+1 -1

hosts/decryption/default.nix

reviewed

··· 14 14 (flakeRoot + /hardware/gpu/nvidia.nix) 15 15 16 16 (flakeRoot + /modules/common) 17 17 - (flakeRoot + /modules/common/boot/systemd-boot.nix) 17 17 + (flakeRoot + /modules/common/boot/secureboot.nix) 18 18 (flakeRoot + /modules/common/system/audio.nix) 19 19 20 20 (flakeRoot + /modules/desktop/environments/gnome.nix)

+4 -1

hosts/decryption/disks.nix

reviewed

··· 1 1 { 2 2 + boot.initrd.systemd.enable = true; 3 3 + 2 4 disko.devices = { 3 5 disk = { 4 6 main = { ··· 36 38 37 39 settings = { 38 40 crypttabExtraOpts = [ 39 39 - "tpm-device=auto" 41 41 + "tpm2-device=auto" 40 42 "token-timeout=10" 41 43 ]; 42 44 }; ··· 69 71 }; 70 72 71 73 swap = { 74 74 + name = "swap"; 72 75 size = "32G"; 73 76 74 77 content = {

+2

hosts/decryption/users/encode42.nix

reviewed

··· 17 17 (flakeRoot + /packages/desktop/steam.nix) 18 18 ]; 19 19 20 20 + security.pam.services.login.unixAuth = false; 21 21 + 20 22 home-manager.users.encode42 = { 21 23 imports = [ 22 24 ../homes/encode42.nix

+4 -1

modules/common/boot/secureboot.nix

reviewed

··· 1 1 + # note: make sure to create secureboot keys before installation. 2 2 + # https://github.com/nix-community/lanzaboote/blob/b2f781751764ff57d54f7cf1910ae1bbf268ed1c/docs/QUICK_START.md 3 3 + 1 4 { 2 5 lib, 3 6 lanzaboote, ··· 16 19 boot.lanzaboote = { 17 20 enable = true; 18 21 19 19 - pkiBundle = "/etc/secureboot"; 22 22 + pkiBundle = "/var/lib/sbctl"; 20 23 }; 21 24 22 25 environment.systemPackages = with pkgs; [

+2

modules/common/boot/systemd-boot.nix

reviewed

··· 9 9 editor = false; 10 10 configurationLimit = 6; 11 11 }; 12 12 + 13 13 + boot.loader.timeout = 0; 12 14 }

+4

packages/common/yubikey.nix

reviewed

··· 11 11 enable = true; 12 12 }; 13 13 14 14 + security.pam.services = { 15 15 + login.u2fAuth = true; 16 16 + }; 17 17 + 14 18 services.udev.packages = with pkgs; [ 15 19 yubikey-personalization 16 20 ];