diff --git a/README.md b/README.md
index bc0ab48..7873b41 100644
--- a/README.md
+++ b/README.md
@@ -82,15 +82,17 @@
 5. Deploy system
 ### Add secureboot to new systems
-1. generate keys with `sbct create-keys'
-1. tar the resulting folder using `tar cvf secureboot.tar -C /etc/secureboot`
+1. generate keys with `sbct create-keys`
+1. tar the resulting folder using `tar cvf secureboot.tar -C /etc/secureboot .`
 1. Copy the tar to local using scp and encrypt it using rage
+ - `rage -e -R ./secrets/recipients.txt secureboot.tar -o /secrets/secureboot.tar.age`
 1. safe the encrypted archive to `hosts//secrets/secureboot.tar.age`
 1. *DO NOT* forget to delete the unecrypted archives
-1. link `/run/secureboot` to `/etc/secureboot`
-1. This is necesarry since for your next apply the rekeyed keys are not yet available but needed for signing the boot files
+1. Deploy your system with lanzaboote enabled
+ - link `/run/secureboot` to `/etc/secureboot`
+ - This is necesarry since for your this apply the rekeyed keys are not yet available but already needed for signing the boot files
 1. ensure the boot files are signed using `sbctl verify`
-1. Now reboot the computer into BIOS and enable secureboot
+1. Now reboot the computer into BIOS and enable secureboot, this may include removing any existing old keys
 1. bootctl should now read `Secure Boot: disabled (setup)`
 1. you can now enroll your secureboot keys using
@@ -98,7 +98,7 @@ If you want to be able to boot microsoft signed images append `--microsoft`
 1. Time to reboot and pray
-TPM keys
+### Add luks encryption TPM keys
 `systemd-cryptenroll --tpm2-pcrs=7+8+9 --tpm2-with-pin={yes/no} --tpm2-device=auto `
diff --git a/flake.lock b/flake.lock
index 9872da2..f02f85e 100644
--- a/flake.lock
+++ b/flake.lock
@@ -11,11 +11,11 @@
 ]
 },
 "locked": {
- "lastModified": 1695384796,
+ "lastModified": 1696775529,
 "narHash": "sha256-TYlE4B0ktPtlJJF9IFxTWrEeq+XKG8Ny0gc2FGEAdj0=",
 "owner": "ryantm",
 "repo": "agenix",
- "rev": "1f677b3e161d3bdbfd08a939e8f25de2568e0ef4",
+ "rev": "daf42cb35b2dc614d1551e37f96406e4c4a2d3e4",
 "type": "github"
 },
 "original": {
@@ -174,11 +174,11 @@
 ]
 },
 "locked": {
- "lastModified": 1696266752,
- "narHash": "sha256-wJnMDFM21+xXdsXSs6pXMElbv4YfqmQslcPApRuaYKs=",
+ "lastModified": 1696814493,
+ "narHash": "sha256-1qArVsJGG2RHbV2iKFpAmM5os3myvwpXMOdFy5nh54M=",
 "owner": "nix-community",
 "repo": "disko",
- "rev": "646ee25c25fffee122a66282861f5f56ad3e0fd9",
+ "rev": "32ce057c183506cecb0b84950e4eaf39f37e8c75",
 "type": "github"
 },
 "original": {
@@ -296,11 +296,11 @@
 ]
 },
 "locked": {
- "lastModified": 1696203690,
- "narHash": "sha256-774XMEL7VHSTLDYVkqrbl5GCdmkVKsjMs+KLM4N4t7k=",
+ "lastModified": 1696343447,
+ "narHash": "sha256-B2xAZKLkkeRFG5XcHHSXXcP7To9Xzr59KXeZiRf4vdQ=",
 "owner": "hercules-ci",
 "repo": "flake-parts",
- "rev": "21928e6758af0a258002647d14363d5ffc85545b",
+ "rev": "c9afaba3dfa4085dbd2ccb38dfade5141e33d9d4",
 "type": "github"
 },
 "original": {
@@ -471,11 +471,11 @@
 ]
 },
 "locked": {
- "lastModified": 1696409884,
- "narHash": "sha256-hz3i4wFJHoTIAEI19oF1fiPn6TpV+VuTSOrSHUoJMgs=",
+ "lastModified": 1696737557,
+ "narHash": "sha256-YD/pjDjj/BNmisEvRdM/vspkCU3xyyeGVAUWhvVSi5Y=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "8aef005d44ee726911e9f793495bb40f2fbf5a05",
+ "rev": "3c1d8758ac3f55ab96dcaf4d271c39da4b6e836d",
 "type": "github"
 },
 "original": {
@@ -553,11 +553,11 @@
 "nixpkgs-lib": "nixpkgs-lib"
 },
 "locked": {
- "lastModified": 1696162106,
- "narHash": "sha256-72gAqduG8CpBFWchiO4DxZClux5HAti4frrrYGr/5xo=",
+ "lastModified": 1696766909,
+ "narHash": "sha256-lU1BmCWpQ9cx64YnJKc89lMg9cx4pCokXIbh5J//2t0=",
 "owner": "nix-community",
 "repo": "lib-aggregate",
- "rev": "273cc814826475216b2a8aa008697b939e784514",
+ "rev": "9f495e4feea66426589cbb59ac8b972993b5d872",
 "type": "github"
 },
 "original": {
@@ -573,11 +573,11 @@
 "treefmt-nix": "treefmt-nix"
 },
 "locked": {
- "lastModified": 1696208796,
- "narHash": "sha256-dGhlQ0TeiJhbtEk40ddbJ9Fz4kDa/JfU22F34iYJwu8=",
+ "lastModified": 1696813662,
+ "narHash": "sha256-dQTBtvjdzKa7+ViWiDdnBpdtDS4FD+gWuJJrfIrxSkc=",
 "owner": "nix-community",
 "repo": "nix-eval-jobs",
- "rev": "82cede4edd01989095040b55d0212d61a65fc5fd",
+ "rev": "7cdbfd5ffe59fe54fd5c44be96f58c45e25d5b62",
 "type": "github"
 },
 "original": {
@@ -593,11 +593,11 @@
 ]
 },
 "locked": {
- "lastModified": 1696131323,
- "narHash": "sha256-Y47r8Jo+9rs+XUWHcDPZtkQs6wFeZ24L4CQTfVwE+vY=",
+ "lastModified": 1696736548,
+ "narHash": "sha256-Dg0gJ9xVXud55sAbXspMapFYZOpVAldQQo7MFp91Vb0=",
 "owner": "nix-community",
 "repo": "nix-index-database",
- "rev": "031d4b22505fdea47bd53bfafad517cd03c26a4f",
+ "rev": "2902dc66f64f733bfb45754e984e958e9fe7faf9",
 "type": "github"
 },
 "original": {
@@ -644,11 +644,11 @@
 },
 "nixos-hardware": {
 "locked": {
- "lastModified": 1696161939,
- "narHash": "sha256-HI1DxS//s46/qv9dcW06TzXaBjxL2DVTQP8R1QsnHzM=",
+ "lastModified": 1696614066,
+ "narHash": "sha256-nAyYhO7TCr1tikacP37O9FnGr2USOsVBD3IgvndUYjM=",
 "owner": "nixos",
 "repo": "nixos-hardware",
- "rev": "0ab3ee718e964fb42dc57ace6170f19cb0b66532",
+ "rev": "bb2db418b616fea536b1be7f6ee72fb45c11afe0",
 "type": "github"
 },
 "original": {
@@ -659,11 +659,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1696193975,
- "narHash": "sha256-mnQjUcYgp9Guu3RNVAB2Srr1TqKcPpRXmJf4LJk6KRY=",
+ "lastModified": 1696604326,
+ "narHash": "sha256-YXUNI0kLEcI5g8lqGMb0nh67fY9f2YoJsILafh6zlMo=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "fdd898f8f79e8d2f99ed2ab6b3751811ef683242",
+ "rev": "87828a0e03d1418e848d3dd3f3014a632e4a4f64",
 "type": "github"
 },
 "original": {
@@ -675,11 +675,11 @@
 },
 "nixpkgs-lib": {
 "locked": {
- "lastModified": 1696121361,
- "narHash": "sha256-sstnEW0Qwqo3MHmy1In/hJHjypfsSDlnhegNKw5eplk=",
+ "lastModified": 1696726172,
+ "narHash": "sha256-89yxFXzTA7JRyWo6hg7SD4DlS/ejYt8Y8IvGZHbSWsg=",
 "owner": "nix-community",
 "repo": "nixpkgs.lib",
- "rev": "56992d3dfd3b8cee5c5b5674c1a477446839b6ad",
+ "rev": "59da6ac0c02c48aa92dee37057f978412797db2a",
 "type": "github"
 },
 "original": {
@@ -746,11 +746,11 @@
 ]
 },
 "locked": {
- "lastModified": 1696436453,
- "narHash": "sha256-S/lyJ9ZrCSJML6m8jiIrYBaFhjl+Rmm4lqd1fGVYjM0=",
+ "lastModified": 1696843042,
+ "narHash": "sha256-2ykZDYtBaFXWc4zHUEknecBSIOM0e7CUKqMHNZPKlbU=",
 "owner": "nix-community",
 "repo": "nixpkgs-wayland",
- "rev": "c2621389c63551781ea31d08d20e5f11dc2ef3fd",
+ "rev": "4c7744c36f1f53a42da3c303ebdd05a668269a18",
 "type": "github"
 },
 "original": {
@@ -761,11 +761,11 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1696207572,
- "narHash": "sha256-w24NTSMrc7bMIQP5Y8BFsKbpYjbRh/+ptf/9gCEFrKo=",
+ "lastModified": 1696810678,
+ "narHash": "sha256-XAw8D1ZEbdqwhSvn8RsgeeNrDktx4YSikTb5V4ArsrA=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "fe0b3b663e98c85db7f08ab3a4ac318c523c0684",
+ "rev": "35c640b19a189ce3a86698ce2fdcd87d085a339b",
 "type": "github"
 },
 "original": {
@@ -898,11 +898,11 @@
 "nixpkgs-stable": "nixpkgs-stable_3"
 },
 "locked": {
- "lastModified": 1696158581,
- "narHash": "sha256-h0vY4E7Lx95lpYQbG2w4QH4yG5wCYOvPJzK93wVQbT0=",
+ "lastModified": 1696846637,
+ "narHash": "sha256-0hv4kbXxci2+pxhuXlVgftj/Jq79VSmtAyvfabCCtYk=",
 "owner": "cachix",
 "repo": "pre-commit-hooks.nix",
- "rev": "033453f85064ccac434dfd957f95d8457901ecd6",
+ "rev": "42e1b6095ef80a51f79595d9951eb38e91c4e6ca",
 "type": "github"
 },
 "original": {
@@ -1056,11 +1056,11 @@
 },
 "templates": {
 "locked": {
- "lastModified": 1685790891,
- "narHash": "sha256-ch0Q6JVV0Dfsd7FMGVrxR+r657pnI535jEuHfO6S1Go=",
+ "lastModified": 1696855554,
+ "narHash": "sha256-9VYXESOCqGGZ8HHl4LN51k+74Kf5Nf9czoqqIN7IEo0=",
 "ref": "refs/heads/main",
- "rev": "6702d07d398f1fd676a15b8f727845fb8fe45cfb",
- "revCount": 6,
+ "rev": "a6c35c2af9f26599e81002630329054b99efbe79",
+ "revCount": 11,
 "type": "git",
 "url": "https://git.lel.lol/patrick/nix-templates.git"
 },
diff --git a/hosts/desktopnix/default.nix b/hosts/desktopnix/default.nix
index bef283b..d960a6b 100644
--- a/hosts/desktopnix/default.nix
+++ b/hosts/desktopnix/default.nix
@@ -10,6 +10,7 @@
 ../../modules/graphical
 ../../modules/optional/xserver.nix
+ ../../modules/optional/secureboot.nix
 ../../modules/hardware/bluetooth.nix
 ../../modules/hardware/intel.nix
diff --git a/hosts/desktopnix/secrets/secureboot.tar.age b/hosts/desktopnix/secrets/secureboot.tar.age
new file mode 100644
index 0000000..67e9ea8
Binary files /dev/null and b/hosts/desktopnix/secrets/secureboot.tar.age differ
diff --git a/modules/config/nix.nix b/modules/config/nix.nix
index f584a4c..fe14425 100644
--- a/modules/config/nix.nix
+++ b/modules/config/nix.nix
@@ -1,6 +1,7 @@
 {
 inputs,
 stateVersion,
+ pkgs,
 ...
 }: {
 nix = {
@@ -49,5 +50,6 @@
 templates.flake = inputs.templates;
 };
 };
+ programs.nix-ld.enable = true;
 system.stateVersion = stateVersion;
 }
diff --git a/secrets/smb.cred.age b/secrets/smb.cred.age
index 8a1120b..a0f9d84 100644
--- a/secrets/smb.cred.age
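Review bot: The new `../../modules/optional/secureboot.nix` import in hosts/desktopnix/default.nix gives no hint that it depends on the `hosts/desktopnix/secrets/secureboot.tar.age` blob added in this same commit, nor that the first deployment needs the manual `/run/secureboot` → `/etc/secureboot` link the README hunk describes. Someone who later copies this host layout to a new machine will miss that bootstrap step and end up with unsigned boot files. A one-line comment on the import, `# needs secrets/secureboot.tar.age; first apply requires the /run/secureboot link (README: Add secureboot to new systems)`, ties the three pieces together. The imports list starts and ends outside the hunk.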
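Review bot: `pkgs` is added to the module's argument set in the first nix.nix hunk, but neither hunk uses it; either an intended `programs.nix-ld.libraries = with pkgs; [ ... ];` never made it into the commit, or the parameter should be dropped so the module does not advertise a dependency it lacks. The `programs.nix-ld.enable = true;` line in the second hunk also lands without a comment in a file that otherwise only holds `nix = { ... }` settings, and since nix-ld exists to let unpatched, dynamically linked binaries from outside the store run, the reason it is wanted system-wide belongs next to it: `programs.nix-ld.enable = true; # run prebuilt ELF binaries that expect an FHS loader path; keep the library set explicit`. The module body between the two hunks is outside this diff.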
+++ b/secrets/smb.cred.age
@@ -1,11 +1,14 @@
 age-encryption.org/v1
--> X25519 3VPtgGs+YkYHBe63OyhOuUVL/fVX//XSizOdLHR3wDI
-I/a7lYzVFGXLuBGtvn9hbsq6Tb5NMjgb6C0x44AW9hc
--> piv-p256 XTQkUA A8ttYGbQD9jY7zA2X3SDynQy6WCOsp9qUenalQ0KtbPx
-ssWdY0MKCJ33cVLLxR8Kv1wLbEz6F6MrV/yRcZK5fuk
--> piv-p256 ZFgiIw Aqe9ZNtlViD+o+pMDP0F1FtUGFw35KmHyhjnFB4XVPRK
-+I0y5TtoxGBla/46dk0tEzBEakHdb//m9ts92QCm7XA
--> --grease S[|%w\&o t$efh*] jl8~ cB\tOaM
-DpG7+qrkZLPtzRtZ38GatDO2rthpFyT93E/pqizz69QK0OXgv4ZAjA
---- f7oAB4l0kZpBDfwwwUwH/g76YX7GhbSIw2WCTNcg6dc
-ӧ1vzzN9xt!Cr_DGؘVcr*[PRtCŠMR%oX@sf!!b&1>]
\ No newline at end of file
+-> X25519 g3YIxGyN1eZ+1EBvmDOidwML6GtFdSDZdqmgcoXStkU
+CX8+qiwK+8snDkwzQ4hjP1LvXFuSIGjzGzB8ZXoZFgY
+-> piv-p256 XTQkUA A+v6zX1feVTgp7PcQVxdVb9f+swtpTREyjDfi00AgTEE
+MVwPR6qqPmNrhStXBN4JqzGLiKaQQkoQBUGzknUpLgs
+-> piv-p256 ZFgiIw A37uVQyzvorE7+GOYcSNpGvwVfxqh1OJYz5lQ5+sIQ+m
+AJqdNjxgifzfmYTXn5XTPC4DHY3r982xmSQU/HirrrM
+-> piv-p256 ZFgiIw Am/nyZaSfikZr+OdP9qhIjhRfUSRwlxUclus3Bahl1Ed
++IWfzeNXvFO5Q/s8XJkGCJguMHiuTM5dnks9M9pRw/M
+-> qPGW+-grease
+VsuA9wcfbxca5OGjj6gOm2z4sivSF2lzhHM5gOznobFeMZDAbv8i+G0KPepxwalM
+/CAzsYTmY5Qb6abKb2zAFNQ
+--- eJn/i1/7jmP6oCQ6a3oRiAkSf6IKhVnLBIc2Dm1EmeQ
+=zrsr߷ p5֎.+Nq…)N@iQ͠_ޙ?13ȗ^&{*,}zB
\ No newline at end of file
diff --git a/users/patrick/default.nix b/users/patrick/default.nix
index 57162cc..5663300 100644
--- a/users/patrick/default.nix
+++ b/users/patrick/default.nix
@@ -65,7 +65,7 @@ lib.optionalAttrs (!minimal) {
 ++ {
 "desktopnix" = [
 ../common/graphical/Xorg
- #./streamdeck.nix
+ ./streamdeck.nix
 ./smb.nix
 ];
 "patricknix" = [
diff --git a/users/patrick/firefox.nix b/users/patrick/firefox.nix
index 265f8af..5f0e11e 100644
--- a/users/patrick/firefox.nix
+++ b/users/patrick/firefox.nix
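Review bot: The new side of the secrets/smb.cred.age hunk carries two `-> piv-p256 ZFgiIw` stanzas with the same tag where the old side had one, next to the unchanged `XTQkUA` stanza. age-plugin-yubikey derives that tag from the recipient key, so the likeliest reading is that the same PIV recipient is now listed twice in the recipients file used for rekeying (the README hunk encrypts with `-R ./secrets/recipients.txt`). A duplicate entry is harmless for decryption, but if a second YubiKey or a replacement key was supposed to be added here, it was not; the recipients list is worth checking before the remaining secrets are rekeyed against it.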
@@ -46,6 +46,8 @@
 "browser.tabs.crashReporting.sendReport" = false; # don't send crash reports
 "accessibility.typeaheadfind.enablesound" = false; # No sound in search windows pls
 "general.autoScroll" = true;
+ "browser.translations.automaticallyPopup" = false;
+ "browser.translations.neverTranslateLanguages" = "de";
 # Privacy
 "privacy.donottrackheader.enabled" = true;
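Review bot: The two added `browser.translations.*` preferences are the only entries in this hunk without a trailing comment, while the surrounding lines each say why the value is set (`# don't send crash reports`, `# No sound in search windows pls`). Matching that style, e.g. `"browser.translations.automaticallyPopup" = false; # don't offer to translate pages` and `"browser.translations.neverTranslateLanguages" = "de"; # never offer translation for German pages`, keeps the file self-explaining. The enclosing preferences attrset starts and ends outside the hunk.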