Drive encryption (#11)

- Add drive encryption with luks
- Refactor Hyprland binds
- Refactor cache
- Minor spelling fixes
- Add firefox stylix profiles

base/common_hardware.nix

@@ -100,6 +100,36 @@ in {
       trusted-users = [username];
       auto-optimise-store = true;
 
+      builders-use-substitutes = true;
+
+      substituters = [
+        "https://hyprland.cachix.org"
+        "https://anyrun.cachix.org"
+        "https://cache.garnix.io"
+        "https://oxipaste.cachix.org"
+        "https://oxinoti.cachix.org"
+        "https://oxishut.cachix.org"
+        "https://oxidash.cachix.org"
+        "https://oxicalc.cachix.org"
+        "https://hyprdock.cachix.org"
+        "https://reset.cachix.org"
+        "https://chaotic-nyx.cachix.org/"
+      ];
+
+      trusted-public-keys = [
+        "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
+        "anyrun.cachix.org-1:pqBobmOjI7nKlsUMV25u9QHa9btJK65/C8vnO3p346s="
+        "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
+        "oxipaste.cachix.org-1:n/oA3N3Z+LJP7eIWOwuoLd9QnPyZXqFjLgkahjsdDGc="
+        "oxinoti.cachix.org-1:dvSoJl2Pjo5HMaNngdBbSaixK9BSf2N8gzjP2MdGvfc="
+        "oxishut.cachix.org-1:axyAGF3XMh1IyMAW4UMbQCdMNovDH0KH6hqLLRJH8jU="
+        "oxidash.cachix.org-1:5K2FNHp7AS8VF7LmQkJAUG/dm6UHCz4ngshBVbjFX30="
+        "oxicalc.cachix.org-1:qF3krFc20tgSmtR/kt6Ku/T5QiG824z79qU5eRCSBTQ="
+        "hyprdock.cachix.org-1:HaROK3fBvFWIMHZau3Vq1TLwUoJE8yRbGLk0lEGzv3Y="
+        "reset.cachix.org-1:LfpnUUdG7QM/eOkN7NtA+3+4Ar/UBeYB+3WH+GjP9Xo="
+        "chaotic-nyx.cachix.org-1:HfnXSw4pj95iI/n17rIDy40agHj12WfF+Gqk6SonIT8="
+      ];
+
       experimental-features = "nix-command flakes pipe-operators";
     };
   };

docs/src/README.md

@@ -5,7 +5,7 @@
 
 </div>
 
-An opinionated flake to bootstrap NixOS systems with default configurations for various programs and services from both NixOS and HomeManger which can be enabled, disabled, configured or replaced at will.
+An opinionated flake to bootstrap NixOS systems with default configurations for various programs and services from both NixOS and HomeManager which can be enabled, disabled, configured or replaced at will.
 
 
 # Usage
@@ -116,7 +116,7 @@ Here is a minimal required configuration.nix (the TODOs mention a required chang
     #   ];
     # or amd, whatever you have
     gpu.nvidia.enable = true;
-    kde_connect.enable = true;
+    kdeConnect.enable = true;
     # login manager:
     # default is greetd
     # greetd = { };

