Basic secureboot and khas (laptop) config

2023-09-18 22:42:25 +02:00 · 2023-09-18 22:42:25 +02:00 · e5529fbc37
parent 3f1548eb17
commit e5529fbc37
12 changed files with 538 additions and 67 deletions
--- a/flake.lock
+++ b/flake.lock
@ -7,11 +7,11 @@
        "nixpkgs": "nixpkgs"
      },
      "locked": {
-        "lastModified": 1694793763,
-        "narHash": "sha256-y6gTE1C9mIoSkymRYyzCmv62PFgy+hbZ5j8fuiQK5KI=",
+        "lastModified": 1696767924,
+        "narHash": "sha256-NHw92vrUAZXbtow2iiQsbfwXcDhSElYovXgw9ISocdw=",
        "owner": "ryantm",
        "repo": "agenix",
-        "rev": "572baca9b0c592f71982fca0790db4ce311e3c75",
+        "rev": "e2f339274d806014a6bbf29f643a71da847fa1d6",
        "type": "github"
      },
      "original": {
@ -23,11 +23,11 @@
    "base16-schemes": {
      "flake": false,
      "locked": {
-        "lastModified": 1680729003,
-        "narHash": "sha256-M9LHTL24/W4oqgbYRkz0B2qpNrkefTs98pfj3MxIXnU=",
+        "lastModified": 1689473676,
+        "narHash": "sha256-L0RhUr9+W5EPWBpLcmkKpUeCEWRs/kLzVMF3Vao2ZU0=",
        "owner": "tinted-theming",
        "repo": "base16-schemes",
-        "rev": "dc048afa066287a719ddbab62b3e19e4b5110cf0",
+        "rev": "d95123ca6377cd849cfdce92c0a24406b0c6a789",
        "type": "github"
      },
      "original": {
@ -36,6 +36,27 @@
        "type": "github"
      }
    },
+    "bootspec-secureboot": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1690452988,
+        "narHash": "sha256-E2Ons6JxrThaHq1SYJKvddeoANiqmjgKEpPiT9tuPQI=",
+        "owner": "DeterminateSystems",
+        "repo": "bootspec-secureboot",
+        "rev": "cff36b9eff8b4cc4abe77c87ad2eedb9919b6cd5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "DeterminateSystems",
+        "ref": "main",
+        "repo": "bootspec-secureboot",
+        "type": "github"
+      }
+    },
    "deploy-rs": {
      "inputs": {
        "flake-compat": "flake-compat",
@ -43,11 +64,11 @@
        "utils": "utils"
      },
      "locked": {
-        "lastModified": 1694513707,
-        "narHash": "sha256-wE5kHco3+FQjc+MwTPwLVqYz4hM7uno2CgXDXUFMCpc=",
+        "lastModified": 1695052866,
+        "narHash": "sha256-agn7F9Oww4oU6nPiw+YiYI9Xb4vOOE73w8PAoBRP4AA=",
        "owner": "serokell",
        "repo": "deploy-rs",
-        "rev": "31c32fb2959103a796e07bbe47e0a5e287c343a8",
+        "rev": "e3f41832680801d0ee9e2ed33eb63af398b090e9",
        "type": "github"
      },
      "original": {
@ -98,11 +119,11 @@
        "nixpkgs": "nixpkgs_3"
      },
      "locked": {
-        "lastModified": 1694643239,
-        "narHash": "sha256-pv2k/5FvyirDE8g4TNehzwZ0T4UOMMmqWSQnM/luRtE=",
+        "lastModified": 1696737557,
+        "narHash": "sha256-YD/pjDjj/BNmisEvRdM/vspkCU3xyyeGVAUWhvVSi5Y=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "d9b88b43524db1591fb3d9410a21428198d75d49",
+        "rev": "3c1d8758ac3f55ab96dcaf4d271c39da4b6e836d",
        "type": "github"
      },
      "original": {
@ -117,11 +138,11 @@
        "nixpkgs-lib": "nixpkgs-lib"
      },
      "locked": {
-        "lastModified": 1682108218,
