From fcba40c80418b2922b7c20a2ff17230fdc0c3e17 Mon Sep 17 00:00:00 2001
From: Sebastian Fleer
Date: Mon, 11 May 2026 10:00:58 +0200
Subject: [PATCH 1/2] update: nix flakes

---
 flake.lock | 36 +++++++++++++-------------
 flake.nix | 75 +++++++++++++++++++++++++++++++++---------------------
 home.nix | 4 +--
 iso.nix | 48 +++++++++++++++++++++-------------
 4 files changed, 95 insertions(+), 68 deletions(-)

diff --git a/flake.lock b/flake.lock
index f6fc874..7ef891e 100644
--- a/flake.lock
+++ b/flake.lock
@@ -5,11 +5,11 @@
 "nixpkgs-lib": "nixpkgs-lib"
 },
 "locked": {
-"lastModified": 1749398372,
-"narHash": "sha256-tYBdgS56eXYaWVW3fsnPQ/nFlgWi/Z2Ymhyu21zVM98=",
+"lastModified": 1777988971,
+"narHash": "sha256-qIoWPDs+0/8JecyYgE3gpKQxW/4bLW/gp45vow9ioCQ=",
 "owner": "hercules-ci",
 "repo": "flake-parts",
-"rev": "9305fe4e5c2a6fcf5ba6a3ff155720fbe4076569",
+"rev": "0678d8986be1661af6bb555f3489f2fdfc31f6ff",
 "type": "github"
 },
 "original": {
@@ -25,11 +25,11 @@
 ]
 },
 "locked": {
-"lastModified": 1751336185,
-"narHash": "sha256-ptnVr2x+sl7cZcTuGx/0BOE2qCAIYHTcgfA+/h60ml0=",
+"lastModified": 1778444552,
+"narHash": "sha256-f18pIiR9q/p1vHY93gmAum7aHhQOG49oGvAB9+lptRo=",
 "owner": "nix-community",
 "repo": "home-manager",
-"rev": "96354906f58464605ff81d2f6c2ea23211cbf051",
+"rev": "dcebe66f958673729896eec2de4abfd86ef22d21",
 "type": "github"
 },
 "original": {
@@ -40,11 +40,11 @@
 },
 "nixpkgs": {
 "locked": {
-"lastModified": 1751285371,
-"narHash": "sha256-/hDU+2AUeFFu5qGHO/UyFMc4UG/x5Cw5uXO36KGTk6c=",
+"lastModified": 1778458615,
+"narHash": "sha256-cY07EsdhBJ8tFXPzDYevgqxRev9ZLxFonuq9wmq5kwg=",
 "owner": "nixos",
 "repo": "nixpkgs",
-"rev": "b9c03fbbaf84d85bb28eee530c7e9edc4021ca1b",
+"rev": "c6e5ca3c836a5f4dd9af9f2c1fc1c38f0fac988a",
 "type": "github"
 },
 "original": {
@@ -56,11 +56,11 @@
 },
 "nixpkgs-lib": {
 "locked": {
-"lastModified": 1748740939,
-"narHash": "sha256-rQaysilft1aVMwF14xIdGS3sj1yHlI6oKQNBRTF40cc=",
+"lastModified": 1777168982,
+"narHash": "sha256-GOkGPcboWE9BmGCRMLX3worL4EMnsnG8MyKmXNeYuhQ=",
 "owner": "nix-community",
 "repo": "nixpkgs.lib",
-"rev": "656a64127e9d791a334452c6b6606d17539476e2",
+"rev": "f5901329dade4a6ea039af1433fb087bd9c1fe14",
 "type": "github"
 },
 "original": {
@@ -79,11 +79,11 @@
 ]
 },
 "locked": {
-"lastModified": 1748196248,
-"narHash": "sha256-1iHjsH6/5UOerJEoZKE+Gx1BgAoge/YcnUsOA4wQ/BU=",
+"lastModified": 1775856943,
+"narHash": "sha256-b7Mp7P+q2Md5AGt4rjHfMcBykzMumFTen10ST++AuTU=",
 "owner": "nix-community",
 "repo": "plasma-manager",
-"rev": "b7697abe89967839b273a863a3805345ea54ab56",
+"rev": "a524a6160e6df89f7673ba293cf7d78b559eb1a5",
 "type": "github"
 },
 "original": {
@@ -104,11 +104,11 @@
 "yubikeyGuide": {
 "flake": false,
 "locked": {
-"lastModified": 1750291111,
-"narHash": "sha256-hdZhAIi18jUhDJB7A5yMnoUltnxMGCYAv0N2nU5+nb0=",
+"lastModified": 1777165397,
+"narHash": "sha256-zsTkDDbZMlbyfvBZtzV1/yTsJ+rFnUzwBZON+HtcTq8=",
 "owner": "drduh",
 "repo": "YubiKey-Guide",
-"rev": "08a22f8bde48d2d134dbacdf9910c0ca874afbaa",
+"rev": "658175d774a68b27e920856b1b52e81bb1e176a9",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index ced6567..3d41acb 100644
--- a/flake.nix
+++ b/flake.nix
@@ -19,7 +19,15 @@
 };
 };
-outputs = inputs@{ self, nixpkgs, flake-parts, home-manager, plasma-manager, ... }:
+outputs =
+inputs@{
+self,
+nixpkgs,
+flake-parts,
+home-manager,
+plasma-manager,
+...
+}:
 flake-parts.lib.mkFlake { inherit inputs; } {
@@ -30,38 +38,47 @@
 "aarch64-linux"
 ];
-perSystem = { config, pkgs, ... }: {
-formatter = pkgs.nixpkgs-fmt;
-packages = {
-fos-export = pkgs.writeShellScriptBin "fos-export" (builtins.readFile ./fos-export);
-fos-flash = pkgs.writeShellScriptBin "fos-flash" (builtins.readFile ./fos-flash);
-fos-generate = pkgs.writeShellScriptBin "fos-generate" (builtins.readFile ./fos-generate);
-fos-mount = pkgs.writeShellScriptBin "fos-mount" (builtins.readFile ./fos-mount);
-fos-partitions = pkgs.writeShellScriptBin "fos-partitions" (builtins.readFile ./fos-partitions);
-fos-renew = pkgs.writeShellScriptBin "fos-renew" (builtins.readFile ./fos-renew);
-fos-rotate-passwords = pkgs.writeShellScriptBin "fos-rotate-passwords" (builtins.readFile ./fos-rotate-passwords);
-fos-sync = pkgs.writeShellScriptBin "fos-sync" (builtins.readFile ./fos-sync);
-fos-working-directory = pkgs.writeShellScriptBin "fos-working-directory" (builtins.readFile ./fos-working-directory);
-openpgp-ca = pkgs.openpgp-ca.overrideAttrs (prevAttrs: rec {
-version = "${prevAttrs.version}-famedly";
-src = pkgs.fetchFromGitHub {
-owner = "famedly";
-repo = "openpgp-ca";
-rev = "expose-more-functionality";
-hash = "sha256-+dAwGq3/86A1oLGdjvRHLmS+SiZrv/DqTi+fTRG8uZQ=";
-};
-cargoDeps = prevAttrs.cargoDeps.overrideAttrs (pkgs.lib.const {
-name = "${prevAttrs.pname}-vendor.tar.gz";
-inherit src;
-outputHash = "sha256-hmgWa4pas3qngs6MNPzk3fPG5+jFRph0lGZvtUF4/tA=";
+perSystem =
+{ pkgs, ... }:
+{
+formatter = pkgs.nixpkgs-fmt;
+packages = {
+fos-export = pkgs.writeShellScriptBin "fos-export" (builtins.readFile ./fos-export);
+fos-flash = pkgs.writeShellScriptBin "fos-flash" (builtins.readFile ./fos-flash);
+fos-generate = pkgs.writeShellScriptBin "fos-generate" (builtins.readFile ./fos-generate);
+fos-mount = pkgs.writeShellScriptBin "fos-mount" (builtins.readFile ./fos-mount);
+fos-partitions = pkgs.writeShellScriptBin "fos-partitions" (builtins.readFile ./fos-partitions);
+fos-renew = pkgs.writeShellScriptBin "fos-renew" (builtins.readFile ./fos-renew);
+fos-rotate-passwords = pkgs.writeShellScriptBin "fos-rotate-passwords" (
+builtins.readFile ./fos-rotate-passwords
+);
+fos-sync = pkgs.writeShellScriptBin "fos-sync" (builtins.readFile ./fos-sync);
+fos-working-directory = pkgs.writeShellScriptBin "fos-working-directory" (
+builtins.readFile ./fos-working-directory
+);
+openpgp-ca = pkgs.openpgp-ca.overrideAttrs (prevAttrs: rec {
+version = "${prevAttrs.version}-famedly";
+src = pkgs.fetchFromGitHub {
+owner = "famedly";
+repo = "openpgp-ca";
+rev = "expose-more-functionality";
+hash = "sha256-+dAwGq3/86A1oLGdjvRHLmS+SiZrv/DqTi+fTRG8uZQ=";
+};
+cargoDeps = prevAttrs.cargoDeps.overrideAttrs (
+pkgs.lib.const {
+name = "${prevAttrs.pname}-vendor.tar.gz";
+inherit src;
+outputHash = "sha256-hmgWa4pas3qngs6MNPzk3fPG5+jFRph0lGZvtUF4/tA=";
+}
+);
 });
-});
+};
 };
-};
 flake =
 let
-mkSystem = system:
+mkSystem =
+system:
 nixpkgs.lib.nixosSystem {
 inherit system;
 modules = [
@@ -72,7 +89,7 @@
 {
 home-manager.useGlobalPkgs = true;
 home-manager.useUserPackages = true;
-home-manager.sharedModules = [ plasma-manager.homeManagerModules.plasma-manager ];
+home-manager.sharedModules = [ plasma-manager.homeModules.plasma-manager ];
 home-manager.users.nixos = import ./home.nix;
 }
 ];
diff --git a/home.nix b/home.nix
index f9ee515..43b2a03 100644
--- a/home.nix
+++ b/home.nix
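Review bot: The `openpgp-ca` override still fetches `src` with `rev = "expose-more-functionality"`, a branch name rather than a commit; the fixed `hash` keeps the fetch reproducible and tamper-evident, but as soon as that branch advances the build fails with a hash mismatch, and the flake no longer records which upstream commit was actually reviewed. Pin it to the commit the hash was computed from, `rev = "<commit-sha the current hash corresponds to>";`, and bump `rev` and `hash` together from then on. Separately, the hunk is reformatted in nixfmt's layout (multi-line argument sets, `perSystem =` on its own line) while `formatter = pkgs.nixpkgs-fmt;` is kept, so `nix fmt` would likely undo this commit's formatting; if the repository has switched to nixfmt, `formatter = pkgs.nixfmt-rfc-style;` keeps the two consistent. The enclosing `outputs` function begins and ends outside the hunk.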
@@ -1,5 +1,3 @@
-{ config, pkgs, ... }:
-
 {
 # https://nix-community.github.io/home-manager/options.xhtml
 home.username = "nixos";
@@ -69,7 +67,7 @@
 ];
 kscreenlocker = {
 lockOnResume = false;
-passwordRequired = false;
+passwordRequired = false;
 };
 powerdevil = {
 AC.autoSuspend.action = "nothing";
diff --git a/iso.nix b/iso.nix
index 4060013..3a71156 100644
--- a/iso.nix
+++ b/iso.nix
@@ -10,7 +10,12 @@
 # The above copyright notice and this permission notice shall be included in all
 # copies or substantial portions of the Software.
-{ lib, pkgs, flake, ... }:
+{
+lib,
+pkgs,
+flake,
+...
+}:
 let
 viewYubikeyGuide = pkgs.writeShellScriptBin "view-yubikey-guide" ''
 viewer="$(type -P xdg-open || true)"
@@ -30,13 +35,15 @@ let
 };
 yubikeyGuide = pkgs.symlinkJoin {
 name = "yubikey-guide";
-paths = [ viewYubikeyGuide shortcut ];
+paths = [
+viewYubikeyGuide
+shortcut
+];
 };
 in
 {
+image.fileName = "fos.iso";
 isoImage = {
-isoName = "fos.iso";
-
 makeEfiBootable = true;
 makeUsbBootable = true;
 };
@@ -45,7 +52,9 @@ in
 boot = {
 tmp.cleanOnBoot = true;
-kernel.sysctl = { "kernel.unprivileged_bpf_disabled" = 1; };
+kernel.sysctl = {
+"kernel.unprivileged_bpf_disabled" = 1;
+};
 };
 services = {
@@ -63,7 +72,7 @@ in
 user = "nixos";
 };
 default_session = {
-command = "${pkgs.greetd.greetd}/bin/agreety --cmd startplasma-wayland";
+command = "${pkgs.greetd}/bin/agreety --cmd startplasma-wayland";
 user = "greeter";
 };
 };
@@ -93,7 +102,10 @@ in
 users.users = {
 nixos = {
 isNormalUser = true;
-extraGroups = [ "wheel" "video" ];
+extraGroups = [
+"wheel"
+"video"
+];
 initialHashedPassword = "";
 };
 root.initialHashedPassword = "";
@@ -126,7 +138,7 @@ in
 yubikeyGuide
 cfssl
-flake.packages.${system}.openpgp-ca # openpgp-ca with famedly patches
+flake.packages.${stdenv.hostPlatform.system}.openpgp-ca # openpgp-ca with famedly patches
 git
 htop
 jq
@@ -135,7 +147,7 @@ in
 nano
 neovim
 openpgp-card-tools
-pcsctools
+pcsc-tools
 pwgen
 rusty-diceware
 sequoia-sq
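Review bot: `flake.packages.${stdenv.hostPlatform.system}.openpgp-ca` in the `@@ -126,7 +138,7 @@` hunk resolves `stdenv` only through a `with pkgs;` that presumably opens this package list above the hunk; a name bound by `with` is implicit and can be shadowed by a later `let` or argument, so `${pkgs.stdenv.hostPlatform.system}` states where the value comes from (`pkgs` is a visible argument of this file). The same applies to the nine fos-* entries in the `@@ -145,15 +157,15 @@` hunk. The list's opening and closing lines are outside this hunk.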
@@ -145,15 +157,15 @@ in
 wl-clipboard
 # Famedly OpenPGP Scripts
-flake.packages.${system}.fos-export
-flake.packages.${system}.fos-flash
-flake.packages.${system}.fos-generate
-flake.packages.${system}.fos-mount
-flake.packages.${system}.fos-partitions
-flake.packages.${system}.fos-renew
-flake.packages.${system}.fos-rotate-passwords
-flake.packages.${system}.fos-sync
-flake.packages.${system}.fos-working-directory
+flake.packages.${stdenv.hostPlatform.system}.fos-export
+flake.packages.${stdenv.hostPlatform.system}.fos-flash
+flake.packages.${stdenv.hostPlatform.system}.fos-generate
+flake.packages.${stdenv.hostPlatform.system}.fos-mount
+flake.packages.${stdenv.hostPlatform.system}.fos-partitions
+flake.packages.${stdenv.hostPlatform.system}.fos-renew
+flake.packages.${stdenv.hostPlatform.system}.fos-rotate-passwords
+flake.packages.${stdenv.hostPlatform.system}.fos-sync
+flake.packages.${stdenv.hostPlatform.system}.fos-working-directory
 ];
 environment.plasma6.excludePackages = with pkgs.kdePackages; [

From 489a4ec70b3b1f40eb161adda4a850d6fc4bb2bd Mon Sep 17 00:00:00 2001
From: Sebastian Fleer
Date: Mon, 11 May 2026 12:53:19 +0200
Subject: [PATCH 2/2] feat: add certstrap

---
 iso.nix | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/iso.nix b/iso.nix
index 3a71156..1f47769 100644
--- a/iso.nix
+++ b/iso.nix
@@ -137,6 +137,9 @@ in
 # to open it in a non-graphical environment).
 yubikeyGuide
+# certstrap for managing the mTLS root CA
+certstrap
+
 cfssl
 flake.packages.${stdenv.hostPlatform.system}.openpgp-ca # openpgp-ca with famedly patches
 git
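Review bot: `certstrap` is added directly above `cfssl`, which is a second CA tool already shipped in this image, and the new comment says only what certstrap is for, not why both remain; for an image whose purpose is key and certificate handling, the set of trust tooling should stay auditable from the file alone. Extend the comment to record the split, e.g. `# certstrap for managing the mTLS root CA; cfssl kept for <existing workflow — fill in>`, or drop whichever tool is no longer used. The package list begins and ends outside the hunk.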