flake.nix

@@ -124,36 +124,4 @@
     modules = ./modules;
     iso = dashNixLib.buildIso.config.system.build.isoImage;
   };
-
-  nixConfig = {
-    builders-use-substitutes = true;
-
-    extra-substituters = [
-      "https://hyprland.cachix.org"
-      "https://anyrun.cachix.org"
-      "https://cache.garnix.io"
-      "https://oxipaste.cachix.org"
-      "https://oxinoti.cachix.org"
-      "https://oxishut.cachix.org"
-      "https://oxidash.cachix.org"
-      "https://oxicalc.cachix.org"
-      "https://hyprdock.cachix.org"
-      "https://reset.cachix.org"
-      "https://chaotic-nyx.cachix.org/"
-    ];
-
-    extra-trusted-public-keys = [
-      "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
-      "anyrun.cachix.org-1:pqBobmOjI7nKlsUMV25u9QHa9btJK65/C8vnO3p346s="
-      "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
-      "oxipaste.cachix.org-1:n/oA3N3Z+LJP7eIWOwuoLd9QnPyZXqFjLgkahjsdDGc="
-      "oxinoti.cachix.org-1:dvSoJl2Pjo5HMaNngdBbSaixK9BSf2N8gzjP2MdGvfc="
-      "oxishut.cachix.org-1:axyAGF3XMh1IyMAW4UMbQCdMNovDH0KH6hqLLRJH8jU="
-      "oxidash.cachix.org-1:5K2FNHp7AS8VF7LmQkJAUG/dm6UHCz4ngshBVbjFX30="
-      "oxicalc.cachix.org-1:qF3krFc20tgSmtR/kt6Ku/T5QiG824z79qU5eRCSBTQ="
-      "hyprdock.cachix.org-1:HaROK3fBvFWIMHZau3Vq1TLwUoJE8yRbGLk0lEGzv3Y="
-      "reset.cachix.org-1:LfpnUUdG7QM/eOkN7NtA+3+4Ar/UBeYB+3WH+GjP9Xo="
-      "chaotic-nyx.cachix.org-1:HfnXSw4pj95iI/n17rIDy40agHj12WfF+Gqk6SonIT8="
-    ];
-  };
 }

home/common.nix

@@ -25,11 +25,6 @@ in {
     };
 
     keyboard = null;
-
-    #file.".local/share/flatpak/overrides/global".text = lib.mkForce ''
-    #  [Context]
-    #  filesystems=xdg-config/gtk-3.0;xdg-config/gtk-4.0
-    #'';
   };
 
   programs.nix-index = {

modules/conf.nix

@@ -33,7 +33,16 @@
       example = true;
       description = ''
         enables secure boot.
-        Please don't forget to add your keys.
+        Note: Secure boot is NOT reproducible
+        Here are the necessary steps:
+        + create your keys with sbctl -> sudo sbctl create-keys
+        + build with systemd once -> set this to false and build once
+        + build with secureBoot true
+        + verify that your keys are signed (note, only systemd and your generations should now be signed): sudo sbtcl verify
+        + enroll your keys (microsoft is necessary for windows dualboot support, leave it there): sudo sbctl enroll-keys --microsoft
+        + reboot with secureboot enabled
+        Note: Some motherboards have vendor specific keys for secure boot, this may not necessarily work with our self signed keys
+        You likely have to disable these vendor specific keys (example HP: sure boot)
       '';
     };
 

modules/programs/browser/firefox.nix

@@ -80,6 +80,12 @@
   };
   config = lib.mkIf (config.mods.browser.firefox.enable || config.mods.homePackages.browser == "firefox") (
     lib.optionalAttrs (options ? programs.firefox.profiles) {
+      stylix.targets.firefox.profileNames =
+        map (
+          {name, ...}:
+            name
+        )
+        config.mods.browser.firefox.profiles;
       programs.firefox = {
         enable = true;
         policies = config.mods.browser.firefox.configuration;

modules/programs/drives.nix

@@ -25,6 +25,18 @@
         Use swap in drive.
       '';
     };
+    useEncryption = lib.mkOption {
+      default = false;
+      example = true;
+      type = lib.types.bool;
+      description = ''
+        Enables encryption.
+        !WARNING!
+        You need your root drive to be named root exactly!
+        Otherwise there will not be a root crypt!
+        !WARNING!
+      '';
+    };
     homeAndRootFsTypes = lib.mkOption {
       default = "ext4";
       example = "btrfs";
@@ -149,6 +161,21 @@
 
   config = (
     lib.optionalAttrs (options ? fileSystems) {
+      boot.initrd.luks.devices = lib.mkIf (config.mods.drives.variant == "manual" && config.mods.drives.useEncryption) (
+        builtins.listToAttrs (
+          map (
+            {
+              name,
+              drive,
+            }: {
+              cryptstorage.device = lib.mkIf (name != "root") drive?device;
+              cryptoroot.device = lib.mkIf (name == "root") drive?device;
+            }
+          )
+          config.mods.drives.extraDrives
+        )
+      );
+
       fileSystems = lib.mkIf (config.mods.drives.variant == "manual" && !config.conf.wsl) (
         builtins.listToAttrs (
           map (