-        "narHash": "sha256-tMr7BbxualFQlN+XopS8rMMgf2XR9ZfRuwIZtjsWmfI=",
+        "lastModified": 1695388192,
+        "narHash": "sha256-2jelpE7xK+4M7jZNyWL7QYOYegQLYBDQS5bvdo8XRUQ=",
        "owner": "misterio77",
        "repo": "nix-colors",
-        "rev": "b92df8f5eb1fa20d8e09810c03c9dc0d94ef2820",
+        "rev": "37227f274b34a3b51649166deb94ce7fec2c6a4c",
        "type": "github"
      },
      "original": {
@ -155,11 +176,11 @@
        "nixpkgs": "nixpkgs_5"
      },
      "locked": {
-        "lastModified": 1694921880,
-        "narHash": "sha256-yU36cs5UdzhTwsM9bUWUz43N//ELzQ1ro69C07pU/8E=",
+        "lastModified": 1696736548,
+        "narHash": "sha256-Dg0gJ9xVXud55sAbXspMapFYZOpVAldQQo7MFp91Vb0=",
        "owner": "Mic92",
        "repo": "nix-index-database",
-        "rev": "9d2bcc47110b3b6217dfebd6761ba20bc78aedf2",
+        "rev": "2902dc66f64f733bfb45754e984e958e9fe7faf9",
        "type": "github"
      },
      "original": {
@ -186,11 +207,11 @@
    },
    "nixpkgs-lib": {
      "locked": {
-        "lastModified": 1680397293,
-        "narHash": "sha256-wBpJ73+tJ8fZSWb4tzNbAVahC4HSo2QG3nICDy4ExBQ=",
+        "lastModified": 1694911725,
+        "narHash": "sha256-8YqI+YU1DGclEjHsnrrGfqsQg3Wyga1DfTbJrN3Ud0c=",
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
-        "rev": "b18d328214ca3c627d3cc3f51fd9d1397fdbcd7a",
+        "rev": "819180647f428a3826bfc917a54449da1e532ce0",
        "type": "github"
      },
      "original": {
@ -217,11 +238,11 @@
    },
    "nixpkgs_3": {
      "locked": {
-        "lastModified": 1694422566,
-        "narHash": "sha256-lHJ+A9esOz9vln/3CJG23FV6Wd2OoOFbDeEs4cMGMqc=",
+        "lastModified": 1696604326,
+        "narHash": "sha256-YXUNI0kLEcI5g8lqGMb0nh67fY9f2YoJsILafh6zlMo=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "3a2786eea085f040a66ecde1bc3ddc7099f6dbeb",
+        "rev": "87828a0e03d1418e848d3dd3f3014a632e4a4f64",
        "type": "github"
      },
      "original": {
@ -249,11 +270,11 @@
    },
    "nixpkgs_5": {
      "locked": {
-        "lastModified": 1694767346,
-        "narHash": "sha256-5uH27SiVFUwsTsqC5rs3kS7pBoNhtoy9QfTP9BmknGk=",
+        "lastModified": 1696604326,
+        "narHash": "sha256-YXUNI0kLEcI5g8lqGMb0nh67fY9f2YoJsILafh6zlMo=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "ace5093e36ab1e95cb9463863491bee90d5a4183",
+        "rev": "87828a0e03d1418e848d3dd3f3014a632e4a4f64",
        "type": "github"
      },
      "original": {
@ -265,11 +286,11 @@
    },
    "nixpkgs_6": {
      "locked": {
-        "lastModified": 1694978972,
-        "narHash": "sha256-DkVh+UNzPvd7x2r/FO3Q59Pj30vEiWu57nvpJkzbpiU=",
+        "lastModified": 1696604326,
+        "narHash": "sha256-YXUNI0kLEcI5g8lqGMb0nh67fY9f2YoJsILafh6zlMo=",
        "owner": "arachnist",
        "repo": "nixpkgs",
-        "rev": "d6e32b32aa4d891b580e3367509da2d3949df006",
+        "rev": "87828a0e03d1418e848d3dd3f3014a632e4a4f64",
        "type": "github"
      },
      "original": {
@ -314,6 +335,7 @@
    "root": {
      "inputs": {
        "agenix": "agenix",
+        "bootspec-secureboot": "bootspec-secureboot",
