tp3: config update, configure sops

.sops.yaml

@@ -1,9 +1,16 @@
 keys:
   - &admin_enno_mb4 age1e6gdd6c0nf5p47jhcq8dvrcyu4vmrzvg2kd75thsgyl7pzqemunq9mfl7e
   - &admin_enno_tp3 age13em7fsrealzue677tdqejgsafc2sfx62h5w03ynkv0urujuc0g0stw209m
+  - &machine_tp3 age1qu4q6xh6nlls25rthygu3zx85dt2kk7p9yehmepekhqg2r5esu6qvy623j
 creation_rules:
   - path_regex: secrets/tp3-home\.(yaml|json|env|ini)$
     key_groups:
       - age:
           - *admin_enno_mb4
           - *admin_enno_tp3
+  - path_regex: secrets/tp3\.(yaml|json|env|ini)$
+    key_groups:
+      - age:
+          - *admin_enno_mb4
+          - *admin_enno_tp3
+          - *machine_tp3

modules/nixos/default.nix

@@ -96,13 +96,13 @@ in
     # sudo systemd-cryptenroll --tpm2-device=/dev/tpmrm0 --tpm2-pcrs=0+7 /dev/nvme0n1p2
     tp3 = nixosSystemFor "x86_64-linux" [
       inputs.disko.nixosModules.disko
-      # inputs.home-manager.nixosModule
+      inputs.home-manager.nixosModule
       inputs.lanzaboote.nixosModules.lanzaboote
-      # inputs.nix95.nixosModules.nix95
+      inputs.nix95.nixosModules.nix95
+      inputs.sops-nix.nixosModules.default
       self.nixosModules.defaults
       self.nixosModules.networkmanager
-      # self.nixosModules.nix-persistent
-      # self.nixosModules.tailscale
+      self.nixosModules.tailscale
       self.nixosModules.users
       ./tp3
     ];

modules/nixos/tp3/default.nix

@@ -1,188 +1,154 @@
-(
-  {
-    config,
-    lib,
-    pkgs,
-    ...
-  }:
-  {
-
-    imports = [
-      # ./nix-security-box/cloud.nix
-      # ./nix-security-box/container.nix
-      # ./nix-security-box/dns.nix
-      # ./nix-security-box/exploits.nix
-      # ./nix-security-box/fuzzers.nix
-      # ./nix-security-box/generic.nix
-      # ./nix-security-box/information-gathering.nix
-      # ./nix-security-box/kubernetes.nix
-      # ./nix-security-box/ldap.nix
-      # ./nix-security-box/load-testing.nix
-      # ./nix-security-box/malware.nix
-      # ./nix-security-box/network.nix
-      # ./nix-security-box/password.nix
-      # ./nix-security-box/port-scanners.nix
-      # ./nix-security-box/proxies.nix
-      # ./nix-security-box/services.nix
-      # ./nix-security-box/tls.nix
-      # ./nix-security-box/traffic.nix
-      # ./nix-security-box/tunneling.nix
-      # ./nix-security-box/web.nix
-      # ./nix-security-box/windows.nix
-      # ./nix-security-box/wireless.nix
-
-      ./modules/disko.nix
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+
+  imports = [
+    ./modules/disko.nix
+  ];
+
+  networking.hostId = "c1acffeb";
+
+  system.stateVersion = "24.11";
+  networking.hostName = "tp3";
+  ptsd.tailscale.enable = true;
+  programs.fish.enable = true;
+  time.timeZone = "Europe/Berlin";
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+  };
+  services.fwupd.enable = true;
+  boot = {
+    kernelParams = [
+      "mitigations=off" # make linux fast again
+      "acpi_backlight=native" # force thinkpad_acpi driver
+      "amd_pstate=active"
     ];
 
