| author | KJ Tsanaktsidis <kj@kjtsanaktsidis.id.au> | 2026-01-07 19:27:59 +1100 |
|---|---|---|
| committer | KJ Tsanaktsidis <kj@kjtsanaktsidis.id.au> | 2026-01-07 19:27:59 +1100 |
| commit | 6f11c79d88e692bebb69b2e12bfde9f52f8df55c (patch) | |
| tree | aa01ecda312b1910428b9128335e62d86402732b | |
| parent | 2e6a6722c29a8d6345ab81dd72354ea41a8474ac (diff) | |
use facter good
| -rw-r--r-- | flake.lock | 188 | ||||
| -rw-r--r-- | flake.nix | 19 | ||||
| -rw-r--r-- | labsrv01/configuration.nix | 26 |
3 files changed, 177 insertions, 56 deletions
@@ -1,5 +1,20 @@ { "nodes": { + "crane": { + "locked": { + "lastModified": 1765145449, + "narHash": "sha256-aBVHGWWRzSpfL++LubA0CwOOQ64WNLegrYHwsVuVN7A=", + "owner": "ipetkov", + "repo": "crane", + "rev": "69f538cdce5955fcd47abfed4395dc6d5194c1c5", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, "disko": { "inputs": { "nixpkgs": [ @@ -7,15 +22,16 @@ ] }, "locked": { - "lastModified": 1766150702, - "narHash": "sha256-P0kM+5o+DKnB6raXgFEk3azw8Wqg5FL6wyl9jD+G5a4=", + "lastModified": 1746728054, + "narHash": "sha256-eDoSOhxGEm2PykZFa/x9QG5eTH0MJdiJ9aR00VAofXE=", "owner": "nix-community", "repo": "disko", - "rev": "916506443ecd0d0b4a0f4cf9d40a3c22ce39b378", + "rev": "ff442f5d1425feb86344c028298548024f21256d", "type": "github" }, "original": { "owner": "nix-community", + "ref": "v1.12.0", "repo": "disko", "type": "github" } @@ -42,6 +58,22 @@ "type": "github" } }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1761588595, + "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-parts": { "inputs": { "nixpkgs-lib": [ 
@@ -63,26 +95,73 @@ "type": "github" } }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "pre-commit", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ - "nixpkgs-unstable" + "nixpkgs-stable" ] }, "locked": { - "lastModified": 1767688629, - "narHash": "sha256-kX1BVq5zoowePHssEjmpc6FNT3vVZNZaCXd7mfvCsxg=", + "lastModified": 1767619900, + "narHash": "sha256-KpoCBPvwHz3gAQtIUkohE2InRBFK3r0/FM6z5SPWfvM=", "owner": "nix-community", "repo": "home-manager", - "rev": "bfaba198af72338b8dbda59887859d7a30c6643c", + "rev": "6bd04da47cfb48dfd15eabf08364b78ad894f5b2", "type": "github" }, "original": { "owner": "nix-community", + "ref": "release-25.11", "repo": "home-manager", "type": "github" } }, + "lanzaboote": { + "inputs": { + "crane": "crane", + "nixpkgs": [ + "nixpkgs-stable" + ], + "pre-commit": "pre-commit", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1765382359, + "narHash": "sha256-RJmgVDzjRI18BWVogG6wpsl1UCuV6ui8qr4DJ1LfWZ8=", + "owner": "nix-community", + "repo": "lanzaboote", + "rev": "e8c096ade12ec9130ff931b0f0e25d2f1bc63607", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "v1.0.0", + "repo": "lanzaboote", + "type": "github" + } + }, "nix-vm-test": { "inputs": { "nixpkgs": [ 
@@ -117,34 +196,20 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1766503044, - "narHash": "sha256-DdJ0OIngRjekqXJauSQ8y9vyDO24dX8v7DiaWmxk7PU=", + "lastModified": 1763045507, + "narHash": "sha256-61zO8zsFE8C104hCTv04z6a4H8U03OEMrRAXtGsszkE=", "owner": "nix-community", "repo": "nixos-anywhere", - "rev": "e86fad431cf9161ca39747972bd255897572dc3b", + "rev": "bad98b0685cf47eaeadcaf6787da8b51cf025693", "type": "github" }, "original": { "owner": "nix-community", + "ref": "1.13.0", "repo": "nixos-anywhere", "type": "github" } }, - "nixos-facter-modules": { - "locked": { - "lastModified": 1766558141, - "narHash": "sha256-Ud9v49ZPsoDBFuyJSQ2Mpw1ZgAH/aMwUwwzrVoetNus=", - "owner": "numtide", - "repo": "nixos-facter-modules", - "rev": "e796d536e3d83de74267069e179dc620a608ed7d", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "nixos-facter-modules", - "type": "github" - } - }, "nixos-images": { "inputs": { "nixos-stable": [ 
@@ -186,49 +251,58 @@ "type": "github" } }, - "nixpkgs": { + "nixpkgs-stable": { "locked": { - "lastModified": 1767364772, - "narHash": "sha256-fFUnEYMla8b7UKjijLnMe+oVFOz6HjijGGNS1l7dYaQ=", + "lastModified": 1767634882, + "narHash": "sha256-2GffSfQxe3sedHzK+sTKlYo/NTIAGzbFCIsNMUPAAnk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "16c7794d0a28b5a37904d55bcca36003b9109aaa", + "rev": "3c9db02515ef1d9b6b709fc60ba9a540957f661c", "type": "github" }, "original": { - "id": "nixpkgs", - "type": "indirect" + "owner": "NixOS", + "ref": "nixos-25.11", + "repo": "nixpkgs", + "type": "github" } }, - "nixpkgs-stable": { + "nixpkgs-unstable": { "locked": { - "lastModified": 1764521362, - "narHash": "sha256-M101xMtWdF1eSD0xhiR8nG8CXRlHmv6V+VoY65Smwf4=", + "lastModified": 1767640445, + "narHash": "sha256-UWYqmD7JFBEDBHWYcqE6s6c77pWdcU/i+bwD6XxMb8A=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "871b9fd269ff6246794583ce4ee1031e1da71895", + "rev": "9f0c42f8bc7151b8e7e5840fb3bd454ad850d8c5", "type": "github" }, "original": { "owner": "NixOS", - "ref": "25.11", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } }, - "nixpkgs-unstable": { + "pre-commit": { + "inputs": { + "flake-compat": "flake-compat", + "gitignore": "gitignore", + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, "locked": { - "lastModified": 1767379071, - "narHash": "sha256-EgE0pxsrW9jp9YFMkHL9JMXxcqi/OoumPJYwf+Okucw=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "fb7944c166a3b630f177938e478f0378e64ce108", + "lastModified": 1765016596, + "narHash": "sha256-rhSqPNxDVow7OQKi4qS5H8Au0P4S3AYbawBSmJNUtBQ=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "548fc44fca28a5e81c5d6b846e555e6b9c2a5a3c", "type": "github" }, "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", "type": "github" } }, 
@@ -236,14 +310,34 @@ "inputs": { "disko": "disko", "home-manager": "home-manager", + "lanzaboote": "lanzaboote", "nixos-anywhere": "nixos-anywhere", - "nixos-facter-modules": "nixos-facter-modules", - "nixpkgs": "nixpkgs", "nixpkgs-stable": "nixpkgs-stable", "nixpkgs-unstable": "nixpkgs-unstable", "sops-nix": "sops-nix" } }, + "rust-overlay": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1765075567, + "narHash": "sha256-KFDCdQcHJ0hE3Nt5Gm5enRIhmtEifAjpxgUQ3mzSJpA=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "769156779b41e8787a46ca3d7d76443aaf68be6f", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "sops-nix": { "inputs": { "nixpkgs": [ 
@@ -1,20 +1,22 @@ { description = "NixOS configurations development environment"; - inputs.nixpkgs-stable.url = "github:NixOS/nixpkgs/25.11"; + inputs.nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-25.11"; inputs.nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable"; - inputs.disko.url = "github:nix-community/disko"; + inputs.disko.url = "github:nix-community/disko/v1.12.0"; inputs.disko.inputs.nixpkgs.follows = "nixpkgs-stable"; - inputs.nixos-facter-modules.url = "github:numtide/nixos-facter-modules"; inputs.sops-nix.url = "github:Mic92/sops-nix"; inputs.sops-nix.inputs.nixpkgs.follows = "nixpkgs-stable"; - inputs.nixos-anywhere.url = "github:nix-community/nixos-anywhere"; + inputs.nixos-anywhere.url = "github:nix-community/nixos-anywhere/1.13.0"; inputs.nixos-anywhere.inputs.nixpkgs.follows = "nixpkgs-stable"; - inputs.home-manager.url = "github:nix-community/home-manager"; - inputs.home-manager.inputs.nixpkgs.follows = "nixpkgs-unstable"; + inputs.home-manager.url = "github:nix-community/home-manager/release-25.11"; + inputs.home-manager.inputs.nixpkgs.follows = "nixpkgs-stable"; + inputs.lanzaboote.url = "github:nix-community/lanzaboote/v1.0.0"; + inputs.lanzaboote.inputs.nixpkgs.follows = "nixpkgs-stable"; - outputs = { self, nixpkgs, nixpkgs-stable, nixos-anywhere, ... }@inputs: + outputs = { self, nixpkgs-stable, nixos-anywhere, ... }@inputs: let + nixpkgs = nixpkgs-stable; systems = [ "x86_64-linux" "x86_64-darwin" "aarch64-linux" "aarch64-darwin" ]; forAllSystems = nixpkgs.lib.genAttrs systems; in @@ -25,7 +27,6 @@ modules = [ inputs.disko.nixosModules.disko ./labsrv01/configuration.nix - inputs.nixos-facter-modules.nixosModules.facter inputs.sops-nix.nixosModules.sops inputs.home-manager.nixosModules.home-manager { @@ -41,7 +42,7 @@ packages = forAllSystems (system: let - pkgs = nixpkgs-stable.legacyPackages.${system}; + pkgs = nixpkgs.legacyPackages.${system}; ruby = pkgs.ruby.withPackages (ps: [ pkgs.rubyPackages.tty-command ]); 
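Review bot: In the first hunk, `inputs.sops-nix.url = "github:Mic92/sops-nix";` is the only input left floating on its default branch after this commit pins disko, nixos-anywhere, home-manager and lanzaboote to release refs, and it is the input that handles secret decryption. The lock's `rev`/`narHash` still fix the exact content until the next `nix flake update`, so this is a drift risk rather than an immediate hole, but an unqualified update would pull whatever is on master. If sops-nix publishes a usable tag, pin it the same way as the others; otherwise I'd add a comment such as `# sops-nix has no release branch: tracks master, content fixed by flake.lock` so the inconsistency reads as deliberate. Worth noting in the commit message that pinning disko to v1.12.0 and nixos-anywhere to 1.13.0 moves both back several months relative to the previous lock (compare the `lastModified` values in flake.lock), which is fine for a stable channel but is a downgrade, not just a pin.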
diff --git a/labsrv01/configuration.nix b/labsrv01/configuration.nix index 9d37f38..81dae08 100644 --- a/labsrv01/configuration.nix +++ b/labsrv01/configuration.nix @@ -10,6 +10,7 @@ imports = [ ./disk-config.nix ]; + hardware.facter.reportPath = ./facter.json; nix = { extraOptions = '' @@ -134,4 +135,29 @@ RemainAfterExit = true; }; }; + + # Create and enroll Secure Boot keys on first boot + systemd.services.sbctl-setup = { + description = "Create and enroll Secure Boot keys"; + wantedBy = [ "multi-user.target" ]; + unitConfig.ConditionPathExists = "!/var/lib/sbctl/GUID"; + + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + + script = '' + echo "Creating Secure Boot keys..." + ${pkgs.sbctl}/bin/sbctl create-keys + + # Check if we're in Setup Mode + if ${pkgs.sbctl}/bin/sbctl status | grep -q "Setup Mode"; then + echo "UEFI is in Setup Mode, enrolling keys..." + ${pkgs.sbctl}/bin/sbctl enroll-keys --microsoft + else + echo "WARNING: UEFI is not in Setup Mode. Please clear Secure Boot keys in UEFI and reboot." + fi + ''; + }; } |
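Review bot: The Setup Mode check in `sbctl-setup` is ineffective as written: in the sbctl versions I know, `sbctl status` always prints a `Setup Mode:` row (Enabled or Disabled), so `grep -q "Setup Mode"` matches either way and `enroll-keys --microsoft` is attempted on every path, failing the unit when the firmware is not in Setup Mode. The guard also makes the failure path unrecoverable: `create-keys` has already written `/var/lib/sbctl/GUID`, so `ConditionPathExists = "!/var/lib/sbctl/GUID"` stops the unit from ever running again and the "clear keys and reboot" advice in the warning never leads to enrollment. I'd split the two guards — create keys only when the GUID is absent, and decide enrollment from the SetupMode EFI variable (data byte 1 = Setup Mode) on every boot — and document the trade-off of `--microsoft`, which keeps Microsoft's UEFI CA in db so vendor-signed option ROMs and shim stay bootable at the cost of a broader trust set. The enclosing NixOS module attrset starts before this hunk.
```nix
  systemd.services.sbctl-setup = {
    description = "Create and enroll Secure Boot keys";
    wantedBy = [ "multi-user.target" ];
    # No ConditionPathExists: key creation and enrollment are guarded separately
    # below, so a boot outside Setup Mode can be retried after the keys are cleared.

    # … unchanged: serviceConfig …

    script = ''
      if [ ! -e /var/lib/sbctl/GUID ]; then
        echo "Creating Secure Boot keys..."
        ${pkgs.sbctl}/bin/sbctl create-keys
      fi

      # SetupMode efivar: 4 attribute bytes, then one data byte (1 = Setup Mode).
      setup_mode_var=/sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c
      if [ -r "$setup_mode_var" ] && [ "$(od -An -tu1 -j4 -N1 "$setup_mode_var" | tr -d ' ')" = "1" ]; then
        echo "UEFI is in Setup Mode, enrolling keys..."
        # --microsoft also enrolls Microsoft's UEFI CA so vendor-signed option ROMs
        # and shim keep loading; drop it only on hardware known not to need it.
        ${pkgs.sbctl}/bin/sbctl enroll-keys --microsoft
      else
        echo "UEFI is not in Setup Mode; skipping enrollment (clear Secure Boot keys in firmware and reboot to retry)."
      fi
    '';
  };
```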