        "deploy-rs": "deploy-rs",
        "home-manager": "home-manager_2",
        "nix-colors": "nix-colors",
--- a/flake.nix
+++ b/flake.nix
@ -3,6 +3,10 @@

  inputs = {
    nixpkgs.url = "github:arachnist/nixpkgs/ar-patchset-unstable";
+    bootspec-secureboot = {
+      url = "github:DeterminateSystems/bootspec-secureboot/main";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
    home-manager.url = "github:nix-community/home-manager";
    nix-colors.url = "github:misterio77/nix-colors";
    nix-formatter-pack.url = "github:Gerschtli/nix-formatter-pack";
@ -14,8 +18,8 @@
    };
  };

-  outputs = { self, nixpkgs, nix-formatter-pack, nix-index-database, deploy-rs
-    , agenix, ... }:
+  outputs = { self, nixpkgs, bootspec-secureboot, nix-formatter-pack
+    , nix-index-database, deploy-rs, agenix, ... }:
    let forAllSystems = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ];
    in {
      # forAllSystems (system: nixpkgs.legacyPackages.${system}.nixfmt);
@ -36,13 +40,63 @@
          };
        });

-      nixosConfigurations = {
+      nixosModules = with self.nixosModules; {
+        nibylandia-boot.imports = [ ./modules/boot.nix ];
+
+        nibylandia-secureboot.imports = [
+          bootspec-secureboot.nixosModules.bootspec-secureboot
+
+          ({ config, lib, ... }: {
+            age.secrets = {
+              secureboot-cert.file = ./secrets/secureboot-cert.age;
+              secureboot-key.file = ./secrets/secureboot-key.age;
+            };
+
+            boot.loader.secureboot = {
+              enable = true;
+              signingKeyPath = "${config.age.secrets.secureboot-key.path}";
+              signingCertPath = "${config.age.secrets.secureboot-cert.path}";
+            };
+            nibylandia-boot.uefi.enable = lib.mkForce false;
+          })
+        ];
+
+        nibylandia-common.imports = [
+          nix-index-database.nixosModules.nix-index
+          agenix.nixosModules.default
+
+          nibylandia-boot
+
+          ./modules/common.nix
+        ];
+
+        nibylandia-graphical.imports = [
+          nibylandia-common
+
+          ./modules/graphical.nix
+        ];
+
+        nibylandia-laptop.imports = [ ./modules/laptop.nix ];
+      };
+
+      nixosConfigurations = with self.nixosModules; {
        scylla = nixpkgs.lib.nixosSystem {
          system = "aarch64-linux";
          modules = [
-            nix-index-database.nixosModules.nix-index
-            agenix.nixosModules.default
-            ./nixos/scylla/configuration.nix
+            nibylandia-common
+
+            ./nixos/scylla
+          ];
+        };
+
+        khas = nixpkgs.lib.nixosSystem {
+          system = "x86_64-linux";
+          modules = [
+            nibylandia-graphical
+            nibylandia-laptop
+            nibylandia-secureboot
+
+            ./nixos/khas
          ];
        };
      };
--- a/modules/boot.nix
+++ b/modules/boot.nix
@ -0,0 +1,24 @@
+{ config, lib, pkgs, ... }:
+
+let cfg = config.nibylandia-boot;
+in {
+  options.nibylandia-boot = {
+    uefi.enable = lib.mkEnableOption "Boot via UEFI";
