilLcN+j5eC3m2gqsouzSGiriKK6vk=",
"owner": "nix-community",
"repo": "disko",
"rev": "7ffc4354dfeb37c8c725ae1465f04a9b45ec8606",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -338,6 +358,7 @@
"root": { "root": {
"inputs": { "inputs": {
"agenix": "agenix", "agenix": "agenix",
"disko": "disko",
"home-manager": "home-manager", "home-manager": "home-manager",
"homeage": "homeage", "homeage": "homeage",
"lanzaboote": "lanzaboote", "lanzaboote": "lanzaboote",


@ -27,6 +27,11 @@
url = "github:nix-community/lanzaboote/v0.3.0"; url = "github:nix-community/lanzaboote/v0.3.0";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
disko = {
url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs";
};
}; };
outputs = outputs =
@ -37,12 +42,12 @@
, agenix , agenix
, nur , nur
, nixos-hardware , nixos-hardware
, lanzaboote
, ... , ...
}: }@inputs:
let let
mkNixosSystem = extraModule: nixpkgs.lib.nixosSystem rec { mkNixosSystem = extraModule: nixpkgs.lib.nixosSystem rec {
system = "x86_64-linux"; system = "x86_64-linux";
specialArgs = { inherit inputs; };
modules = [ modules = [
{ {
@ -56,7 +61,8 @@
}) })
]; ];
} }
./nixos ./configuration.nix
./modules/nixos/lanzaboote.nix
agenix.nixosModules.default agenix.nixosModules.default
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager
{ {
@ -66,7 +72,6 @@
imports = [ ./home-manager homeage.homeManagerModules.homeage ]; imports = [ ./home-manager homeage.homeManagerModules.homeage ];
}; };
} }
lanzaboote.nixosModules.lanzaboote
extraModule extraModule
]; ];
}; };
@ -75,10 +80,11 @@
formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixfmt; formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixfmt;
nixosConfigurations = { nixosConfigurations = {
personal = mkNixosSystem ({ pkgs, lib, ... }: { x260 = mkNixosSystem ({ pkgs, lib, ... }: {
imports = [ nixos-hardware.nixosModules.lenovo-thinkpad-x260 ]; imports = [ nixos-hardware.nixosModules.lenovo-thinkpad-x260 ];
config = { config = {
pim.lanzaboote.enable = true;
networking.hostName = "x260"; networking.hostName = "x260";
fprintd = { fprintd = {
@ -92,7 +98,67 @@
swapDevices = [{ device = "/dev/disk/by-uuid/6028bf52-404d-4143-9cb0-9b06cd60a373"; }]; swapDevices = [{ device = "/dev/disk/by-uuid/6028bf52-404d-4143-9cb0-9b06cd60a373"; }];
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
boot.initrd.availableKernelModules = [ "ahci" "rtsx_pci_sdmmc" ]; boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "rtsx_pci_sdmmc" ];
};
});
x201 = mkNixosSystem ({ pkgs, lib, ... }: {
config = {
networking.hostName = "x201";
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usb_storage" ];
imports = [ inputs.disko.nixosModules.disko ];
disko.devices = {
disk = {
sda = {
device = "/dev/sda";
type = "disk";
content = {
type = "gpt";
partitions = {
boot = {
size = "1M";
type = "EF02"; # for grub MBR
priority = 1; # Needs to be first partition
};
pv_os = {
size = "100%";
content = {
type = "lvm_pv";
vg = "vg_os";
};
};
};
};
};
};
lvm_vg.vg_os = {
type = "lvm_vg";
lvs = {
swap = {
size = "3GB";
content.type = "swap";
};
root = {
size = "100%FREE";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
mountOptions = [ "defaults" ];
};
};
};
};
};
}; };
}); });
@ -100,6 +166,7 @@
imports = [ nixos-hardware.nixosModules.dell-xps-13-9310 ]; imports = [ nixos-hardware.nixosModules.dell-xps-13-9310 ];
config = { config = {
pim.lanzaboote.enable = true;
networking.hostName = "xps-9315"; networking.hostName = "xps-9315";
swapDevices = [{ device = "/dev/disk/by-uuid/96a43c35-0174-4e92-81f0-168a5f601f0b"; }]; swapDevices = [{ device = "/dev/disk/by-uuid/96a43c35-0174-4e92-81f0-168a5f601f0b"; }];
fileSystems = { fileSystems = {
@ -118,7 +185,7 @@
}; };
boot.initrd.luks.devices."luks-8ffd3129-4908-4209-98c4-4eb68a35c494".device = "/dev/disk/by-uuid/8ffd3129-4908-4209-98c4-4eb68a35c494"; boot.initrd.luks.devices."luks-8ffd3129-4908-4209-98c4-4eb68a35c494".device = "/dev/disk/by-uuid/8ffd3129-4908-4209-98c4-4eb68a35c494";
boot.initrd.availableKernelModules = [ "thunderbolt" "vmd" "nvme" "usb_storage" ]; boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "vmd" "nvme" "usb_storage" ];
}; };
}); });
}; };
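Review bot: In the new `x201` entry the line `imports = [ inputs.disko.nixosModules.disko ];` sits inside the `config = { ... }` attrset, while the sibling `x260` entry places `imports` next to `config`; inside `config` the module system treats `imports` as an option path that is not declared, so evaluation will most likely fail (and at best the disko module is never loaded). Move it out so the entry reads `x201 = mkNixosSystem ({ pkgs, lib, ... }: {` / `imports = [ inputs.disko.nixosModules.disko ];` / `config = {`. The `disko` input added in the first hunk is the only one without a ref in its URL (lanzaboote is pinned to `v0.3.0`); flake.lock pins the rev today, but the next `nix flake update` will follow whatever disko's default branch points to, so a tag or rev in the URL would keep the pinning explicit. Unlike the `xps-9315` entry, the x201 layout has no LUKS layer, so the `swap` LV will hold plaintext memory pages; if that is deliberate for this machine, a short comment on the `lvm_vg.vg_os` block saying so would save the question later.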


@ -0,0 +1,36 @@
{ config, lib, inputs, ... }: {
imports = [
inputs.lanzaboote.nixosModules.lanzaboote
];
options = {
pim.lanzaboote.enable = lib.mkEnableOption {
description = ''
Whether to enable lanzaboote
'';
};
};
config = lib.mkIf config.pim.lanzaboote.enable {
boot = {
# generate keys first with: `sudo nix run nixpkgs#sbctl create-keys`
# switch from lzb to bootspec by adding following line to the system configuration:
# bootspec.enable = true;
loader = {
systemd-boot.enable = lib.mkForce false;
# Use lanzaboote instead see below, default is:
# systemd-boot.enable = true;
efi = {
canTouchEfiVariables = true;
};
};
lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
};
};
};
}
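Review bot: `lib.mkEnableOption` takes the option's display name as a string, not an attrset, so the `options` block's `lib.mkEnableOption { description = ''...''; }` builds its description by interpolating a set into a string, which errors as soon as anything renders the option documentation; write it as `pim.lanzaboote.enable = lib.mkEnableOption "lanzaboote";`, or use `lib.mkOption { type = lib.types.bool; default = false; description = "..."; }` if a custom description is wanted. That description is also the right place for the prerequisite the comment in `config` only hints at: the signing keys must already exist under the `pkiBundle` path (`/etc/secureboot`) before a host turns this option on, because, as far as I know, the step that signs the boot files during the rebuild cannot run without them. The two comment lines about switching "from lzb to bootspec" and `bootspec.enable = true` describe nothing this module does and read as copied notes; replace them with one line that explains the block, e.g. `# systemd-boot is forced off because lanzaboote installs its own signed stub in its place`.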