From 89fde794b88cdbf60728b85b42df04b5b8c666fa Mon Sep 17 00:00:00 2001 From: Andreas Schaafsma Date: Sun, 20 Apr 2025 23:20:04 +0200 Subject: [PATCH] rdp and lanzaboot --- flake.lock | 189 ++++++++++++++++-- flake.nix | 25 ++- .../drivebystation-nix/configuration.nix | 60 +++--- .../drivebystation-nix/default.nix | 4 +- 4 files changed, 234 insertions(+), 44 deletions(-) diff --git a/flake.lock b/flake.lock index 834f31e..04d1970 100644 --- a/flake.lock +++ b/flake.lock @@ -1,6 +1,37 @@ { "nodes": { + "crane": { + "locked": { + "lastModified": 1731098351, + "narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=", + "owner": "ipetkov", + "repo": "crane", + "rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { "flake": false, "locked": { "lastModified": 1717312683, @@ -16,7 +47,7 @@ "type": "github" } }, - "flake-compat_2": { + "flake-compat_3": { "flake": false, "locked": { "lastModified": 1733328505, @@ -32,7 +63,7 @@ "type": "github" } }, - "flake-compat_3": { + "flake-compat_4": { "flake": false, "locked": { "lastModified": 1650374568, 
@@ -48,6 +79,27 @@ "type": "github" } }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1730504689, + "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "506278e768c2a08bec68eb62932193e341f55c90", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, "flake-utils": { "inputs": { "systems": "systems" @@ -121,6 +173,28 @@ "type": "github" } }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "pre-commit-hooks-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ @@ -141,12 +215,38 @@ "type": "github" } }, + "lanzaboote": { + "inputs": { + "crane": "crane", + "flake-compat": "flake-compat", + "flake-parts": "flake-parts", + "nixpkgs": [ + "nixpkgs" + ], + "pre-commit-hooks-nix": "pre-commit-hooks-nix", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1737639419, + "narHash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU=", + "owner": "nix-community", + "repo": "lanzaboote", + "rev": "a65905a09e2c43ff63be8c0e86a93712361f871e", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "v0.4.2", + "repo": "lanzaboote", + "type": "github" + } + }, "nixos-cosmic": { "inputs": { - "flake-compat": "flake-compat", + "flake-compat": "flake-compat_2", "nixpkgs": "nixpkgs_2", - "nixpkgs-stable": "nixpkgs-stable", - "rust-overlay": "rust-overlay" + "nixpkgs-stable": "nixpkgs-stable_2", + "rust-overlay": "rust-overlay_2" }, "locked": { "lastModified": 1735608992, 
@@ -164,7 +264,7 @@ }, "nixos-wsl": { "inputs": { - "flake-compat": "flake-compat_2", + "flake-compat": "flake-compat_3", "flake-utils": "flake-utils", "nixpkgs": "nixpkgs_3" }, @@ -200,6 +300,22 @@ } }, "nixpkgs-stable": { + "locked": { + "lastModified": 1730741070, + "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable_2": { "locked": { "lastModified": 1735531152, "narHash": "sha256-As8I+ebItDKtboWgDXYZSIjGlKeqiLBvjxsQHUmAf1Q=", @@ -279,10 +395,38 @@ "type": "github" } }, + "pre-commit-hooks-nix": { + "inputs": { + "flake-compat": [ + "lanzaboote", + "flake-compat" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1731363552, + "narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "root": { "inputs": { "game-of-life": "game-of-life", "home-manager": "home-manager", + "lanzaboote": "lanzaboote", "nixos-cosmic": "nixos-cosmic", "nixos-wsl": "nixos-wsl", "nixpkgs": "nixpkgs_4", @@ -293,6 +437,27 @@ } }, "rust-overlay": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1731897198, + "narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "0be641045af6d8666c11c2c40e45ffc9667839b5", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, + "rust-overlay_2": { "inputs": { "nixpkgs": [ "nixos-cosmic", 
@@ -315,7 +480,7 @@ }, "snowfall-lib": { "inputs": { - "flake-compat": "flake-compat_3", + "flake-compat": "flake-compat_4", "flake-utils-plus": "flake-utils-plus", "nixpkgs": [ "nixpkgs" @@ -406,15 +571,15 @@ "nixpkgs": "nixpkgs_5" }, "locked": { - "lastModified": 1727721329, - "narHash": "sha256-QYlWZwUSwrM7BuO+dXclZIwoPvBIuJr6GpFKv9XKFPI=", - "owner": "MarceColl", + "lastModified": 1736824652, + "narHash": "sha256-8J56ngRvKVvCxdY3iDtol/9UAJfwCh0k96DnyNchUCA=", + "owner": "0xc000022070", "repo": "zen-browser-flake", - "rev": "e6ab73f405e9a2896cce5956c549a9cc359e5fcc", + "rev": "a17923b5fd758700c67afdaae2a1d3123381f96b", "type": "github" }, "original": { - "owner": "MarceColl", + "owner": "0xc000022070", "repo": "zen-browser-flake", "type": "github" } diff --git a/flake.nix b/flake.nix index 01696ac..a4cf364 100644 --- a/flake.nix +++ b/flake.nix @@ -17,12 +17,18 @@ url = "github:mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; }; - zen-browser.url = "github:MarceColl/zen-browser-flake"; + zen-browser.url = "github:0xc000022070/zen-browser-flake"; home-manager = { url = "github:nix-community/home-manager"; inputs.nixpkgs.follows = "nixpkgs"; }; trilium-next-pr.url = "github:FliegendeWurst/nixpkgs/trilium-next"; + lanzaboote = { + url = "github:nix-community/lanzaboote/v0.4.2"; + + # Optional but recommended to limit the size of your system closure. + inputs.nixpkgs.follows = "nixpkgs"; + }; }; outputs = inputs: 
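Review bot: The zen-browser input now comes from a different GitHub owner (`0xc000022070` instead of `MarceColl`), and nothing in the hunk or the commit message records why the upstream moved; a flake input is executable code pulled into the system closure, so the provenance change deserves a note beside the URL such as `# zen-browser-flake moved from MarceColl to 0xc000022070 — <reason or link here>`. flake.lock does pin the new source to rev `a17923b5fd758700c67afdaae2a1d3123381f96b` and its narHash, so the build stays reproducible, but the diff gives no indication that the new repository was checked to be the legitimate continuation rather than an unrelated fork. The lanzaboote input is pinned to the `v0.4.2` tag, which is good; its `# Optional but recommended to limit the size of your system closure.` comment is the upstream quick-start boilerplate and would be more useful if it said what lanzaboote is for in this flake (Secure Boot signing of the boot chain). The `inputs` attrset starts outside the hunk.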
@@ -79,6 +85,23 @@
 systems.modules.nixos = with inputs; [
 # my-input.nixosModules.my-module
+ lanzaboote.nixosModules.lanzaboote ({ pkgs, lib, ... }: {
+ environment.systemPackages = [
+ # For debugging and troubleshooting Secure Boot.
+ pkgs.sbctl
+ ];
+
+ # Lanzaboote currently replaces the systemd-boot module.
+ # This setting is usually set to true in configuration.nix
+ # generated at installation time. So we force it to false
+ # for now.
+ boot.loader.systemd-boot.enable = lib.mkForce false;
+
+ boot.lanzaboote = {
+ enable = true;
+ pkiBundle = "/var/lib/sbctl";
+ };
+ })
 ];
 # The attribute set specified here will be passed directly to NixPkgs when
diff --git a/systems/x86_64-linux/drivebystation-nix/configuration.nix b/systems/x86_64-linux/drivebystation-nix/configuration.nix
index efc6a43..97af8ce 100644
--- a/systems/x86_64-linux/drivebystation-nix/configuration.nix
+++ b/systems/x86_64-linux/drivebystation-nix/configuration.nix
@@ -5,10 +5,10 @@
 { config, pkgs, ... }:
 {
- imports =
- [
- ./hardware/hardware-configuration.nix
- ];
+ imports = [
+ ./hardware/hardware-configuration.nix
+ ];
+
 # Bootloader.
 boot.loader.systemd-boot.enable = true;
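Review bot: `lanzaboote.nixosModules.lanzaboote` and the inline module that force-disables systemd-boot are appended to `systems.modules.nixos`, which — assuming this is the snowfall-lib `mkFlake` layout that attribute name and the `snowfall-lib` lock entry suggest — is applied to every NixOS host this flake builds, not only drivebystation-nix; the flake also consumes `nixos-wsl`, and a WSL or other non-UEFI host would receive `boot.loader.systemd-boot.enable = lib.mkForce false` and `boot.lanzaboote.enable = true` with no EFI boot chain to sign. Unless Secure Boot is intended on every host, keep only the module import here and move the `boot.lanzaboote` block and `pkgs.sbctl` into `systems/x86_64-linux/drivebystation-nix/default.nix`. The `mkForce` exists only because that host's `configuration.nix` still sets `boot.loader.systemd-boot.enable = true;` (visible as context in the next file section); removing that line is cleaner than overriding it from the flake, and the "for now" comment can go with it. `pkiBundle = "/var/lib/sbctl"` names the directory holding the Secure Boot signing keys lanzaboote signs with, so it must already exist with keys created and enrolled through sbctl before this configuration is activated, and because anyone able to read those keys can sign boot images the machine will trust, the line deserves a comment recording that the directory is root-only and how the keys are backed up.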
@@ -54,36 +54,36 @@
- # services.xserver.config = lib.mkForce ''
- # Section "ServerLayout"
- # Identifier "layout"
- # Screen 0 "amdgpu"
- # Inactive "nvidia"
- # Option "AllowNVIDIAGPUScreens"
- # EndSection
+ # services.xserver.config = lib.mkForce ''
+ # Section "ServerLayout"
+ # Identifier "layout"
+ # Screen 0 "amdgpu"
+ # Inactive "nvidia"
+ # Option "AllowNVIDIAGPUScreens"
+ # EndSection
- # Section "Device"
- # Identifier "nvidia"
- # Driver "nvidia"
- # BusID "PCI:01:0:0"
- # EndSection
+ # Section "Device"
+ # Identifier "nvidia"
+ # Driver "nvidia"
+ # BusID "PCI:01:0:0"
+ # EndSection
- # Section "Screen"
- # Identifier "nvidia"
- # Device "nvidia"
- # EndSection
+ # Section "Screen"
+ # Identifier "nvidia"
+ # Device "nvidia"
+ # EndSection
- # Section "Device"
- # Identifier "amdgpu"
- # Driver "amdgpu"
- # BusID "PCI:50:0:0"
- # EndSection
+ # Section "Device"
+ # Identifier "amdgpu"
+ # Driver "amdgpu"
+ # BusID "PCI:50:0:0"
+ # EndSection
- # Section "Screen"
- # Identifier "amdgpu"
- # Device "amdgpu"
- # EndSection
- # '';
+ # Section "Screen"
+ # Identifier "amdgpu"
+ # Device "amdgpu"
+ # EndSection
+ # '';
 desktopManager = {
 # Disable xterm
diff --git a/systems/x86_64-linux/drivebystation-nix/default.nix b/systems/x86_64-linux/drivebystation-nix/default.nix
index 52095d2..e5f92ce 100644
--- a/systems/x86_64-linux/drivebystation-nix/default.nix
+++ b/systems/x86_64-linux/drivebystation-nix/default.nix
@@ -135,8 +135,10 @@ in
 services.xrdp.enable = true;
- services.xrdp.defaultWindowManager = "${pkgs.gnome-session}/bin/gnome-session";
+ # services.xrdp.defaultWindowManager = "${pkgs.gnome-session}/bin/gnome-session";
+ services.xrdp.defaultWindowManager = "startxfce4";
 services.xrdp.openFirewall = true;
+ services.xrdp.audio.enable = false;
 # Disable the GNOME3/GDM auto-suspend feature that cannot be disabled in GUI!
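Review bot: `services.xrdp.defaultWindowManager = "startxfce4"` is a bare program name, whereas the line it replaces used an absolute store path (`${pkgs.gnome-session}/bin/gnome-session`); if xrdp resolves this through the session PATH, the RDP session only starts when XFCE is part of the system environment, which nothing in this diff shows, and a name looked up at session start is less deterministic than a pinned path. Prefer the store path here as well, e.g. `services.xrdp.defaultWindowManager = "${pkgs.xfce.xfce4-session}/bin/startxfce4";`, and delete the commented-out gnome-session line instead of keeping it as dead code. `services.xrdp.openFirewall = true` (unchanged context) leaves RDP reachable on every interface of this host, so while the desktop behind it is being changed it is worth a comment stating which network xrdp is meant to be reached from, or restricting the port to that interface via `networking.firewall.interfaces`. The enclosing attrset starts and ends outside the hunk, and the hunk's trailing context may continue past the end of this page.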