+    ryzen.enable = lib.mkEnableOption "Enable AMD Ryzen-specific options";
+  };
+
+  config = lib.mkMerge [
+    (lib.mkIf cfg.uefi.enable {
+      boot.loader.systemd-boot.enable = true;
+      boot.loader.efi.canTouchEfiVariables = true;
+    })
+    (lib.mkIf cfg.ryzen.enable {
+      boot = {
+        extraModulePackages = with config.boot.kernelPackages; [ zenpower ];
+        blacklistedKernelModules = [ "k10temp" ];
+        kernelModules = [ "zenpower" "kvm-amd" ];
+      };
+    })
+    { boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest; }
+  ];
+}
--- a/modules/common.nix
+++ b/modules/common.nix
@ -0,0 +1,86 @@
+{ config, lib, pkgs, ... }:
+
+{
+  config = {
+    programs.command-not-found.enable = false;
+    system.stateVersion = "23.11";
+    services.openssh = {
+      enable = true;
+      openFirewall = true;
+      settings.PasswordAuthentication = false;
+    };
+    programs = {
+      mtr.enable = true;
+      neovim = {
+        enable = true;
+        defaultEditor = true;
+        viAlias = true;
+        vimAlias = true;
+      };
+      zsh = {
+        enable = true;
+        enableBashCompletion = true;
+        autosuggestions.enable = true;
+        syntaxHighlighting.enable = true;
+        ohMyZsh.enable = true;
+      };
+      tmux = {
+        enable = true;
+        terminal = "screen256-color";
+        clock24 = true;
+      };
+      bash.enableCompletion = true;
+      mosh.enable = true;
+    };
+
+    nix = {
+      package = pkgs.nixUnstable;
+      extraOptions = ''
+        experimental-features = nix-command flakes
+      '';
+    };
+
+    nixpkgs.config.allowUnfree = true;
+    nixpkgs.config.allowBroken = true;
+
+    environment.systemPackages = with pkgs; [
+      deploy-rs
+      file
+      git
+      go
+      libarchive
+      lm_sensors
+      lshw
+      lsof
+      pciutils
+      pry
+      pv
+      strace
+      usbutils
+      wget
+      zip
+      config.boot.kernelPackages.perf
+      age
+      sshfs
+      dig
+      dstat
+      htop
+      iperf
+      whois
+      xxd
+      tcpdump
+      traceroute
+      age
+      cfssl
+      gomuks
+    ];
+
+    documentation = {
+      man.enable = true;
+      doc.enable = true;
+      dev.enable = true;
+      info.enable = true;
+      nixos.enable = true;
+    };
+  };
+}
--- a/modules/graphical.nix
+++ b/modules/graphical.nix
@ -0,0 +1,194 @@
+{ config, lib, pkgs, ... }:
+
+{
+  boot = {
+    extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ];
+    extraModprobeConfig = ''
+      options v4l2loopback devices=4 exclusive_caps=1
+    '';
+    kernel.sysctl = { "vm.swappiness" = 160; };
+  };
+
+  zramSwap.enable = true;
+
+  sound.enable = true;
+  security.rtkit.enable = true;
+  services.pipewire = {
+    enable = true;
+    alsa = {
+      enable = true;
+      support32Bit = true;
+    };
+    jack.enable = true;
+    pulse.enable = true;
+  };
+
+  networking.networkmanager.enable = true;
+  networking.networkmanager.wifi.backend = "wpa_supplicant";
+  hardware.glasgow.enable = true;
+  hardware.nitrokey.enable = true;
