chore: last computer got secureboot

README.md

@@ -82,15 +82,17 @@
 5. Deploy system
 
 ### Add secureboot to new systems
-1. generate keys with `sbct create-keys'
+1. generate keys with `sbct create-keys`
-1. tar the resulting folder using `tar cvf secureboot.tar -C /etc/secureboot`
+1. tar the resulting folder using `tar cvf secureboot.tar -C /etc/secureboot .`
 1. Copy the tar to local using scp and encrypt it using rage
+    - `rage -e -R ./secrets/recipients.txt secureboot.tar -o <host>/secrets/secureboot.tar.age`
 1. safe the encrypted archive to `hosts/<host>/secrets/secureboot.tar.age`
 1. *DO NOT* forget to delete the unecrypted archives
-1. link `/run/secureboot` to `/etc/secureboot`
+1. Deploy your system with lanzaboote enabled
-1. This is necesarry since for your next apply the rekeyed keys are not yet available but needed for signing the boot files
+    - link `/run/secureboot` to `/etc/secureboot`
+    - This is necesarry since for your this apply the rekeyed keys are not yet available but already needed for signing the boot files
 1. ensure the boot files are signed using `sbctl verify`
-1. Now reboot the computer into BIOS and enable secureboot
+1. Now reboot the computer into BIOS and enable secureboot,
     this may include removing any existing old keys
 1. bootctl should now read `Secure Boot: disabled (setup)`
 1. you can now enroll your secureboot keys using
@@ -98,7 +100,7 @@
     If you want to be able to boot microsoft signed images append `--microsoft`
 1. Time to reboot and pray
 
-TPM keys
+### Add luks encryption TPM keys
 `systemd-cryptenroll --tpm2-pcrs=7+8+9 --tpm2-with-pin={yes/no} --tpm2-device=auto <device>`
 
 

