Drive encryption #11
5 changed files with 292 additions and 257 deletions
|
|
@ -5,7 +5,7 @@
|
||||||
|
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
An opinionated flake to bootstrap NixOS systems with default configurations for various programs and services from both NixOS and HomeManger which can be enabled, disabled, configured or replaced at will.
|
An opinionated flake to bootstrap NixOS systems with default configurations for various programs and services from both NixOS and HomeManager which can be enabled, disabled, configured or replaced at will.
|
||||||
|
|
||||||
|
|
||||||
# Usage
|
# Usage
|
||||||
|
|
@ -116,7 +116,7 @@ Here is a minimal required configuration.nix (the TODOs mention a required chang
|
||||||
# ];
|
# ];
|
||||||
# or amd, whatever you have
|
# or amd, whatever you have
|
||||||
gpu.nvidia.enable = true;
|
gpu.nvidia.enable = true;
|
||||||
kde_connect.enable = true;
|
kdeConnect.enable = true;
|
||||||
# login manager:
|
# login manager:
|
||||||
# default is greetd
|
# default is greetd
|
||||||
# greetd = { };
|
# greetd = { };
|
||||||
|
|
|
||||||
|
|
@ -25,11 +25,6 @@ in {
|
||||||
};
|
};
|
||||||
|
|
||||||
keyboard = null;
|
keyboard = null;
|
||||||
|
|
||||||
#file.".local/share/flatpak/overrides/global".text = lib.mkForce ''
|
|
||||||
# [Context]
|
|
||||||
# filesystems=xdg-config/gtk-3.0;xdg-config/gtk-4.0
|
|
||||||
#'';
|
|
||||||
};
|
};
|
||||||
|
|
||||||
programs.nix-index = {
|
programs.nix-index = {
|
||||||
|
|
|
||||||
|
|
@ -33,7 +33,16 @@
|
||||||
example = true;
|
example = true;
|
||||||
description = ''
|
description = ''
|
||||||
enables secure boot.
|
enables secure boot.
|
||||||
Please don't forget to add your keys.
|
Note: Secure boot is NOT reproducible
|
||||||
|
Here are the necessary steps:
|
||||||
|
+ create your keys with sbctl -> sudo sbctl create-keys
|
||||||
|
+ build with systemd once -> set this to false and build once
|
||||||
|
+ build with secureBoot true
|
||||||
|
+ verify that your keys are signed (note, only systemd and your generations should now be signed): sudo sbtcl verify
|
||||||
|
+ enroll your keys (microsoft is necessary for windows dualboot support, leave it there): sudo sbctl enroll-keys --microsoft
|
||||||
|
+ reboot with secureboot enabled
|
||||||
|
Note: Some motherboards have vendor specific keys for secure boot, this may not necessarily work with our self signed keys
|
||||||
|
You likely have to disable these vendor specific keys (example HP: sure boot)
|
||||||
'';
|
'';
|
||||||
};
|
};
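Review bot: The verify step in the new description text misspells the tool, `sudo sbtcl verify` on the line `+ verify that your keys are signed …`; it should read `sudo sbctl verify`, otherwise a user pasting the command gets command-not-found and skips the check that only systemd-boot and the generations are signed. The enroll step also leaves out that the firmware has to be in Setup Mode (vendor keys cleared) before `sbctl enroll-keys --microsoft` will proceed, as far as I know, which the closing note about vendor keys only hints at; stating it in the step itself, e.g. `+ put the firmware into Setup Mode (clear the vendor keys), then enroll your keys (keep --microsoft for Windows dualboot): sudo sbctl enroll-keys --microsoft`, makes the order explicit. "Secure boot is NOT reproducible" would benefit from one clause saying what is not reproducible (the signing keys live outside the store, so the build cannot be reproduced on another machine without them), since as written it reads as a warning without a consequence. The option definition continues outside the hunk.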
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -25,6 +25,18 @@
|
||||||
Use swap in drive.
|
Use swap in drive.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
useEncryption = lib.mkOption {
|
||||||
|
default = false;
|
||||||
|
example = true;
|
||||||
|
type = lib.types.bool;
|
||||||
|
description = ''
|
||||||
|
Enables encryption.
|
||||||
|
!WARNING!
|
||||||
|
You need your root drive to be named root exactly!
|
||||||
|
Otherwise there will not be a root crypt!
|
||||||
|
!WARNING!
|
||||||
|
'';
|
||||||
|
};
|
||||||
homeAndRootFsTypes = lib.mkOption {
|
homeAndRootFsTypes = lib.mkOption {
|
||||||
default = "ext4";
|
default = "ext4";
|
||||||
example = "btrfs";
|
example = "btrfs";
|
||||||
|
|
@ -149,6 +161,21 @@
|
||||||
|
|
||||||
config = (
|
config = (
|
||||||
lib.optionalAttrs (options ? fileSystems) {
|
lib.optionalAttrs (options ? fileSystems) {
|
||||||
|
boot.initrd.luks.devices = lib.mkIf (config.mods.drives.variant == "manual" && config.mods.drives.useEncryption) (
|
||||||
|
builtins.listToAttrs (
|
||||||
|
map (
|
||||||
|
{
|
||||||
|
name,
|
||||||
|
drive,
|
||||||
|
}: {
|
||||||
|
cryptstorage.device = lib.mkIf (name != "root") drive?device;
|
||||||
|
cryptoroot.device = lib.mkIf (name == "root") drive?device;
|
||||||
|
}
|
||||||
|
)
|
||||||
|
config.mods.drives.extraDrives
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
fileSystems = lib.mkIf (config.mods.drives.variant == "manual" && !config.conf.wsl) (
|
fileSystems = lib.mkIf (config.mods.drives.variant == "manual" && !config.conf.wsl) (
|
||||||
builtins.listToAttrs (
|
builtins.listToAttrs (
|
||||||
map (
|
map (
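Review bot: The `builtins.listToAttrs` call in the new `boot.initrd.luks.devices` block is fed attrsets of the form `{ cryptstorage.device = …; cryptoroot.device = …; }`, but `listToAttrs` requires each element to be `{ name = …; value = …; }`, so evaluation fails with a missing `name` attribute as soon as `useEncryption` is true and `extraDrives` is non-empty. On the same two lines `drive?device` is the has-attribute operator and yields a bool, not the device path, so even with the right shape the LUKS `device` would be `true`/`false`. Assuming each `extraDrives` entry carries a `device` attribute (as the `?` test implies), the mapping body should be `name = if name == "root" then "cryptoroot" else "cryptstorage";` and `value.device = drive.device;`. Note that with more than one non-root drive every entry still maps to the single `cryptstorage` name and later entries overwrite earlier ones, so deriving the mapper name from `name` (and matching it in the `fileSystems` entries, whose map continues past the hunk) would be safer; the luks block also lacks the `!config.conf.wsl` guard that the neighbouring `fileSystems` block applies.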
|
||||||
|
|
|
||||||
|
|
@ -124,6 +124,8 @@ in {
|
||||||
settings =
|
settings =
|
||||||
if config.mods.hyprland.useDefaultConfig
|
if config.mods.hyprland.useDefaultConfig
|
||||||
then
|
then
|
||||||
|
(
|
||||||
|
lib.recursiveUpdate
|
||||||
{
|
{
|
||||||
"$mod" = "SUPER";
|
"$mod" = "SUPER";
|
||||||
|
|
||||||
|
|
@ -147,7 +149,7 @@ in {
|
||||||
"$mod SUPER,E,exec,nautilus -w"
|
"$mod SUPER,E,exec,nautilus -w"
|
||||||
"$mod SUPER,N,exec,neovide"
|
"$mod SUPER,N,exec,neovide"
|
||||||
"$mod SUPER,M,exec,oxidash"
|
"$mod SUPER,M,exec,oxidash"
|
||||||
"$mod SUPER,R,exec,oxirun"
|
"$mod SUPER,R,exec,anyrun"
|
||||||
"$mod SUPER,G,exec,oxicalc"
|
"$mod SUPER,G,exec,oxicalc"
|
||||||
"$mod SUPER,D,exec,oxishut"
|
"$mod SUPER,D,exec,oxishut"
|
||||||
"$mod SUPER,A,exec,oxipaste-iced"
|
"$mod SUPER,A,exec,oxipaste-iced"
|
||||||
|
|
@ -373,6 +375,7 @@ in {
|
||||||
++ config.mods.hyprland.extraAutostart;
|
++ config.mods.hyprland.extraAutostart;
|
||||||
|
|
||||||
plugin =
|
plugin =
|
||||||
|
lib.recursiveUpdate
|
||||||
{
|
{
|
||||||
hyprspace = lib.mkIf config.mods.hyprland.hyprspaceEnable {
|
hyprspace = lib.mkIf config.mods.hyprland.hyprspaceEnable {
|
||||||
bind = [
|
bind = [
|
||||||
|
|
@ -380,9 +383,10 @@ in {
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
// config.mods.hyprland.pluginConfig;
|
config.mods.hyprland.pluginConfig;
|
||||||
}
|
}
|
||||||
// config.mods.hyprland.customConfig
|
config.mods.hyprland.customConfig
|
||||||
|
)
|
||||||
else lib.mkForce config.mods.hyprland.customConfig;
|
else lib.mkForce config.mods.hyprland.customConfig;
|
||||||
plugins =
|
plugins =
|
||||||
[
|
[
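Review bot: In the hunk at `plugin = lib.recursiveUpdate`, the left-hand set still wraps its entry as `hyprspace = lib.mkIf config.mods.hyprland.hyprspaceEnable { … }`; `lib.recursiveUpdate` descends into any attrset, and a `mkIf` result is an attrset (`_type = "if"`), so a user's plain `pluginConfig.hyprspace = { … }` would be merged next to `condition`/`content` rather than into the default, and as far as I can tell the module system then ignores those extra keys. Replacing the wrapper with a plain set, e.g. `(lib.optionalAttrs config.mods.hyprland.hyprspaceEnable {` / `hyprspace = {` / `})` around the existing body, gives `recursiveUpdate` a real attrset to merge. It is also worth a comment above the outer `lib.recursiveUpdate` that it merges attrsets only: a `bind` list in `customConfig` or `pluginConfig` still replaces the default list wholesale, exactly as the old `//` did at that level, so the change does not make per-key overrides of lists possible. The `settings` expression spans several hunks; the `lib.recursiveUpdate` opened in the first one is closed only in the last.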
|
||||||
|
|
|
||||||