+  hardware.steam-hardware.enable = true;
+  hardware.bluetooth = {
+    enable = true;
+    package = pkgs.bluez;
+  };
+  hardware.opengl = {
+    enable = true;
+    driSupport32Bit = true;
+  };
+
+  services.xserver = {
+    enable = true;
+    desktopManager.plasma5 = {
+      enable = true;
+      runUsingSystemd = true;
+    };
+    displayManager = {
+      sddm = {
+        enable = true;
+        wayland.enable = true;
+        settings.Wayland.SessionDir =
+          "/run/current-system/sw/share/wayland-sessions";
+        settings.X11.SessionDir = lib.mkForce "";
+      };
+      defaultSession = "plasmawayland";
+    };
+
+    layout = "pl";
+    xkbOptions = "ctrl:nocaps";
+    libinput.enable = true;
+  };
+
+  fonts = {
+    enableDefaultPackages = true;
+    packages = with pkgs; [
+      nerdfonts
+      terminus_font
+      terminus_font_ttf
+      noto-fonts-cjk
+      noto-fonts-emoji
+      noto-fonts-emoji-blob-bin
+      joypixels
+      twemoji-color-font
+      carlito
+      meslo-lgs-nf
+      fira-code
+      fira-code-symbols
+    ];
+  };
+
+  i18n.inputMethod = {
+    enabled = "ibus";
+    ibus.engines = with pkgs.ibus-engines; [ uniemoji ];
+  };
+
+  services.printing = {
+    enable = true;
+    drivers = with pkgs; [ cups-dymo ];
+  };
+
+  services.avahi = {
+    enable = true;
+    nssmdns = true;
+  };
+
+  services.flatpak.enable = true;
+
+  programs = {
+    gnupg.agent = {
+      enable = true;
+      enableSSHSupport = true;
+    };
+    adb.enable = true;
+    fuse.userAllowOther = true;
+    dconf.enable = true;
+    mosh.enable = true;
+    kdeconnect.enable = true;
+    sway.enable = true;
+    hyprland.enable = true;
+  };
+
+  nixpkgs.config = {
+    firefox = {
+      enablePlasmaBrowserIntegration = true;
+      enableBrowserpass = true;
+    };
+    joypixels.acceptLicense = true;
+  };
+
+  environment.systemPackages = with pkgs; [
+    chromium
+    electrum
+    ffmpeg-full
+    firefox
+    imagemagick
+    inkscape
+    kate
+    keybase-gui
+    kolourpaint
+    nixfmt
+    okular
+    paprefs
+    pavucontrol
+    (signal-desktop.overrideAttrs (old: {
+      preFixup = (old.preFixup or "")
+        + "  gappsWrapperArgs+=(\n    --add-flags --use-tray-icon\n  )\n";
+    }))
+    solvespace
+    spotify
+    youtube-dl
+    morph
+    mpv
+    gphoto2
+    minicom
+    maim
+    thunderbird
+    feh
+    virt-manager
+    cura
+    ncdu
+    nixos-option
+    yt-dlp
+    lsix
+    element-desktop
+    oneko
+    cinny-desktop
+    vagrant
+    vokoscreen-ng
+    appimage-run
+    protonup-ng
+    scrcpy
+    krita
+    vlc
+    # mastodon-update-script
+    libreoffice-qt
+    tokodon
+
+    glasgow
+    freecad
+
+    (vscode-with-extensions.override {
+      vscodeExtensions = with vscode-extensions; [
+        bbenoist.nix
+        bierner.emojisense
+        bierner.markdown-checkbox
+        bierner.markdown-emoji
+        bodil.file-browser
+        golang.go
+        ms-vscode.cpptools
+        ms-vscode.cmake-tools
+        ms-vscode.anycode
+        ms-toolsai.jupyter
+        ms-toolsai.jupyter-renderers
