dreamflasher
```text
root@dma-dreamflasher
---------------------
OS: NixOS 26.05.20251130.2d293cb (Yarara) aarch64
Host: ADLINK Ampere Altra Developer Platform
Kernel: 6.12.59
Uptime: 5 hours, 11 mins
Packages: 504 (nix-system)
Shell: bash 5.3.3
Resolution: 1024x768
Terminal: /dev/pts/0
CPU: (128) @ 3.0GHz
GPU: ASPEED Technology, Inc. ASPEED Graphics Family
Memory: 4.24GiB / 125.19GiB (3%)
```

- owner: @ellie
- admin: @diamond, @infra-nixos
- mac: 00:30:64:76:4c:b3
Impermanence
This machine runs Impermanence! Specifically, it runs a custom impermanence-inspired module written by @ellie. This means that on every boot, the entire filesystem, except for the paths explicitly listed as persisted in the machine's NixOS configuration, is wiped clean. For the reasoning behind this, read Erase Your Darlings.
Secure Boot Maintenance
This machine uses Secure Boot to ensure that only a properly signed kernel is booted. Building on that, TPM2 is used to decrypt the two root drives.
Note: Mirrored boot is not currently set up properly because Lanzaboote does not support it. The server almost certainly boots from only one drive at present, even though root is mirrored to both drives via ZFS.
Entering Secure Boot Setup Mode
Note: This guide assumes an already running system. It does not cover resetting the system from scratch.
- Enter BIOS setup by spamming `Esc`, then choose Device Manager.
- Go into Secure Boot Configuration.
- Switch Secure Boot mode to Custom mode.
- Go to the list of Secure Boot keys, then PK, then Delete PK. Confirm with Yes.
- Go out, then Boot Manager, then boot into NixOS as usual.
- Validate setup mode using `sbctl status` and `bootctl status`.
- Use `sbctl enroll-keys --microsoft`.
- Validate that you're no longer in setup mode via the above commands.
- Reboot again. Validate that the system boots fine.
- Re-enroll TPM2-backed decryption via the Arch wiki guide.
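As a second check that does not depend on how `sbctl status` or `bootctl status` format their output, the setup-mode and user-mode states can be read straight from the SetupMode and SecureBoot EFI variables in efivarfs. This is an added example, not code from this wiki page or from @ellie's module; it assumes the standard efivarfs mount at /sys/firmware/efi/efivars and takes the directory as a parameter so it can also be exercised on constructed files.

```shell
# Each efivarfs file holds 4 bytes of variable attributes followed by the
# variable data. SetupMode and SecureBoot (EFI global variable namespace,
# GUID 8be4df61-93ca-11d2-aa0d-00e098032b8c) each carry a single 0/1 byte.
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"

# read_efi_byte DIR NAME: print the first data byte (after the 4 attribute
# bytes) as 0 or 1. Prints "missing" and fails if the variable is absent,
# e.g. when the machine was not booted via UEFI at all.
read_efi_byte() {
    local dir="$1" name="$2"
    local path="$dir/${name}-${EFI_GLOBAL_GUID}"
    if [ ! -r "$path" ]; then
        echo missing
        return 1
    fi
    dd if="$path" bs=1 skip=4 count=1 2>/dev/null | od -An -tu1 | tr -d ' \n'
}

# secure_boot_state [DIR]: classify the firmware state as one of
#   setup-mode           PK deleted; firmware accepts new keys (sbctl enroll-keys works here)
#   user-mode-enforcing  PK present and Secure Boot is enforcing signatures
#   user-mode-disabled   PK present but Secure Boot is switched off
#   unknown              variables not readable
secure_boot_state() {
    local dir="${1:-/sys/firmware/efi/efivars}"
    local setup sb
    setup=$(read_efi_byte "$dir" SetupMode) || { echo unknown; return 1; }
    sb=$(read_efi_byte "$dir" SecureBoot) || { echo unknown; return 1; }
    if [ "$setup" = 1 ]; then
        echo setup-mode
    elif [ "$sb" = 1 ]; then
        echo user-mode-enforcing
    else
        echo user-mode-disabled
    fi
}

# Run with --live to report the state of the machine this is executed on.
case "${1:-}" in
    --live) secure_boot_state ;;
esac
```

Before `sbctl enroll-keys --microsoft` the expected result is `setup-mode`; after enrolling and rebooting it should read `user-mode-enforcing`.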