flake.lock

@@ -11,11 +11,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1695384796,
+        "lastModified": 1696775529,
         "narHash": "sha256-TYlE4B0ktPtlJJF9IFxTWrEeq+XKG8Ny0gc2FGEAdj0=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "1f677b3e161d3bdbfd08a939e8f25de2568e0ef4",
+        "rev": "daf42cb35b2dc614d1551e37f96406e4c4a2d3e4",
         "type": "github"
       },
       "original": {
@@ -174,11 +174,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1696266752,
+        "lastModified": 1696814493,
-        "narHash": "sha256-wJnMDFM21+xXdsXSs6pXMElbv4YfqmQslcPApRuaYKs=",
+        "narHash": "sha256-1qArVsJGG2RHbV2iKFpAmM5os3myvwpXMOdFy5nh54M=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "646ee25c25fffee122a66282861f5f56ad3e0fd9",
+        "rev": "32ce057c183506cecb0b84950e4eaf39f37e8c75",
         "type": "github"
       },
       "original": {
@@ -296,11 +296,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1696203690,
+        "lastModified": 1696343447,
-        "narHash": "sha256-774XMEL7VHSTLDYVkqrbl5GCdmkVKsjMs+KLM4N4t7k=",
+        "narHash": "sha256-B2xAZKLkkeRFG5XcHHSXXcP7To9Xzr59KXeZiRf4vdQ=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "21928e6758af0a258002647d14363d5ffc85545b",
+        "rev": "c9afaba3dfa4085dbd2ccb38dfade5141e33d9d4",
         "type": "github"
       },
       "original": {
@@ -471,11 +471,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1696409884,
+        "lastModified": 1696737557,
-        "narHash": "sha256-hz3i4wFJHoTIAEI19oF1fiPn6TpV+VuTSOrSHUoJMgs=",
+        "narHash": "sha256-YD/pjDjj/BNmisEvRdM/vspkCU3xyyeGVAUWhvVSi5Y=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "8aef005d44ee726911e9f793495bb40f2fbf5a05",
+        "rev": "3c1d8758ac3f55ab96dcaf4d271c39da4b6e836d",
         "type": "github"
       },
       "original": {
@@ -553,11 +553,11 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1696162106,
+        "lastModified": 1696766909,
-        "narHash": "sha256-72gAqduG8CpBFWchiO4DxZClux5HAti4frrrYGr/5xo=",
+        "narHash": "sha256-lU1BmCWpQ9cx64YnJKc89lMg9cx4pCokXIbh5J//2t0=",
         "owner": "nix-community",
         "repo": "lib-aggregate",
-        "rev": "273cc814826475216b2a8aa008697b939e784514",
+        "rev": "9f495e4feea66426589cbb59ac8b972993b5d872",
         "type": "github"
       },
       "original": {
@@ -573,11 +573,11 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1696208796,
+        "lastModified": 1696813662,
-        "narHash": "sha256-dGhlQ0TeiJhbtEk40ddbJ9Fz4kDa/JfU22F34iYJwu8=",
+        "narHash": "sha256-dQTBtvjdzKa7+ViWiDdnBpdtDS4FD+gWuJJrfIrxSkc=",
         "owner": "nix-community",
         "repo": "nix-eval-jobs",
-        "rev": "82cede4edd01989095040b55d0212d61a65fc5fd",
+        "rev": "7cdbfd5ffe59fe54fd5c44be96f58c45e25d5b62",
         "type": "github"
       },
       "original": {
@@ -593,11 +593,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1696131323,
+        "lastModified": 1696736548,
-        "narHash": "sha256-Y47r8Jo+9rs+XUWHcDPZtkQs6wFeZ24L4CQTfVwE+vY=",
+        "narHash": "sha256-Dg0gJ9xVXud55sAbXspMapFYZOpVAldQQo7MFp91Vb0=",
         "owner": "nix-community",
         "repo": "nix-index-database",
-        "rev": "031d4b22505fdea47bd53bfafad517cd03c26a4f",
+        "rev": "2902dc66f64f733bfb45754e984e958e9fe7faf9",
         "type": "github"
       },
       "original": {
@@ -644,11 +644,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1696161939,
+        "lastModified": 1696614066,
-        "narHash": "sha256-HI1DxS//s46/qv9dcW06TzXaBjxL2DVTQP8R1QsnHzM=",
+        "narHash": "sha256-nAyYhO7TCr1tikacP37O9FnGr2USOsVBD3IgvndUYjM=",
         "owner": "nixos",
         "repo": "nixos-hardware",
-        "rev": "0ab3ee718e964fb42dc57ace6170f19cb0b66532",
+        "rev": "bb2db418b616fea536b1be7f6ee72fb45c11afe0",
         "type": "github"
       },
       "original": {
@@ -659,11 +659,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1696193975,
+        "lastModified": 1696604326,
-        "narHash": "sha256-mnQjUcYgp9Guu3RNVAB2Srr1TqKcPpRXmJf4LJk6KRY=",
+        "narHash": "sha256-YXUNI0kLEcI5g8lqGMb0nh67fY9f2YoJsILafh6zlMo=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "fdd898f8f79e8d2f99ed2ab6b3751811ef683242",
+        "rev": "87828a0e03d1418e848d3dd3f3014a632e4a4f64",
         "type": "github"
       },
       "original": {
@@ -675,11 +675,11 @@
     },
     "nixpkgs-lib": {
       "locked": {
-        "lastModified": 1696121361,
+        "lastModified": 1696726172,
-        "narHash": "sha256-sstnEW0Qwqo3MHmy1In/hJHjypfsSDlnhegNKw5eplk=",
+        "narHash": "sha256-89yxFXzTA7JRyWo6hg7SD4DlS/ejYt8Y8IvGZHbSWsg=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "56992d3dfd3b8cee5c5b5674c1a477446839b6ad",
+        "rev": "59da6ac0c02c48aa92dee37057f978412797db2a",
         "type": "github"
       },
       "original": {
@@ -746,11 +746,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1696436453,
+        "lastModified": 1696843042,
-        "narHash": "sha256-S/lyJ9ZrCSJML6m8jiIrYBaFhjl+Rmm4lqd1fGVYjM0=",
+        "narHash": "sha256-2ykZDYtBaFXWc4zHUEknecBSIOM0e7CUKqMHNZPKlbU=",
         "owner": "nix-community",
         "repo": "nixpkgs-wayland",
-        "rev": "c2621389c63551781ea31d08d20e5f11dc2ef3fd",
+        "rev": "4c7744c36f1f53a42da3c303ebdd05a668269a18",
         "type": "github"
       },
       "original": {
@@ -761,11 +761,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1696207572,
+        "lastModified": 1696810678,
-        "narHash": "sha256-w24NTSMrc7bMIQP5Y8BFsKbpYjbRh/+ptf/9gCEFrKo=",
+        "narHash": "sha256-XAw8D1ZEbdqwhSvn8RsgeeNrDktx4YSikTb5V4ArsrA=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "fe0b3b663e98c85db7f08ab3a4ac318c523c0684",
+        "rev": "35c640b19a189ce3a86698ce2fdcd87d085a339b",
         "type": "github"
       },
       "original": {
@@ -898,11 +898,11 @@
         "nixpkgs-stable": "nixpkgs-stable_3"
       },
       "locked": {
-        "lastModified": 1696158581,
+        "lastModified": 1696846637,
-        "narHash": "sha256-h0vY4E7Lx95lpYQbG2w4QH4yG5wCYOvPJzK93wVQbT0=",
+        "narHash": "sha256-0hv4kbXxci2+pxhuXlVgftj/Jq79VSmtAyvfabCCtYk=",
         "owner": "cachix",
         "repo": "pre-commit-hooks.nix",
-        "rev": "033453f85064ccac434dfd957f95d8457901ecd6",
+        "rev": "42e1b6095ef80a51f79595d9951eb38e91c4e6ca",
         "type": "github"
       },
       "original": {
@@ -1056,11 +1056,11 @@
     },
     "templates": {
       "locked": {
-        "lastModified": 1685790891,
+        "lastModified": 1696855554,
-        "narHash": "sha256-ch0Q6JVV0Dfsd7FMGVrxR+r657pnI535jEuHfO6S1Go=",
+        "narHash": "sha256-9VYXESOCqGGZ8HHl4LN51k+74Kf5Nf9czoqqIN7IEo0=",
         "ref": "refs/heads/main",
-        "rev": "6702d07d398f1fd676a15b8f727845fb8fe45cfb",
+        "rev": "a6c35c2af9f26599e81002630329054b99efbe79",
-        "revCount": 6,
+        "revCount": 11,
         "type": "git",
         "url": "https://git.lel.lol/patrick/nix-templates.git"
       },

