From 1f3911e5f903a85cef2a317f4bb3d2aeb99c6ff9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Laure=CE=B7t?=
Date: Sun, 23 Apr 2023 15:38:34 +0200
Subject: [PATCH] =?UTF-8?q?=E2=9C=A8=20lanzaboot,=20secureboot?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 flake.lock | 263 +++++++++++++++++++++++++++---
 flake.nix | 9 +-
 hosts/neodymium/configuration.nix | 22 ++-
 3 files changed, 269 insertions(+), 25 deletions(-)
diff --git a/flake.lock b/flake.lock
index ae2e7ac..9d9951d 100644
--- a/flake.lock
+++ b/flake.lock
@@ -13,11 +13,11 @@
 "rust-overlay": "rust-overlay"
 },
 "locked": {
- "lastModified": 1681637229,
- "narHash": "sha256-iE4WYI2rozD5sv4bGW+wZ4skIdN79eBWz/qFweLBGxg=",
+ "lastModified": 1682237245,
+ "narHash": "sha256-xbBR7LNK+d5Yi/D6FXQGc1R6u2VV2nwr/Df5iaEbOEQ=",
 "owner": "yaxitech",
 "repo": "ragenix",
- "rev": "4be6d20931f8ea9f0b6bfa710f30c2ad940b1510",
+ "rev": "281f68c3d477904f79ff1cd5807a8c226cd80a50",
 "type": "github"
 },
 "original": {
@@ -35,11 +35,11 @@
 ]
 },
 "locked": {
- "lastModified": 1680281360,
- "narHash": "sha256-XdLTgAzjJNDhAG2V+++0bHpSzfvArvr2pW6omiFfEJk=",
+ "lastModified": 1682101079,
+ "narHash": "sha256-MdAhtjrLKnk2uiqun1FWABbKpLH090oeqCSiWemtuck=",
 "owner": "ryantm",
 "repo": "agenix",
- "rev": "e64961977f60388dd0b49572bb0fc453b871f896",
+ "rev": "2994d002dcff5353ca1ac48ec584c7f6589fe447",
 "type": "github"
 },
 "original": {
@@ -106,11 +106,11 @@
 ]
 },
 "locked": {
- "lastModified": 1681177078,
- "narHash": "sha256-ZNIjBDou2GOabcpctiQykEQVkI8BDwk7TyvlWlI4myE=",
+ "lastModified": 1681680516,
+ "narHash": "sha256-EB8Adaeg4zgcYDJn9sR6UMjN/OHdIiMMK19+3LmmXQY=",
 "owner": "ipetkov",
 "repo": "crane",
- "rev": "0c9f468ff00576577d83f5019a66c557ede5acf6",
+ "rev": "54b63c8eae4c50172cb50b612946ff1d2bc1c75c",
 "type": "github"
 },
 "original": {
@@ -120,6 +120,39 @@
 }
 },
 "crane_2": {
+ "inputs": {
+ "flake-compat": [
+ "lanzaboote",
+ "flake-compat"
+ ],
+ "flake-utils": [
+ "lanzaboote",
+ "flake-utils"
+ ],
+ "nixpkgs": [
+ "lanzaboote",
+ "nixpkgs"
+ ],
+ "rust-overlay": [
+ "lanzaboote",
+ "rust-overlay"
+ ]
+ },
+ "locked": {
+ "lastModified": 1680584903,
+ "narHash": "sha256-uraq+D3jcLzw/UVk0xMHcnfILfIMa0DLrtAEq2nNlxU=",
+ "owner": "ipetkov",
+ "repo": "crane",
+ "rev": "65d3f6a3970cd46bef5eedfd458300f72c56b3c5",
+ "type": "github"
+ },
+ "original": {
+ "owner": "ipetkov",
+ "repo": "crane",
+ "type": "github"
+ }
+ },
+ "crane_3": {
 "flake": false,
 "locked": {
 "lastModified": 1670284777,
@@ -178,9 +211,9 @@
 "inputs": {
 "alejandra": "alejandra",
 "all-cabal-json": "all-cabal-json",
- "crane": "crane_2",
+ "crane": "crane_3",
 "devshell": "devshell",
- "flake-parts": "flake-parts",
+ "flake-parts": "flake-parts_2",
 "flake-utils-pre-commit": "flake-utils-pre-commit",
 "ghc-utils": "ghc-utils",
 "gomod2nix": "gomod2nix",
@@ -247,7 +280,44 @@
 "type": "github"
 }
 },
+ "flake-compat_2": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1673956053,
+ "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