+        ms-vscode.makefile-tools
+        redhat.vscode-yaml
+        rust-lang.rust-analyzer
+        shardulm94.trailing-spaces
+        arrterian.nix-env-selector
+        jnoortheen.nix-ide
+      ];
+    })
+
+    prusa-slicer
+  ];
+}
--- a/modules/laptop.nix
+++ b/modules/laptop.nix
@ -0,0 +1,20 @@
+{ config, lib, pkgs, ... }:
+
+{
+  services.power-profiles-daemon.enable = true;
+  services.upower.enable = true;
+  powerManagement = {
+    enable = true;
+    powertop.enable = true;
+    cpuFreqGovernor = "ondemand";
+  };
+  programs.light.enable = true;
+  services.fwupd.enable = true;
+  services.fwupd.extraRemotes = [ "lvfs-testing" "vendor" "vendor-directory" ];
+  services.fwupd.daemonSettings.OnlyTrusted = false;
+  #services.fwupd.package = (pkgs.fwupd.overrideAttrs (oldAttrs: {
+  #  patches = (oldAttrs.patches or []) ++ [
+  #    ./disable-secureboot-checks.patch
+  #  ];
+  #}));
+}
--- a/nixos/khas/default.nix
+++ b/nixos/khas/default.nix
@ -0,0 +1,11 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports = [ ./hardware-configuration.nix ];
+
+  nibylandia-boot.ryzen.enable = true;
+
+  virtualisation.docker = { enable = true; };
+
+  networking.firewall.allowedTCPPorts = [ 8000 8080 ];
+}
--- a/nixos/khas/hardware-configuration.nix
+++ b/nixos/khas/hardware-configuration.nix
@ -0,0 +1,83 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  # imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+  boot.initrd.availableKernelModules =
+    [ "nvme" "ehci_pci" "xhci_pci" "rtsx_pci_sdmmc" ];
+
+  boot.initrd.luks.devices."nixos".device =
+    "/dev/disk/by-uuid/f676b705-5ae7-4f71-abf9-b1aac0ac2363";
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/1FA4-9D1F";
+    fsType = "vfat";
+  };
+
+  fileSystems."/" = {
+    device = "none";
+    fsType = "tmpfs";
+    options = [ "defaults" "size=8G" "mode=755" ];
+  };
+
+  fileSystems."/tmp" = {
+    device = "/dev/disk/by-uuid/364a4679-1512-4b57-9f31-a4dc4fd192b1";
+    fsType = "btrfs";
+    options = [ "subvol=tmp" ];
+  };
+
+  fileSystems."/nix" = {
+    device = "/dev/disk/by-uuid/364a4679-1512-4b57-9f31-a4dc4fd192b1";
+    fsType = "btrfs";
+    options = [ "subvol=nix" ];
+  };
+
+  fileSystems."/home" = {
+    device = "/dev/disk/by-uuid/364a4679-1512-4b57-9f31-a4dc4fd192b1";
+    fsType = "btrfs";
+    options = [ "subvol=home" ];
+  };
+
+  fileSystems."/etc/NetworkManager" = {
+    device = "/dev/disk/by-uuid/364a4679-1512-4b57-9f31-a4dc4fd192b1";
+    fsType = "btrfs";
+    options = [ "subvol=etc_NetworkManager" ];
+  };
+
+  fileSystems."/var/log" = {
+    device = "/dev/disk/by-uuid/364a4679-1512-4b57-9f31-a4dc4fd192b1";
+    fsType = "btrfs";
+    options = [ "subvol=var_log" ];
+  };
+
+  fileSystems."/var/lib/NetworkManager" = {
+    device = "/dev/disk/by-uuid/364a4679-1512-4b57-9f31-a4dc4fd192b1";
+    fsType = "btrfs";
+    options = [ "subvol=var_lib_NetworkManager" ];
+  };
+
+  fileSystems."/var/lib/bluetooth" = {
+    device = "/dev/disk/by-uuid/364a4679-1512-4b57-9f31-a4dc4fd192b1";
+    fsType = "btrfs";
+    options = [ "subvol=var_lib_bluetooth" ];