modules/programs/gpu.nix

@@ -87,7 +87,7 @@
           (lib.mkIf config.mods.gpu.vapi.enable pkgs.libvdpau-va-gl)
           (lib.mkIf config.mods.gpu.vapi.enable pkgs.libva)
           (lib.mkIf config.mods.gpu.vapi.enable pkgs.vaapiVdpau)
-          (lib.mkIf (config.mods.gpu.intelgpu.enable || config.mods.gpu.amdgpu.enable) pkgs.mesa.drivers)
+          (lib.mkIf (config.mods.gpu.intelgpu.enable || config.mods.gpu.amdgpu.enable) pkgs.mesa)
         ];
         rocmPackages = [
           pkgs.rocmPackages.clr.icd

modules/programs/hyprland/anyrun.nix

@@ -10,8 +10,8 @@
     hyprland = {
       anyrun = {
         enable = lib.mkOption {
-          default = true;
-          example = false;
+          default = false;
+          example = true;
           type = lib.types.bool;
           description = "Enables anyrun";
         };

modules/programs/hyprland/hyprland.nix

@@ -124,6 +124,8 @@ in {
         settings =
           if config.mods.hyprland.useDefaultConfig
           then
+            lib.mkMerge
+            [
               {
                 "$mod" = "SUPER";
 
@@ -146,12 +148,13 @@ in {
                   "$mod SUPER,T,exec,kitty -1"
                   "$mod SUPER,E,exec,nautilus -w"
                   "$mod SUPER,N,exec,neovide"
-                "$mod SUPER,M,exec,oxidash"
-                "$mod SUPER,R,exec,oxirun"
-                "$mod SUPER,G,exec,oxicalc"
-                "$mod SUPER,D,exec,oxishut"
-                "$mod SUPER,A,exec,oxipaste-iced"
-                "$mod SUPERSHIFT,P,exec,hyprdock --gui"
+                  (lib.mkIf (config.mods.hyprland.anyrun.enable) "$mod SUPER,R,exec,anyrun")
+                  (lib.mkIf (config.mods.oxi.oxirun.enable) "$mod SUPER,R,exec,oxirun")
+                  (lib.mkIf (config.mods.oxi.oxidash.enable) "$mod SUPER,M,exec,oxidash")
+                  (lib.mkIf (config.mods.oxi.oxicalc.enable) "$mod SUPER,G,exec,oxicalc")
+                  (lib.mkIf (config.mods.oxi.oxishut.enable) "$mod SUPER,D,exec,oxishut")
+                  (lib.mkIf (config.mods.oxi.oxipaste.enable) "$mod SUPER,A,exec,oxipaste-iced")
+                  (lib.mkIf (config.mods.oxi.hyprdock.enable) "$mod SUPERSHIFT,P,exec,hyprdock --gui")
                   "$mod SUPERSHIFT,L,exec, playerctl -a pause & hyprlock & systemctl suspend"
                   "$mod SUPERSHIFT,K,exec, playerctl -a pause & hyprlock & systemctl hibernate"
 
@@ -373,6 +376,8 @@ in {
                   ++ config.mods.hyprland.extraAutostart;
 
                 plugin =
+                  lib.mkMerge
+                  [
                     {
                       hyprspace = lib.mkIf config.mods.hyprland.hyprspaceEnable {
                         bind = [
@@ -380,9 +385,11 @@ in {
                         ];
                       };
                     }
-                // config.mods.hyprland.pluginConfig;
+                    config.mods.hyprland.pluginConfig
+                  ];
               }
-            // config.mods.hyprland.customConfig
+              config.mods.hyprland.customConfig
+            ]
           else lib.mkForce config.mods.hyprland.customConfig;
         plugins =
           [