-    networking.hostId = "c1acffeb";
-
-    #config.permittedInsecurePackages = [
-    #  "tightvnc-1.3.10"
-    #  "python-2.7.18.6"
-    #];
-
-    system.stateVersion = "24.11";
-    networking.hostName = "tp3";
-    # services.getty.autologinUser = config.users.users.mainUser.name;
-    ptsd.tailscale.enable = true;
-    # disko.devices = import ./disko/luks-lvm-immutable.nix { inherit lib; };
-    programs.fish.enable = true;
-    # fileSystems = {
-    #   "/" = {
-    #     fsType = "tmpfs";
-    #     options = [
-    #       "size=4G"
-    #       "mode=1755"
-    #     ];
-    #   };
+    # lanzaboote = {
+    #   enable = true;
+    #   pkiBundle = "/nix/persistent/etc/secureboot";
+    #   configurationLimit = 7;
     # };
-    # swapDevices = [ { device = "/dev/pool/swap"; } ];
-    time.timeZone = "Europe/Berlin";
-    services.pipewire = {
-      enable = true;
-      alsa.enable = true;
-      alsa.support32Bit = true;
-      pulse.enable = true;
-    };
-    services.fwupd.enable = true;
-    boot = {
-      kernelParams = [
-        "mitigations=off" # make linux fast again
-        "acpi_backlight=native" # force thinkpad_acpi driver
-        "amd_pstate=active"
-      ];
-
-      # resumeDevice = "/dev/pool/swap";
-
-      # lanzaboote = {
-      #   enable = true;
-      #   pkiBundle = "/nix/persistent/etc/secureboot";
-      #   configurationLimit = 7;
-      # };
 
-      loader = {
-        systemd-boot.enable = true;
-        # systemd-boot.enable = lib.mkForce false; # replaced by lanzaboote
-        systemd-boot.editor = false;
-        efi.canTouchEfiVariables = true;
-      };
-      initrd = {
-        availableKernelModules = [
-          "ahci"
-          "ata_piix"
-          "ehci_pci"
-          "hid_microsoft"
-          "ntfs3"
-          "nvme"
-          "ohci_pci"
-          "sd_mod"
-          "sr_mod"
-          "uhci_hcd"
-          "usb_storage"
-          "usbhid"
-          "xhci_pci"
-        ];
-
-        kernelModules = [ "amdgpu" ];
-
-        systemd = {
-          enable = true;
-          emergencyAccess = true;
-          network.wait-online.timeout = 0;
-        };
-      };
-      kernelPackages = pkgs.linuxPackages_latest;
-      kernelModules = [
-        "kvm-amd"
-        "acpi_call"
-      ];
-      extraModulePackages = [ config.boot.kernelPackages.acpi_call ];
+    loader = {
+      systemd-boot.enable = true;
+      # systemd-boot.enable = lib.mkForce false; # replaced by lanzaboote
+      systemd-boot.editor = false;
+      efi.canTouchEfiVariables = true;
     };
-    systemd.network.wait-online.timeout = 0;
-    services.fstrim.enable = true;
-    services.xserver.videoDrivers = [ "modesetting" ];
-    # programs.steam.enable = true;
-
-    hardware.bluetooth.enable = true;
-    hardware.bluetooth.powerOnBoot = true;
-    services.blueman.enable = true;
-
-    hardware.graphics = {
-      enable = true;
-      enable32Bit = true;
-      extraPackages = with pkgs; [
-        amdvlk
-        rocmPackages.clr.icd
+    initrd = {
+      availableKernelModules = [
+        "ahci"
+        "ata_piix"
+        "ehci_pci"
+        "hid_microsoft"
+        "ntfs3"
+        "nvme"
+        "ohci_pci"
+        "sd_mod"
+        "sr_mod"
+        "uhci_hcd"
+        "usb_storage"
+        "usbhid"
+        "xhci_pci"
       ];
-      extraPackages32 = with pkgs; [ driversi686Linux.amdvlk ];
-    };
 
-    services.xbanish.enable = true;
+      kernelModules = [ "amdgpu" ];
 