+  };
+
+  fileSystems."/var/lib/libvirt" = {
+    device = "/dev/disk/by-uuid/364a4679-1512-4b57-9f31-a4dc4fd192b1";
+    fsType = "btrfs";
+    options = [ "subvol=var_lib_libvirt" ];
+  };
+
+  fileSystems."/var/lib/flatpak" = {
+    device = "/dev/disk/by-uuid/364a4679-1512-4b57-9f31-a4dc4fd192b1";
+    fsType = "btrfs";
+    options = [ "subvol=var_lib_flatpak" ];
+  };
+
+  fileSystems."/var/lib/tpm" = {
+    device = "/dev/disk/by-uuid/364a4679-1512-4b57-9f31-a4dc4fd192b1";
+    fsType = "btrfs";
+    options = [ "subvol=var_lib_tpm" ];
+  };
+
+}
--- a/nixos/scylla/configuration.nix
+++ b/nixos/scylla/configuration.nix
@ -22,8 +22,7 @@ let
 in {
  imports = [ ./hardware-configuration.nix ];

-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
+  nibylandia-boot.uefi.enable = true;

  boot = {
    kernelPackages = pkgs.linuxPackages_latest;
@ -408,7 +407,9 @@ in {
    checkConfig = false;
    config = builtins.readFile ./bird/bird2.conf;
  };
-  environment.etc."bird/peers/w1kl4s.conf" = { source = ./bird/peers_w1kl4s.conf; };
+  environment.etc."bird/peers/w1kl4s.conf" = {
+    source = ./bird/peers_w1kl4s.conf;
+  };
  systemd.timers.dn42-roa = {
    description = "Trigger a ROA table update";

@ -466,36 +467,8 @@ in {
    config.boot.kernelPackages.perf
  ];

-  programs = {
-    mtr.enable = true;
-    mosh.enable = true;
-    neovim = {
-      enable = true;
-      defaultEditor = true;
-      viAlias = true;
-      vimAlias = true;
-    };
-    zsh = {
-      enable = true;
-      enableBashCompletion = true;
-      autosuggestions.enable = true;
-      syntaxHighlighting.enable = true;
-    };
-    command-not-found.enable = false;
-  };
-
-  nix = {
-    package = pkgs.nixUnstable;
-    extraOptions = ''
-      experimental-features = nix-command flakes
-    '';
-  };
-
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGfIRe1nH6vwjQTjqHNnkKAdr1VYqGEeQnqInmf3A6UN ar@khas"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO6rEwERSm/Fj4KO4SxFIo0BUvi9YNyf8PSL1FteMcMt arachnist@monolith"
  ];
-
-  services.openssh.enable = true;
-  system.stateVersion = "23.11";
 }
--- a/secrets.nix
+++ b/secrets.nix
@ -7,12 +7,16 @@ let

  scylla =
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN1X7EaPNfLhWH32IAyaZj2dhJz+QLnyGuXPCZUYRTjg";
+  khas =
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO6VxPqJHYKmVB5d7bd6vuRqBNKXV1fo2R/WvdSF77xa";
  zorigami =
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM/7CsIWlJH2F0VQpgsGgZOQeAd7Zh98WpCvmTyXCTty";
  stereolith =
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEVuDOcKE8ANKGjd6kfFH1qLLzLwg91o0exJ0isIEw4O";
 in {

+  "secrets/secureboot-key.age".publicKeys = ar ++ [ khas ];
+  "secrets/secureboot-cert.age".publicKeys = ar ++ [ khas ];
  "secrets/wg/nibylandia_scylla.age".publicKeys = ar ++ [ scylla ];
  "secrets/wg/dn42_w1kl4s_scylla.age".publicKeys = ar ++ [ scylla ];
  "secrets/lan/nibylandia-ddns-kea.age".publicKeys = ar ++ [ scylla ];
--- a/secrets/secureboot-cert.age
+++ b/secrets/secureboot-cert.age
--- a/secrets/secureboot-key.age
+++ b/secrets/secureboot-key.age