hosts/desktopnix/default.nix

@@ -10,6 +10,7 @@
     ../../modules/graphical
 
     ../../modules/optional/xserver.nix
+    ../../modules/optional/secureboot.nix
 
     ../../modules/hardware/bluetooth.nix
     ../../modules/hardware/intel.nix

modules/config/nix.nix

@@ -1,6 +1,7 @@
 {
   inputs,
   stateVersion,
+  pkgs,
   ...
 }: {
   nix = {
@@ -49,5 +50,6 @@
       templates.flake = inputs.templates;
     };
   };
+  programs.nix-ld.enable = true;
   system.stateVersion = stateVersion;
 }

secrets/smb.cred.age

@@ -1,11 +1,14 @@
 age-encryption.org/v1
--> X25519 3VPtgGs+YkYHBe63OyhOuUVL/fVX//XSizOdLHR3wDI
+-> X25519 g3YIxGyN1eZ+1EBvmDOidwML6GtFdSDZdqmgcoXStkU
-I/a7lYzVFGXLuBGtvn9hbsq6Tb5NMjgb6C0x44AW9hc
+CX8+qiwK+8snDkwzQ4hjP1LvXFuSIGjzGzB8ZXoZFgY
--> piv-p256 XTQkUA A8ttYGbQD9jY7zA2X3SDynQy6WCOsp9qUenalQ0KtbPx
+-> piv-p256 XTQkUA A+v6zX1feVTgp7PcQVxdVb9f+swtpTREyjDfi00AgTEE
-ssWdY0MKCJ33cVLLxR8Kv1wLbEz6F6MrV/yRcZK5fuk
+MVwPR6qqPmNrhStXBN4JqzGLiKaQQkoQBUGzknUpLgs
--> piv-p256 ZFgiIw Aqe9ZNtlViD+o+pMDP0F1FtUGFw35KmHyhjnFB4XVPRK
+-> piv-p256 ZFgiIw A37uVQyzvorE7+GOYcSNpGvwVfxqh1OJYz5lQ5+sIQ+m
-+I0y5TtoxGBla/46dk0tEzBEakHdb//m9ts92QCm7XA
+AJqdNjxgifzfmYTXn5XTPC4DHY3r982xmSQU/HirrrM
--> --grease S[|%w\&o t$efh*] jl8~ cB\tOaM
+-> piv-p256 ZFgiIw Am/nyZaSfikZr+OdP9qhIjhRfUSRwlxUclus3Bahl1Ed
-DpG7+qrkZLPtzRtZ38GatDO2rthpFyT93E/pqizz69QK0OXgv4ZAjA
++IWfzeNXvFO5Q/s8XJkGCJguMHiuTM5dnks9M9pRw/M
---- f7oAB4l0kZpBDfwwwUwH/g76YX7GhbSIw2WCTNcg6dc
+-> qPGW+-grease
-Ó§1øvz´z¾N9Òxt!ÿCr_‡˜ºý·DG³Ø˜Vcrù*Áý[PÇ
Rít…é¶CÅ ï­MR%oïXî@Þá™sf!!b&Î1>±]
+VsuA9wcfbxca5OGjj6gOm2z4sivSF2lzhHM5gOznobFeMZDAbv8i+G0KPepxwalM
+/CAzsYTmY5Qb6abKb2zAFNQ
+--- eJn/i1/7jmP6oCQ6a3oRiAkSf6IKhVnLBIc2Dm1EmeQ
+Ž¸«ůĘ=Ązrs«r°ß·Ż‚ř„p5đÖŽĄ
öÉ˙.+N­qŚÂÂ…ţĽţ)Ně@ľťiQÍ _Ţ™?Â˙·13Č—^Ř&Ú{ă°*,}<7D>zBŠ

users/patrick/default.nix

@@ -65,7 +65,7 @@ lib.optionalAttrs (!minimal) {
       ++ {
         "desktopnix" = [
           ../common/graphical/Xorg
-          #./streamdeck.nix
+          ./streamdeck.nix
           ./smb.nix
         ];
         "patricknix" = [

users/patrick/firefox.nix

@@ -46,6 +46,8 @@
         "browser.tabs.crashReporting.sendReport" = false; # don't send crash reports
         "accessibility.typeaheadfind.enablesound" = false; # No sound in search windows pls
         "general.autoScroll" = true;
+        "browser.translations.automaticallyPopup" = false;
+        "browser.translations.neverTranslateLanguages" = "de";
 
         # Privacy
         "privacy.donottrackheader.enabled" = true;