From 1234d7d4553f65fc84465f077301d09912f3ca3a Mon Sep 17 00:00:00 2001 From: Nikolaos Karaolidis Date: Sat, 9 Aug 2025 18:09:43 +0200 Subject: [PATCH] Add lanzaboote Signed-off-by: Nikolaos Karaolidis --- flake.lock | 167 ++++++++++++++++-- flake.nix | 29 ++- .../configs/system/lanzaboote/default.nix | 22 +++ .../system/nix-install/install.completion.zsh | 1 + .../configs/system/nix-install/install.sh | 59 +++++-- hosts/elara/configs/{git => ssh}/default.nix | 22 ++- hosts/elara/default.nix | 3 +- hosts/himalia/configs/ssh/default.nix | 14 ++ hosts/himalia/default.nix | 3 + hosts/installer/README.md | 14 +- hosts/installer/configs/ssh/default.nix | 14 ++ hosts/installer/default.nix | 3 + hosts/jupiter-vps/configs/ssh/default.nix | 14 ++ hosts/jupiter-vps/default.nix | 1 + hosts/jupiter/configs/ssh/default.nix | 14 ++ hosts/jupiter/default.nix | 2 + secrets | 2 +- 17 files changed, 338 insertions(+), 46 deletions(-) create mode 100644 hosts/common/configs/system/lanzaboote/default.nix rename hosts/elara/configs/{git => ssh}/default.nix (54%) create mode 100644 hosts/himalia/configs/ssh/default.nix create mode 100644 hosts/installer/configs/ssh/default.nix create mode 100644 hosts/jupiter-vps/configs/ssh/default.nix create mode 100644 hosts/jupiter/configs/ssh/default.nix diff --git a/flake.lock b/flake.lock index 29aafe1..8ecb4fd 100644 --- a/flake.lock +++ b/flake.lock @@ -44,6 +44,21 @@ "type": "github" } }, + "crane": { + "locked": { + "lastModified": 1754269165, + "narHash": "sha256-0tcS8FHd4QjbCVoxN9jI+PjHgA4vc/IjkUSp+N3zy0U=", + "owner": "ipetkov", + "repo": "crane", + "rev": "444e81206df3f7d92780680e45858e31d2f07a08", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, "disko": { "inputs": { "nixpkgs": [ 
@@ -65,6 +80,22 @@ "type": "github" } }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1747046372, + "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-input-patcher": { "inputs": { "nixpkgs": [ @@ -90,17 +121,14 @@ }, "flake-parts": { "inputs": { - "nixpkgs-lib": [ - "nur", - "nixpkgs" - ] + "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1733312601, - "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=", + "lastModified": 1754487366, + "narHash": "sha256-pHYj8gUBapuUzKV/kN/tR3Zvqc7o6gdFB9XKXIp1SQ8=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9", + "rev": "af66ad14b28a127c5c0f3bbb298218fc63528a18", "type": "github" }, "original": { @@ -129,6 +157,28 @@ "type": "github" } }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "pre-commit-hooks-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, "gnim": { "flake": false, "locked": { 
@@ -165,6 +215,33 @@ "type": "github" } }, + "lanzaboote": { + "inputs": { + "crane": "crane", + "flake-compat": "flake-compat", + "flake-parts": [ + "flake-parts" + ], + "nixpkgs": [ + "nixpkgs" + ], + "pre-commit-hooks-nix": "pre-commit-hooks-nix", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1754297745, + "narHash": "sha256-aD6/scLN3L4ZszmNbhhd3JQ9Pzv1ScYFphz14wHinfs=", + "owner": "nix-community", + "repo": "lanzaboote", + "rev": "892cbdca865d6b42f9c0d222fe309f7720259855", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "lanzaboote", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1753694789, @@ -181,9 +258,26 @@ "type": "github" } }, + "nixpkgs-lib": { + "locked": { + "lastModified": 1753579242, + "narHash": "sha256-zvaMGVn14/Zz8hnp4VWT9xVnhc8vuL3TStRqwk22biA=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "0f36c44e01a6129be94e3ade315a5883f0228a6e", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" + } + }, "nur": { "inputs": { - "flake-parts": "flake-parts", + "flake-parts": [ + "flake-parts" + ], "nixpkgs": [ "nixpkgs" ] @@ -225,6 +319,32 @@ "type": "github" } }, + "pre-commit-hooks-nix": { + "inputs": { + "flake-compat": [ + "lanzaboote", + "flake-compat" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1750779888, + "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "quadlet-nix": { "locked": { "lastModified": 1753321053, 
@@ -246,8 +366,10 @@ "astal": "astal", "disko": "disko", "flake-input-patcher": "flake-input-patcher", + "flake-parts": "flake-parts", "flake-utils": "flake-utils", "home-manager": "home-manager", + "lanzaboote": "lanzaboote", "nixpkgs": "nixpkgs", "nur": "nur", "nvidia-patch": "nvidia-patch", @@ -259,14 +381,35 @@ "treefmt-nix": "treefmt-nix" } }, + "rust-overlay": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1754189623, + "narHash": "sha256-fstu5eb30UYwsxow0aQqkzxNxGn80UZjyehQVNVHuBk=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "c582ff7f0d8a7ea689ae836dfb1773f1814f472a", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "secrets": { "flake": false, "locked": { - "lastModified": 1754044614, - "narHash": "sha256-+hNFrtcw8KHDYPVePVFWEuiEg6UfyyR4U5SK0DeY9as=", + "lastModified": 1754739960, + "narHash": "sha256-y6L+/e+BduxLUFT5NUXvtBHgCMj+h4+vZ0x/yUWAbeg=", "ref": "refs/heads/main", - "rev": "22a140f2c1a3b36ed97123e1cd5d0f07cdfbfff8", - "revCount": 28, + "rev": "c072cbb08deb0ea741b3c557c5190b5e8121ca10", + "revCount": 29, "type": "git", "url": "https://git.karaolidis.com/karaolidis/nix-secrets.git" }, diff --git a/flake.nix b/flake.nix index cbb1553..d10fd2a 100644 --- a/flake.nix +++ b/flake.nix @@ -17,21 +17,25 @@ inputs.nixpkgs.follows = "nixpkgs"; }; + lanzaboote = { + url = "github:nix-community/lanzaboote"; + inputs = { + nixpkgs.follows = "nixpkgs"; + flake-parts.follows = "flake-parts"; + }; + }; + secrets = { url = "git+https://git.karaolidis.com/karaolidis/nix-secrets.git"; flake = false; }; - systems.url = "github:nix-systems/default"; - nur = { url = "github:nix-community/NUR"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - flake-utils = { - url = "github:numtide/flake-utils"; - inputs.systems.follows = "systems"; + inputs = { + nixpkgs.follows = "nixpkgs"; + flake-parts.follows = "flake-parts"; + }; }; treefmt-nix = { 
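Review bot: The new `lanzaboote` input in the flake.nix hunk is declared as `url = "github:nix-community/lanzaboote";` with no ref, so every `nix flake update` moves the module that signs the boot chain to whatever the default branch holds at that moment; flake.lock pins it today, but a Secure Boot component is worth pinning to a tagged release, `url = "github:nix-community/lanzaboote/<release-tag>";`, and bumping deliberately. The `follows` entries for `nixpkgs` and `flake-parts` are correct and match the lock hunks above. The enclosing `inputs` attribute set continues past the end of this hunk.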
@@ -77,6 +81,15 @@
 systems.follows = "systems";
 };
 };
+
+ systems.url = "github:nix-systems/default";
+
+ flake-parts.url = "github:hercules-ci/flake-parts";
+
+ flake-utils = {
+ url = "github:numtide/flake-utils";
+ inputs.systems.follows = "systems";
+ };
 };
 
 outputs =
diff --git a/hosts/common/configs/system/lanzaboote/default.nix b/hosts/common/configs/system/lanzaboote/default.nix
new file mode 100644
index 0000000..a989a16
--- /dev/null
+++ b/hosts/common/configs/system/lanzaboote/default.nix
@@ -0,0 +1,22 @@
+{
+ inputs,
+ lib,
+ pkgs,
+ ...
+}:
+{
+ imports = [ inputs.lanzaboote.nixosModules.lanzaboote ];
+
+ environment = {
+ persistence."/persist/state"."/var/lib/sbctl" = { };
+
+ systemPackages = with pkgs; [ sbctl ];
+ };
+
+ boot.loader.systemd-boot.enable = lib.mkForce false;
+
+ boot.lanzaboote = {
+ enable = true;
+ pkiBundle = "/var/lib/sbctl";
+ };
+}
diff --git a/hosts/common/configs/system/nix-install/install.completion.zsh b/hosts/common/configs/system/nix-install/install.completion.zsh
index fc20121..33308a0 100644
--- a/hosts/common/configs/system/nix-install/install.completion.zsh
+++ b/hosts/common/configs/system/nix-install/install.completion.zsh
@@ -4,6 +4,7 @@ _nix-install_completion() {
 '-m[Mode: 'install' or 'repair']:mode:(install repair)'
 '-h[Host to configure]:host:($(_list_hosts))'
 '-k[Key file to copy to user config]:key:($(_list_keys))'
+ '-s[Enroll secure boot keys on current device]'
 '-c[Copy configuration to target]'
 '-r[Reboot after completion]'
 )
diff --git a/hosts/common/configs/system/nix-install/install.sh b/hosts/common/configs/system/nix-install/install.sh
index a4f8ee8..70758fe 100644
--- a/hosts/common/configs/system/nix-install/install.sh
+++ b/hosts/common/configs/system/nix-install/install.sh
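Review bot: `persistence."/persist/state"."/var/lib/sbctl" = { }` in the new lanzaboote module persists the directory that `boot.lanzaboote.pkiBundle` points at, which is where install.sh writes the PK/KEK/db private keys, yet it declares no owner or mode, so the directory keeps whatever permissions the installer's `mkdir -p` gave it (install.sh chmods the key files to 400, not the directory). If the persistence module accepts a mode/user attribute set here, a root-only mode belongs in it; either way the file deserves a header comment, e.g. `# Secure Boot via lanzaboote: /var/lib/sbctl holds the PK/KEK/db signing keys (populated by nix-install) and must survive impermanence.` A why-comment on `boot.loader.systemd-boot.enable = lib.mkForce false;` would also help, since lanzaboote supplies its own boot-loader installer and requires systemd-boot's to be disabled.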
@@ -1,13 +1,14 @@
 # shellcheck shell=bash
 
 usage() {
- echo "Usage: $0 flake -m install|repair -h host [-k key] [-p password_file] [-c] [-r]"
+ echo "Usage: $0 flake -m install|repair -h host [-k key] [-p password_file] [-s] [-c] [-r]"
 echo
 echo "Options:"
 echo " flake Directory containing the flake.nix file."
 echo " -m mode Mode: 'install' or 'repair'."
 echo " -h host Host to configure."
 echo " -k key Key file to copy to user config."
+ echo " -s Enroll secure boot keys on current device."
 echo " -c Copy configuration to target."
 echo " -r Reboot after completion."
 exit 1
@@ -35,7 +36,7 @@ check_flake() {
 }
 
 check_host() {
- if ! nix flake show --quiet --json "$flake" 2>/dev/null | jq -e ".nixosConfigurations[\"$host\"]" &>/dev/null; then
+ if ! nix flake show --allow-import-from-derivation --quiet --json "$flake" 2>/dev/null | jq -e ".nixosConfigurations[\"$host\"]" &>/dev/null; then
 echo "Host '$host' not found in flake."
 exit 1
 fi
@@ -51,6 +52,7 @@ check_key() {
 set_password_file() {
 SOPS_AGE_KEY_FILE="$flake/secrets/$key/key.txt"
 export SOPS_AGE_KEY_FILE
+ install -m 600 /dev/null /tmp/keyfile
 sops --decrypt --extract "['luks']" "$flake/secrets/hosts/$host/secrets.yaml" > /tmp/keyfile
 unset SOPS_AGE_KEY_FILE
 }
@@ -62,7 +64,7 @@ prepare_disk() {
 disko -m "$disko_mode" --yes-wipe-all-disks --root-mountpoint "$root" "$flake/hosts/$host/format.nix"
 }
 
-copy_keys() {
+copy_sops_keys() {
 mkdir -p "$root/persist/state/etc/ssh"
 cp -f "$flake/secrets/hosts/$host/ssh_host_ed25519_key" "$root/persist/state/etc/ssh/ssh_host_ed25519_key"
 
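Review bot: The rewritten usage line still advertises `[-p password_file]`, but the `getopts "m:h:k:scr"` string in main (later in this file) has no `p` option and the options list below the synopsis never describes one, so the synopsis documents a flag the script rejects via `usage`; drop it: `echo "Usage: $0 flake -m install|repair -h host [-k key] [-s] [-c] [-r]"`. The new `install -m 600 /dev/null /tmp/keyfile` in set_password_file is a good precaution and deserves a one-line comment, e.g. `# Pre-create the LUKS key file root-only so the redirect below never leaves it world-readable.`, since nothing else in the function says why it is there. The usage function's closing brace is outside the first hunk.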
@@ -87,26 +89,46 @@ copy_keys() {
 done
 }
 
+copy_secure_boot_keys() {
+ mkdir -p "$root/persist/state/var/lib/sbctl/keys"/{db,KEK,PK}
+
+ SOPS_AGE_KEY_FILE="$flake/secrets/$key/key.txt"
+ export SOPS_AGE_KEY_FILE
+
+ sops --decrypt --extract "['guid']" "$flake/secrets/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/GUID"
+ sops --decrypt --extract "['keys']['kek']['key']" "$flake/secrets/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/KEK/KEK.key"
+ sops --decrypt --extract "['keys']['kek']['pem']" "$flake/secrets/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/KEK/KEK.pem"
+ sops --decrypt --extract "['keys']['pk']['key']" "$flake/secrets/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/PK/PK.key"
+ sops --decrypt --extract "['keys']['pk']['pem']" "$flake/secrets/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/PK/PK.pem"
+ sops --decrypt --extract "['keys']['db']['key']" "$flake/secrets/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/db/db.key"
+ sops --decrypt --extract "['keys']['db']['pem']" "$flake/secrets/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/db/db.pem"
+
+ chmod 400 "$root/persist/state/var/lib/sbctl/keys"/*/*
+
+ unset SOPS_AGE_KEY_FILE
+
+ mkdir -p "$root/var/lib/sbctl"
+ mount --bind -o X-fstrim.notrim,x-gvfs-hide "$root/persist/state/var/lib/sbctl" "$root/var/lib/sbctl"
+}
+
 install() {
 nixos-install --root "$root" --flake "$flake#$host" --no-root-passwd
 }
 
+enroll_secure_boot() {
+ sbctl enroll-keys --microsoft
+}
+
 copy_config() {
 echo "Copying configuration..."
- mkdir -p "$root/persist/user/etc/nixos"
+ mkdir -p "$root/persist/user/etc"
 rm -rf "$root/persist/user/etc/nixos"
 cp -r "$flake" "$root/persist/user/etc/nixos"
 }
 
-finish() {
- echo "Rebooting system..."
- trap - EXIT
- cleanup
- reboot
-}
-
 cleanup() {
 rm -f /tmp/keyfile
+ if [[ -d "$root" ]]; then umount "$root/var/lib/sbctl"; fi
 if [[ -n "$host" ]]; then disko -m "unmount" "$flake/hosts/$host/format.nix"; fi
 if [[ -d "$root" ]]; then rmdir "$root"; fi
 }
@@ -124,14 +146,16 @@ main() {
 mode=""
 host=""
 key=""
+ enroll_secure_boot_flag="false"
 copy_config_flag="false"
 reboot_flag="false"
 
- while getopts "m:h:k:cr" opt; do
+ while getopts "m:h:k:scr" opt; do
 case "$opt" in
 m) mode="$OPTARG" ;;
 h) host="$OPTARG" ;;
 k) key="$OPTARG" ;;
+ s) enroll_secure_boot_flag="true" ;;
 c) copy_config_flag="true" ;;
 r) reboot_flag="true" ;;
 *) usage ;;
@@ -153,10 +177,17 @@ main() {
 ;;
 esac
 
- copy_keys
+ copy_sops_keys
+ copy_secure_boot_keys
+
 install
+
+ [[ "$enroll_secure_boot_flag" == "true" ]] && enroll_secure_boot
 [[ "$copy_config_flag" == "true" ]] && copy_config
- [[ "$reboot_flag" == "true" ]] && finish
+
+ cleanup
+
+ [[ "$reboot_flag" == "true" ]] && reboot
 }
 
 main "$@"
diff --git a/hosts/elara/configs/git/default.nix b/hosts/elara/configs/ssh/default.nix
similarity index 54%
rename from hosts/elara/configs/git/default.nix
rename to hosts/elara/configs/ssh/default.nix
index fc98db6..5c17511 100644
--- a/hosts/elara/configs/git/default.nix
+++ b/hosts/elara/configs/ssh/default.nix
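Review bot: In copy_secure_boot_keys the seven `sops --decrypt ... > "$root/persist/state/var/lib/sbctl/..."` redirects create the PK/KEK/db private key files with the shell's default umask, and only the later `chmod 400` tightens them, so the plaintext keys briefly sit on the target filesystem with default permissions; set_password_file, changed in this same commit, avoids exactly that with `install -m 600 /dev/null` before its redirect. Putting `umask 077` at the top of the function (restoring it afterwards, or running the body in a subshell) closes the window, and `GUID`, which the chmod does not cover, is not secret so needs nothing. enroll_secure_boot runs `sbctl enroll-keys --microsoft` against the running installer's own `/var/lib/sbctl` rather than `$root/var/lib/sbctl`, so it presumably only works because every host imports the same key bundle; a comment stating that assumption, e.g. `# Enrolls from the installer's /var/lib/sbctl, which holds the same PK/KEK/db as the target.`, would save the next reader the detour. In cleanup, `umount "$root/var/lib/sbctl"` runs whenever `$root` exists even if copy_secure_boot_keys never reached its mount, so guard it: `if mountpoint -q "$root/var/lib/sbctl"; then umount "$root/var/lib/sbctl"; fi`.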
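Review bot: `[[ "$reboot_flag" == "true" ]] && reboot` is now the last statement of main, so a successful run without `-r` makes main, and therefore the script, exit with status 1 from the failed test; write it as `if [[ "$reboot_flag" == "true" ]]; then reboot; fi` (the same shape suits the new `enroll_secure_boot` line). cleanup is also now called unconditionally before the reboot check; if main still registers `trap cleanup EXIT` earlier in the function (outside this hunk), cleanup runs a second time at exit and its `disko -m "unmount"` and `rmdir` then fail noisily on an already-unmounted root, so either drop the explicit call or follow it with `trap - EXIT` as the removed finish() did. The start of main is outside this hunk.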
@@ -8,16 +8,28 @@ let
 selfPkgs = inputs.self.packages.${system};
 in
 
-# Configured for the root user to allow private builds
 {
- sops.secrets."ssh/sas/ed25519/key" = {
- sopsFile = "${inputs.secrets}/sas/secrets.yaml";
- key = "ssh/ed25519/key";
- path = "/root/.ssh/ssh_sas_ed25519_key";
+ sops.secrets = {
+ "ssh/personal/key" = {
+ sopsFile = "${inputs.secrets}/personal/secrets.yaml";
+ key = "ssh/key";
+ path = "/root/.ssh/ssh_personal_ed25519_key";
+ };
+
+ "ssh/sas/ed25519/key" = {
+ sopsFile = "${inputs.secrets}/sas/secrets.yaml";
+ key = "ssh/ed25519/key";
+ path = "/root/.ssh/ssh_sas_ed25519_key";
+ };
 };
 
 programs.ssh = {
 extraConfig = ''
+ Host karaolidis.com
+ User git
+ HostName karaolidis.com
+ IdentityFile /root/.ssh/ssh_personal_ed25519_key
+
 Host github.com
 User git
 HostName github.com
diff --git a/hosts/elara/default.nix b/hosts/elara/default.nix
index 5cb2b2c..7e7b80d 100644
--- a/hosts/elara/default.nix
+++ b/hosts/elara/default.nix
@@ -21,6 +21,7 @@
 ../common/configs/system/git
 ../common/configs/system/gpg-agent
 ../common/configs/system/impermanence
+ ../common/configs/system/lanzaboote
 ../common/configs/system/libvirt
 ../common/configs/system/neovim
 ../common/configs/system/networkmanager
@@ -47,9 +48,9 @@
 ../common/configs/system/users
 ../common/configs/system/zsh
 
- ./configs/git
 "${inputs.secrets}/hosts/elara/configs/globalprotect"
 ./configs/pki
+ ./configs/ssh
 ./users/nikara
 ];
 
diff --git a/hosts/himalia/configs/ssh/default.nix b/hosts/himalia/configs/ssh/default.nix
new file mode 100644
index 0000000..fc4236e
--- /dev/null
+++ b/hosts/himalia/configs/ssh/default.nix
@@ -0,0 +1,14 @@
+{ inputs, ... }:
+{
+ sops.secrets."ssh/key" = {
+ sopsFile = "${inputs.secrets}/personal/secrets.yaml";
+ path = "/root/.ssh/ssh_personal_ed25519_key";
+ };
+
+ programs.ssh.extraConfig = ''
+ Host karaolidis.com
+ User git
+ HostName karaolidis.com
+ IdentityFile /root/.ssh/ssh_personal_ed25519_key
+ '';
+}
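Review bot: The new `Host karaolidis.com` block (like the existing `Host github.com` one) sets `IdentityFile` but not `IdentitiesOnly yes`, so ssh may still offer agent-loaded and default identities to the git server rather than only the named deploy key; add `IdentitiesOnly yes` under each Host in root's config. The same applies to the identical `programs.ssh.extraConfig` in the new `configs/ssh/default.nix` files for hosts/himalia, hosts/installer, hosts/jupiter-vps and hosts/jupiter. The rename also drops the `# Configured for the root user to allow private builds` comment that explained why these secrets are placed in `/root/.ssh`; keep it, or a reworded version, above the attribute set. The file's `let` bindings begin before this hunk.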
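Review bot: hosts/himalia/configs/ssh/default.nix is byte-identical to the new installer, jupiter-vps and jupiter files (all four carry blob `fc4236e`), so root's personal git identity is now maintained in four places; a single module under `hosts/common/configs/system/` imported by those hosts would keep the key path and Host block from drifting, and elara could import it next to its extra SAS identity. `sops.secrets."ssh/key"` also leaves `key` unset, presumably relying on the secret name doubling as the key path inside `personal/secrets.yaml`, where elara spells `key = "ssh/key"` explicitly; a one-line comment such as `# Secret name matches the key path in personal/secrets.yaml, so no explicit key is needed.` would make that intent clear.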
diff --git a/hosts/himalia/default.nix b/hosts/himalia/default.nix
index 5b98906..1da62d0 100644
--- a/hosts/himalia/default.nix
+++ b/hosts/himalia/default.nix
@@ -17,6 +17,7 @@
 ../common/configs/system/git
 ../common/configs/system/gpg-agent
 ../common/configs/system/impermanence
+ ../common/configs/system/lanzaboote
 ../common/configs/system/libvirt
 ../common/configs/system/neovim
 ../common/configs/system/networkmanager
@@ -43,6 +44,8 @@
 ../common/configs/system/users
 ../common/configs/system/zsh
 
+ ./configs/ssh
+
 ./users/nick
 ];
 
diff --git a/hosts/installer/README.md b/hosts/installer/README.md
index 21f7e73..70ca06e 100644
--- a/hosts/installer/README.md
+++ b/hosts/installer/README.md
@@ -1,12 +1,16 @@
 # installer
 
-I have automated myself out of a job. How to use:
+I have automated myself out of a job. Here's how to use the installer to create a new host:
 
-1. Boot into installer
+1. Enable Secure Boot Setup Mode on the target device's UEFI menu - this will vary depending on the manufacturer
 
-2. Connect to the internet with `sudo nmcli device wifi connect "" [--ask]`
+2. Boot into the installer
 
-3. Run `sudo nix-install /etc/nixos -m install|repair -h host [-k key] [-c] [-r]"`
+3. Connect to the internet with `sudo nmcli device wifi connect "" [--ask]`
+
+4. Run `sudo nix-install /etc/nixos -m install|repair -s -h host [-k key] [-c] [-r]"`
+
+5. Enable Secure Boot on the device's UEFI menu.
 
 ## Reinstalling the Installer
 
@@ -65,4 +69,4 @@ I have automated myself out of a job. How to use:
 
 6. I really hope you had a backup of the keys, because you must copy them to the repository before the next step.
 
-7. Run `nix --experimental-features "nix-command flakes" shell nixpkgs#disko nixpkgs#jq -c bash hosts/common/configs/system/nix-install/install.sh nix -m install -h installer -k personal -c`
+7. Run `nix --experimental-features "nix-command flakes" shell nixpkgs#disko nixpkgs#sbctl nixpkgs#jq -c bash hosts/common/configs/system/nix-install/install.sh . -m install -h installer -k personal -c`
diff --git a/hosts/installer/configs/ssh/default.nix b/hosts/installer/configs/ssh/default.nix
new file mode 100644
index 0000000..fc4236e
--- /dev/null
+++ b/hosts/installer/configs/ssh/default.nix
@@ -0,0 +1,14 @@
+{ inputs, ... }:
+{
+ sops.secrets."ssh/key" = {
+ sopsFile = "${inputs.secrets}/personal/secrets.yaml";
+ path = "/root/.ssh/ssh_personal_ed25519_key";
+ };
+
+ programs.ssh.extraConfig = ''
+ Host karaolidis.com
+ User git
+ HostName karaolidis.com
+ IdentityFile /root/.ssh/ssh_personal_ed25519_key
+ '';
+}
diff --git a/hosts/installer/default.nix b/hosts/installer/default.nix
index 90616af..2ab5420 100644
--- a/hosts/installer/default.nix
+++ b/hosts/installer/default.nix
@@ -15,6 +15,7 @@
 ../common/configs/system/git
 ../common/configs/system/gpg-agent
 ../common/configs/system/impermanence
+ ../common/configs/system/lanzaboote
 ../common/configs/system/neovim
 ../common/configs/system/networkmanager
 ../common/configs/system/nix
@@ -35,6 +36,8 @@
 ../common/configs/system/users
 ../common/configs/system/zsh
 
+ ./configs/ssh
+
 ./users/nick
 ];
 
diff --git a/hosts/jupiter-vps/configs/ssh/default.nix b/hosts/jupiter-vps/configs/ssh/default.nix
new file mode 100644
index 0000000..fc4236e
--- /dev/null
+++ b/hosts/jupiter-vps/configs/ssh/default.nix
@@ -0,0 +1,14 @@
+{ inputs, ... }:
+{
+ sops.secrets."ssh/key" = {
+ sopsFile = "${inputs.secrets}/personal/secrets.yaml";
+ path = "/root/.ssh/ssh_personal_ed25519_key";
+ };
+
+ programs.ssh.extraConfig = ''
+ Host karaolidis.com
+ User git
+ HostName karaolidis.com
+ IdentityFile /root/.ssh/ssh_personal_ed25519_key
+ '';
+}
diff --git a/hosts/jupiter-vps/default.nix b/hosts/jupiter-vps/default.nix
index 757c4e4..2aa2c29 100644
--- a/hosts/jupiter-vps/default.nix
+++ b/hosts/jupiter-vps/default.nix
@@ -23,6 +23,7 @@
 
 ./configs/boot
 ./configs/podman
+ ./configs/ssh
 ./configs/wireguard
 ];
 
diff --git a/hosts/jupiter/configs/ssh/default.nix b/hosts/jupiter/configs/ssh/default.nix
new file mode 100644
index 0000000..fc4236e
--- /dev/null
+++ b/hosts/jupiter/configs/ssh/default.nix
@@ -0,0 +1,14 @@
+{ inputs, ... }:
+{
+ sops.secrets."ssh/key" = {
+ sopsFile = "${inputs.secrets}/personal/secrets.yaml";
+ path = "/root/.ssh/ssh_personal_ed25519_key";
+ };
+
+ programs.ssh.extraConfig = ''
+ Host karaolidis.com
+ User git
+ HostName karaolidis.com
+ IdentityFile /root/.ssh/ssh_personal_ed25519_key
+ '';
+}
diff --git a/hosts/jupiter/default.nix b/hosts/jupiter/default.nix
index 9fafdfd..09162ce 100644
--- a/hosts/jupiter/default.nix
+++ b/hosts/jupiter/default.nix
@@ -14,6 +14,7 @@
 ../common/configs/system/documentation
 ../common/configs/system/git
 ../common/configs/system/impermanence
+ ../common/configs/system/lanzaboote
 ../common/configs/system/neovim
 ../common/configs/system/networkmanager
 ../common/configs/system/nix
@@ -32,6 +33,7 @@
 ../common/configs/system/zsh
 
 ./configs/btrbk
+ ./configs/ssh
 ./configs/tv
 ./configs/wireguard
 
diff --git a/secrets b/secrets
index 22a140f..c072cbb 160000
--- a/secrets
+++ b/secrets
@@ -1 +1 @@
-Subproject commit 22a140f2c1a3b36ed97123e1cd5d0f07cdfbfff8
+Subproject commit c072cbb08deb0ea741b3c557c5190b5e8121ca10