diff --git a/configuration.nix b/configuration.nix
index 2ba4f73..381d69b 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -32,8 +32,14 @@
 # ═══════════════════════════════════════════════════════════════
 # BOOT
 # ═══════════════════════════════════════════════════════════════
- boot.loader.systemd-boot.enable = true;
+
+ # ─── Bootloader: Limine with Secure Boot ───
+ boot.loader.systemd-boot.enable = false; # Disabled - using Limine
+ boot.loader.limine.enable = true;
+ boot.loader.limine.secureBoot.enable = true;
 boot.loader.efi.canTouchEfiVariables = true;
+
+ # ─── Kernel ───
 boot.kernelPackages = pkgs.cachyosKernels.linuxPackages-cachyos-latest-x86_64-v3;

 # Kernel parameters (consolidated from modules)
@@ -42,6 +48,28 @@
 "amdgpu.ppfeaturemask=0xffffffff" # Full AMD GPU power features (from gpu-amd.nix)
 ];

+ # ─── Full Disk Encryption (LUKS) ───
+ boot.initrd.luks.devices = {
+ "cryptroot" = {
+ device = "/dev/disk/by-label/cryptroot";
+ allowDiscards = true; # Enable TRIM for SSD performance
+ };
+ "cryptswap" = {
+ device = "/dev/disk/by-label/cryptswap";
+ allowDiscards = true;
+ keyFile = "/swap.key"; # Auto-unlock with keyfile after root is decrypted
+ };
+ };
+
+ # Include swap keyfile in initrd (encrypted, only accessible during boot)
+ boot.initrd.secrets = {
+ "/swap.key" = /var/lib/secrets/swap.key;
+ };
+
+ # ─── Hibernation ───
+ boot.resumeDevice = "/dev/mapper/cryptswap";
+
+ # ─── Scheduler ───
 # sched-ext scheduler for gaming performance
 services.scx.enable = true;
 services.scx.scheduler = "scx_lavd"; # Low-latency scheduler, good for gaming
@@ -184,6 +212,9 @@
 wget
 curl

+ # Secure Boot management
+ sbctl
+
 # Nix tools
 nil # Nix LSP
 nixd
diff --git a/scripts/install-fde.sh b/scripts/install-fde.sh
new file mode 100755
index 0000000..a505399
--- /dev/null
+++ b/scripts/install-fde.sh
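Review bot: `boot.loader.limine.secureBoot.enable = true` is switched on in the same configuration that `nixos-install` applies from the live medium, yet install-fde.sh's next steps defer Secure Boot key creation to setup-secureboot.sh after the first boot; if the Limine module signs the bootloader at install time it will have no sbctl keys to sign with, so the first install may fail or leave an unsigned bootloader — worth confirming against the module before relying on this sequence. A safer order is to leave secureBoot off for the initial install and enable it in the rebuild that setup-secureboot.sh performs after `sbctl create-keys`. At minimum the `# ─── Bootloader` block should name the dependency, e.g. `# secureBoot.enable needs existing sbctl keys; run scripts/setup-secureboot.sh before enabling`.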
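Review bot: The comment `# Include swap keyfile in initrd (encrypted, only accessible during boot)` is inaccurate: `boot.initrd.secrets` appends /var/lib/secrets/swap.key to the initrd that lives on the unencrypted ESP mounted at /boot, so the key that opens cryptswap — and with it any hibernation image, which holds RAM contents including the root volume's in-memory master key — is readable offline by anyone holding the disk. Secure Boot signing, where Limine applies it, gives integrity rather than confidentiality, so it does not close this gap. Since install-fde.sh already lets the swap passphrase equal the root one, the `keyFile` line and the whole `boot.initrd.secrets` block can be dropped in favour of NixOS's passphrase reuse across LUKS devices (`boot.initrd.luks.reusePassphrases`, on by default in the scripted stage-1), which opens cryptswap early enough for `boot.resumeDevice`; if the keyfile is kept, the comment should instead say `# NOTE: initrd secrets are stored in plaintext on the ESP; anyone with the disk can read this key`. The `# Auto-unlock with keyfile after root is decrypted` comment is also misleading, because the key comes from the initrd, not from the decrypted root.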
@@ -0,0 +1,161 @@
+#!/usr/bin/env bash
+# NixOS Installation Script - Full Disk Encryption with Limine
+# Target: /dev/nvme0n1
+# Layout: 1GB EFI + 34GB encrypted swap + remaining encrypted root
+# Filesystems: FAT32 (EFI), XFS (root), swap
+
+set -euo pipefail
+
+# ═══════════════════════════════════════════════════════════════
+# CONFIGURATION
+# ═══════════════════════════════════════════════════════════════
+DISK="/dev/nvme0n1"
+EFI_PART="${DISK}p1"
+SWAP_PART="${DISK}p2"
+ROOT_PART="${DISK}p3"
+
+EFI_SIZE="1GiB"
+SWAP_SIZE="35GiB" # 1GiB + 34GiB = 35GiB end point
+
+# ═══════════════════════════════════════════════════════════════
+# SAFETY CHECK
+# ═══════════════════════════════════════════════════════════════
+echo "WARNING: This will DESTROY all data on ${DISK}"
+echo ""
+echo "Partition layout:"
+echo " ${EFI_PART} - 1GB EFI System Partition (FAT32)"
+echo " ${SWAP_PART} - 34GB Encrypted swap (LUKS2)"
+echo " ${ROOT_PART} - Rest Encrypted root (LUKS2 + XFS)"
+echo ""
+read -p "Type 'YES' to continue: " confirm
+
+if [[ "$confirm" != "YES" ]]; then
+ echo "Aborted."
+ exit 1
+fi
+
+# ═══════════════════════════════════════════════════════════════
+# PHASE 1: PARTITIONING
+# ═══════════════════════════════════════════════════════════════
+echo ""
+echo "═══ Phase 1: Partitioning ${DISK} ═══"
+
+parted "${DISK}" -- mklabel gpt
+parted "${DISK}" -- mkpart ESP fat32 1MiB "${EFI_SIZE}"
+parted "${DISK}" -- set 1 esp on
+parted "${DISK}" -- mkpart swap "${EFI_SIZE}" "${SWAP_SIZE}"
+parted "${DISK}" -- mkpart root "${SWAP_SIZE}" 100%
+
+echo "Partitioning complete."
+sleep 1
+
+# ═══════════════════════════════════════════════════════════════
+# PHASE 2: FORMAT EFI
+# ═══════════════════════════════════════════════════════════════
+echo ""
+echo "═══ Phase 2: Formatting EFI partition ═══"
+
+mkfs.fat -F 32 -n BOOT "${EFI_PART}"
+
+echo "EFI partition formatted."
+
+# ═══════════════════════════════════════════════════════════════
+# PHASE 3: LUKS ENCRYPTION
+# ═══════════════════════════════════════════════════════════════
+echo ""
+echo "═══ Phase 3: Setting up LUKS encryption ═══"
+
+echo ""
+echo "─── Encrypting ROOT partition (${ROOT_PART}) ───"
+echo "You will be prompted to create a passphrase."
+cryptsetup luksFormat --type luks2 --label cryptroot "${ROOT_PART}"
+cryptsetup open "${ROOT_PART}" cryptroot
+
+echo ""
+echo "─── Encrypting SWAP partition (${SWAP_PART}) ───"
+echo "You will be prompted to create a passphrase (can be same as root)."
+cryptsetup luksFormat --type luks2 --label cryptswap "${SWAP_PART}"
+cryptsetup open "${SWAP_PART}" cryptswap
+
+echo "LUKS encryption configured."
+
+# ═══════════════════════════════════════════════════════════════
+# PHASE 4: GENERATE SWAP KEYFILE
+# ═══════════════════════════════════════════════════════════════
+echo ""
+echo "═══ Phase 4: Generating swap keyfile ═══"
+
+dd bs=4096 count=1 if=/dev/random of=/tmp/swap.key iflag=fullblock
+chmod 600 /tmp/swap.key
+
+echo "Adding keyfile to swap LUKS volume..."
+cryptsetup luksAddKey "${SWAP_PART}" /tmp/swap.key
+
+echo "Keyfile generated and added to swap."
+
+# ═══════════════════════════════════════════════════════════════
+# PHASE 5: FORMAT ENCRYPTED VOLUMES
+# ═══════════════════════════════════════════════════════════════
+echo ""
+echo "═══ Phase 5: Formatting encrypted volumes ═══"
+
+mkfs.xfs -L nixos /dev/mapper/cryptroot
+mkswap -L swap /dev/mapper/cryptswap
+
+echo "Filesystems created."
+
+# ═══════════════════════════════════════════════════════════════
+# PHASE 6: MOUNT
+# ═══════════════════════════════════════════════════════════════
+echo ""
+echo "═══ Phase 6: Mounting filesystems ═══"
+
+mount /dev/mapper/cryptroot /mnt
+mkdir -p /mnt/boot
+mkdir -p /mnt/var/lib/secrets
+mount "${EFI_PART}" /mnt/boot
+swapon /dev/mapper/cryptswap
+
+# Store keyfile securely
+mv /tmp/swap.key /mnt/var/lib/secrets/swap.key
+chmod 600 /mnt/var/lib/secrets/swap.key
+chown root:root /mnt/var/lib/secrets/swap.key
+
+echo "Filesystems mounted."
+echo ""
+echo "Mount layout:"
+lsblk -o NAME,SIZE,TYPE,MOUNTPOINT "${DISK}"
+
+# ═══════════════════════════════════════════════════════════════
+# PHASE 7: GENERATE HARDWARE CONFIG
+# ═══════════════════════════════════════════════════════════════
+echo ""
+echo "═══ Phase 7: Generating NixOS hardware configuration ═══"
+
+nixos-generate-config --root /mnt
+
+echo "Hardware configuration generated at /mnt/etc/nixos/"
+
+# ═══════════════════════════════════════════════════════════════
+# NEXT STEPS
+# ═══════════════════════════════════════════════════════════════
+echo ""
+echo "═══════════════════════════════════════════════════════════════"
+echo " DISK SETUP COMPLETE!"
+echo "═══════════════════════════════════════════════════════════════"
+echo ""
+echo "Next steps:"
+echo ""
+echo "1. Copy your NixOS configuration to /mnt/etc/nixos/"
+echo " Example: cp -r ~/nixos/* /mnt/etc/nixos/"
+echo ""
+echo "2. IMPORTANT: Verify hardware-configuration.nix has correct mounts:"
+echo " - fileSystems.\"/\" = { device = \"/dev/mapper/cryptroot\"; fsType = \"xfs\"; }"
+echo " - fileSystems.\"/boot\" = { device = \"/dev/disk/by-label/BOOT\"; fsType = \"vfat\"; }"
+echo " - swapDevices = [ { device = \"/dev/mapper/cryptswap\"; } ]"
+echo ""
+echo "3. Run the installation:"
+echo " nixos-install --flake /mnt/etc/nixos#nixos"
+echo ""
+echo "4. After reboot, run the Secure Boot setup script."
+echo ""
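Review bot: In Phase 4 the keyfile is written by `dd` under the default umask and only tightened afterwards by `chmod 600`, leaving a window in which /tmp/swap.key is readable by other users on the live system; the two lines should become `(umask 077; dd bs=4096 count=1 if=/dev/random of=/tmp/swap.key iflag=fullblock)`. Phase 6's `mkdir -p /mnt/var/lib/secrets` likewise creates the secrets directory with default permissions, so `install -d -m 700 /mnt/var/lib/secrets` is the better form. Whether /tmp on the installer is tmpfs, so that the plaintext key never reaches persistent storage, depends on the live medium and is not established by the script; generating the key under /mnt after the root is mounted would sidestep the question. `sleep 1` after partitioning is a race rather than a wait; `udevadm settle` (or `partprobe "${DISK}"`) is what the following `mkfs.fat` on `${EFI_PART}` actually depends on.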
diff --git a/scripts/setup-secureboot.sh b/scripts/setup-secureboot.sh
new file mode 100755
index 0000000..5ce7915
--- /dev/null
+++ b/scripts/setup-secureboot.sh
@@ -0,0 +1,125 @@
+#!/usr/bin/env bash
+# Secure Boot Setup Script for NixOS with Limine
+# Run this AFTER first successful boot into NixOS
+
+set -euo pipefail
+
+echo "═══════════════════════════════════════════════════════════════"
+echo " NixOS Secure Boot Setup"
+echo "═══════════════════════════════════════════════════════════════"
+echo ""
+
+# ═══════════════════════════════════════════════════════════════
+# CHECK PREREQUISITES
+# ═══════════════════════════════════════════════════════════════
+if [[ $EUID -ne 0 ]]; then
+ echo "ERROR: This script must be run as root (use sudo)"
+ exit 1
+fi
+
+if ! command -v sbctl &> /dev/null; then
+ echo "ERROR: sbctl not found. Ensure your NixOS config includes it."
+ echo "Add to configuration.nix: environment.systemPackages = [ pkgs.sbctl ];"
+ exit 1
+fi
+
+# ═══════════════════════════════════════════════════════════════
+# STEP 1: CHECK CURRENT STATUS
+# ═══════════════════════════════════════════════════════════════
+echo "─── Step 1: Checking current Secure Boot status ───"
+echo ""
+
+sbctl status || true
+echo ""
+
+# ═══════════════════════════════════════════════════════════════
+# STEP 2: CREATE SECURE BOOT KEYS
+# ═══════════════════════════════════════════════════════════════
+echo "─── Step 2: Creating Secure Boot keys ───"
+echo ""
+
+if [[ -d /etc/secureboot/keys ]]; then
+ echo "Keys already exist at /etc/secureboot/keys"
+ read -p "Regenerate keys? (y/N): " regen
+ if [[ "$regen" == "y" || "$regen" == "Y" ]]; then
+ sbctl create-keys
+ fi
+else
+ sbctl create-keys
+fi
+
+echo ""
+echo "Keys created successfully."
+
+# ═══════════════════════════════════════════════════════════════
+# STEP 3: VERIFY WHAT NEEDS SIGNING
+# ═══════════════════════════════════════════════════════════════
+echo ""
+echo "─── Step 3: Checking files that need signing ───"
+echo ""
+
+sbctl verify
+
+echo ""
+
+# ═══════════════════════════════════════════════════════════════
+# STEP 4: ENROLL KEYS
+# ═══════════════════════════════════════════════════════════════
+echo ""
+echo "─── Step 4: Enrolling Secure Boot keys ───"
+echo ""
+echo "IMPORTANT: Before this step, you must:"
+echo " 1. Reboot into UEFI/BIOS settings"
+echo " 2. Find Secure Boot settings"
+echo " 3. Clear existing keys OR put Secure Boot in 'Setup Mode'"
+echo " 4. Save and boot back to NixOS"
+echo ""
+read -p "Have you put Secure Boot in Setup Mode? (y/N): " setup_mode
+
+if [[ "$setup_mode" != "y" && "$setup_mode" != "Y" ]]; then
+ echo ""
+ echo "Please reboot into UEFI and enable Setup Mode first."
+ echo "Then run this script again."
+ exit 0
+fi
+
+echo ""
+echo "Enrolling keys with Microsoft keys included (for hardware compatibility)..."
+sbctl enroll-keys -m
+
+echo ""
+echo "Keys enrolled successfully."
+
+# ═══════════════════════════════════════════════════════════════
+# STEP 5: REBUILD NIXOS TO SIGN EVERYTHING
+# ═══════════════════════════════════════════════════════════════
+echo ""
+echo "─── Step 5: Rebuilding NixOS to sign bootloader and kernel ───"
+echo ""
+
+nixos-rebuild switch --flake ~/nixos#nixos
+
+echo ""
+echo "NixOS rebuilt with signed binaries."
+
+# ═══════════════════════════════════════════════════════════════
+# STEP 6: FINAL VERIFICATION
+# ═══════════════════════════════════════════════════════════════
+echo ""
+echo "─── Step 6: Final verification ───"
+echo ""
+
+sbctl verify
+
+echo ""
+echo "═══════════════════════════════════════════════════════════════"
+echo " SECURE BOOT SETUP COMPLETE!"
+echo "═══════════════════════════════════════════════════════════════"
+echo ""
+echo "Next steps:"
+echo " 1. Reboot into UEFI/BIOS"
+echo " 2. Enable Secure Boot"
+echo " 3. Save and boot"
+echo ""
+echo "After reboot, verify with: sbctl status"
+echo ""
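Review bot: Step 5 runs `nixos-rebuild switch --flake ~/nixos#nixos`, but the script refuses to run unless `$EUID` is 0 and tells the user to use sudo, under which `~` expands to root's home rather than the invoking user's, so the flake path will usually not exist; install-fde.sh places the configuration in /mnt/etc/nixos and installs from `/mnt/etc/nixos#nixos`, so the consistent line is `nixos-rebuild switch --flake /etc/nixos#nixos`. The ordering is also fragile: keys are enrolled with `sbctl enroll-keys -m` in Step 4 before anything is signed in Step 5, so if the firmware begins enforcing once a PK is present and the rebuild fails or the machine is rebooted in between, the still-unsigned bootloader will not boot; running the signing rebuild and `sbctl verify` before `enroll-keys` removes that window. The `-d /etc/secureboot/keys` check in Step 2 may miss keys on installations where sbctl keeps them under /var/lib/sbctl, in which case the script would run `sbctl create-keys` over an existing set — worth confirming against the sbctl version shipped. `sbctl verify` in Step 3 runs under `set -e`; if it exits non-zero when it lists unsigned files, the script aborts before enrollment, so `sbctl verify || true` (as Step 1 already does for `status`) would be consistent.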