# dreamflasher

```
root@dma-dreamflasher
---------------------
OS: NixOS 26.05.20251130.2d293cb (Yarara) aarch64
Host: ADLINK Ampere Altra Developer Platform
Kernel: 6.12.59
Uptime: 5 hours, 11 mins
Packages: 504 (nix-system)
Shell: bash 5.3.3
Resolution: 1024x768
Terminal: /dev/pts/0
CPU: (128) @ 3.0GHz
GPU: ASPEED Technology, Inc. ASPEED Graphics Family
Memory: 4.24GiB / 125.19GiB (3%)
```

- **owner:** `@ellie`
- **admin:** `@diamond`, `@infra-nixos`
- **mac:** `00:30:64:76:4c:b3`

## Impermanence

This machine runs [Impermanence](https://nixos.wiki/wiki/Impermanence)! Specifically, it runs a custom impermanence-inspired module written by `@ellie`.

This means that on every boot, the entire filesystem except for those stated to be persisted in the machine's NixOS configuration will be wiped clean. For more information on the why, read [Erase Your Darlings](https://grahamc.com/blog/erase-your-darlings/).

## Secure Boot Maintenance

This machine uses Secure Boot to ensure that the booted kernel is signed properly. Then from this, TPM2 is used to decrypt the 2 root drives.

> **Note:** We currently don't do mirrored boot properly because [Lanzaboote] doesn't support it properly. The server almost certainly only boots from one drive currently, despite mirroring root to both via ZFS.

[Lanzaboote]: https://github.com/nix-community/lanzaboote

### Entering Secure Boot Setup Mode

> **Note:** Guide assumes an already running system. It does not cover resetting the system from scratch.

1. Enter BIOS setup by spamming `Esc` then `Device Manager`
2. Go into `Secure Boot Configuration`
3. Switch Secure Boot mode to `Custom mode`
4. Go to the list of Secure Boot keys, then `PK`, then `Delete PK`. Confirm yes.
5. Go out, then `Boot Manager`, then boot into NixOS as usual.
6. Validate setup mode using `sbctl status` and `bootctl status`.
7. Use `sbctl enroll-keys --microsoft`.
8. Validate that you're no longer in setup mode via the above commands.
9. Reboot again. Validate that the system boots fine.
10. Re-enroll TPM2-backed decryption via [Arch wiki guide](https://wiki.archlinux.org/title/Systemd-cryptenroll#Trusted_Platform_Module).
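
A scriptable cross-check for steps 6 and 8, added here as an example and not part of this machine's configuration: it reads the UEFI `SetupMode` and `SecureBoot` variables straight from efivarfs instead of parsing tool output. The function names and the `EFIVARS_DIR` override are assumptions of this example.

```shell
# Added example: classify firmware state from the UEFI global variables.
# EFIVARS_DIR is overridable (assumption of this example) for testing.
EFIVARS_DIR="${EFIVARS_DIR:-/sys/firmware/efi/efivars}"
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Print the one-byte value (0 or 1) of an EFI global variable.
# efivarfs files begin with a 4-byte attribute header, so the data is byte 5.
efi_flag() {
    local file v
    file="$EFIVARS_DIR/$1-$EFI_GLOBAL_GUID"
    [ -r "$file" ] || return 2
    v="$(od -An -tu1 -j4 -N1 "$file" 2>/dev/null | tr -d '[:space:]')"
    [ -n "$v" ] || return 2
    printf '%s\n' "$v"
}

# Print "setup", "user-enforcing", "user-disabled" or "unknown".
sb_state() {
    local setup secure
    setup="$(efi_flag SetupMode)" || { echo unknown; return 0; }
    secure="$(efi_flag SecureBoot)" || { echo unknown; return 0; }
    if [ "$setup" = 1 ]; then
        echo setup
    elif [ "$secure" = 1 ]; then
        echo user-enforcing
    else
        echo user-disabled
    fi
}

# Succeed only if the state matches the given shell pattern.
#   expect_state setup      (step 6, before enrolling keys)
#   expect_state 'user-*'   (step 8, after enrolling keys)
expect_state() {
    local got
    got="$(sb_state)"
    case "$got" in
        $1) echo "ok: firmware state is $got" ;;
        *)  echo "MISMATCH: expected $1, got $got" >&2; return 1 ;;
    esac
}
```

A result of `unknown` means the variables could not be read, for example when efivarfs is not mounted.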