-    nix.settings = {
-      trusted-users = [ config.users.users.mainUser.name ];
+      systemd = {
+        enable = true;
+        emergencyAccess = true;
+        network.wait-online.timeout = 0;
+      };
     };
-    services.getty.autologinUser = "root";
-
-    console.font = "${pkgs.spleen}/share/consolefonts/spleen-8x16.psfu";
-    powerManagement.cpuFreqGovernor = "schedutil";
-    powerManagement.powertop.enable = true;
-    hardware.cpu.amd.updateMicrocode = true;
-    environment.systemPackages = [
-      pkgs.alsa-utils
-      pkgs.btop
-      pkgs.file
-      pkgs.git
-      # pkgs.glxinfo
-      # pkgs.gnome-disk-utility
-      pkgs.gptfdisk
-      pkgs.home-manager
-      pkgs.libcanberra-gtk3
-      pkgs.powertop
-      pkgs.python3 # required by proton (steam)
-      pkgs.sbctl
-      pkgs.vulkan-tools
-      pkgs.wirelesstools
+    kernelPackages = pkgs.linuxPackages_latest;
+    kernelModules = [
+      "kvm-amd"
+      "acpi_call"
+    ];
+    extraModulePackages = [ config.boot.kernelPackages.acpi_call ];
+  };
+  systemd.network.wait-online.timeout = 0;
+  services.fstrim.enable = true;
+  services.xserver.videoDrivers = [ "modesetting" ];
+  # programs.steam.enable = true;
+
+  hardware.bluetooth.enable = true;
+  hardware.bluetooth.powerOnBoot = true;
+  services.blueman.enable = true;
+
+  hardware.graphics = {
+    enable = true;
+    enable32Bit = true;
+    extraPackages = with pkgs; [
+      amdvlk
+      rocmPackages.clr.icd
     ];
+    extraPackages32 = with pkgs; [ driversi686Linux.amdvlk ];
+  };
+
+  services.xbanish.enable = true;
+
+  nix.settings = {
+    trusted-users = [ config.users.users.mainUser.name ];
+  };
+  services.getty.autologinUser = "root";
+
+  console.font = "${pkgs.spleen}/share/consolefonts/spleen-8x16.psfu";
+  powerManagement.cpuFreqGovernor = "schedutil";
+  powerManagement.powertop.enable = true;
+  hardware.cpu.amd.updateMicrocode = true;
+  environment.systemPackages = [
+    pkgs.alsa-utils
+    pkgs.btop
+    pkgs.file
+    pkgs.git
+    # pkgs.glxinfo
+    # pkgs.gnome-disk-utility
+    pkgs.gptfdisk
+    pkgs.home-manager
+    pkgs.libcanberra-gtk3
+    pkgs.powertop
+    pkgs.python3 # required by proton (steam)
+    pkgs.sbctl
+    pkgs.vulkan-tools
+    pkgs.wirelesstools
+  ];
+
+  # virtualisation.podman.enable = true;
+  # virtualisation.virtualbox.host.enable = true;
+
+  systemd.services.tailscaled.wantedBy = lib.mkForce [ ]; # manual start to reduce battery usage (frequent wakeups)
+
+  security.tpm2 = {
+    enable = true;
+    pkcs11.enable = true;
+    tctiEnvironment.enable = true;
+  };
+
+  # syncthing
+  networking.firewall = {
+    allowedTCPPorts = [ 22000 ];
+    allowedUDPPorts = [
+      21027
+      22000
+    ];
+  };
 
-    # virtualisation.podman.enable = true;
-    # virtualisation.virtualbox.host.enable = true;
+  sops = {
+    defaultSopsFile = ../../../secrets/tp3.yaml;
+    secrets."mainuser.passwd".neededForUsers = true;
+    secrets."root.passwd".neededForUsers = true;
+  };
 
-    systemd.services.tailscaled.wantedBy = lib.mkForce [ ]; # manual start to reduce battery usage (frequent wakeups)
+  users.users.mainUser.hashedPasswordFile = config.sops.secrets."mainuser.passwd".path;
+  users.users.root.hashedPasswordFile = config.sops.secrets."root.passwd".path;
 
-    security.tpm2 = {
-      enable = true;
-      pkcs11.enable = true;
-      tctiEnvironment.enable = true;
-    };
-
-    # syncthing
-    networking.firewall = {
-      allowedTCPPorts = [ 22000 ];
-      allowedUDPPorts = [
-        21027
-        22000
-      ];
-    };
-  }
-)
+}