+ "type": "github"
+ },
+ "original": {
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "type": "github"
+ }
+ },
 "flake-parts": {
+ "inputs": {
+ "nixpkgs-lib": [
+ "lanzaboote",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1680392223,
+ "narHash": "sha256-n3g7QFr85lDODKt250rkZj2IFS3i4/8HBU2yKHO3tqw=",
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "rev": "dcc36e45d054d7bb554c9cdab69093debd91a0b5",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "type": "github"
+ }
+ },
+ "flake-parts_2": {
 "inputs": {
 "nixpkgs-lib": "nixpkgs-lib"
 },
@@ -298,6 +368,21 @@
 "type": "github"
 }
 },
+ "flake-utils_2": {
+ "locked": {
+ "lastModified": 1678901627,
+ "narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "93a2b84fc4b70d9e089d029deacc3583435c2ed6",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ },
 "flakeCompat": {
 "flake": false,
 "locked": {
@@ -330,6 +415,28 @@
 "url": "https://gitlab.haskell.org/bgamari/ghc-utils"
 }
 },
+ "gitignore": {
+ "inputs": {
+ "nixpkgs": [
+ "lanzaboote",
+ "pre-commit-hooks-nix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1660459072,
+ "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
+ "owner": "hercules-ci",
+ "repo": "gitignore.nix",
+ "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "gitignore.nix",
+ "type": "github"
+ }
+ },
 "gomod2nix": {
 "flake": false,
 "locked": {
@@ -353,11 +460,11 @@
 ]
 },
 "locked": {
- "lastModified": 1681746824,
- "narHash": "sha256-TRe6SAYqTEyWmHwg5gpAj3arebje/OVi7z9yLqZRYqg=",
+ "lastModified": 1682203081,
+ "narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "ae79840bc756e97f9750fc70448ae0efc1b8dcc3",
+ "rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1",
 "type": "github"
 },
 "original": {
@@ -366,6 +473,33 @@
 "type": "github"
 }
 },
+ "lanzaboote": {
+ "inputs": {
+ "crane": "crane_2",
+ "flake-compat": "flake-compat_2",
+ "flake-parts": "flake-parts",
+ "flake-utils": "flake-utils_2",
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "nixpkgs-test": "nixpkgs-test",
+ "pre-commit-hooks-nix": "pre-commit-hooks-nix",
+ "rust-overlay": "rust-overlay_2"
+ },
+ "locked": {
+ "lastModified": 1682256558,
+ "narHash": "sha256-H+O4yqeePiQcUGvmzXbeZB0fRX1ybAD+LVwP5w3CU/w=",
+ "owner": "nix-community",
+ "repo": "lanzaboote",
+ "rev": "9bf192bb79e2fbee0b9f12cd314b36d194863059",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "lanzaboote",
+ "type": "github"
+ }
+ },
 "mach-nix": {
 "flake": false,
 "locked": {
@@ -399,11 +533,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1681648924,
- "narHash": "sha256-pzi3HISK8+7mpEtv08Yr80wswyHKsz+RP1CROG1Qf6s=",
+ "lastModified": 1682181988,
+ "narHash": "sha256-CYWhlNi16cjGzMby9h57gpYE59quBcsHPXiFgX4Sw5k=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "f294325aed382b66c7a188482101b0f336d1d7db",
+ "rev": "6c43a3495a11e261e5f41e5d7eda2d71dae1b2fe",
 "type": "github"
 },
 "original": {
@@ -431,6 +565,38 @@
 "type": "github"
 }
 },
+ "nixpkgs-stable": {
+ "locked": {
+ "lastModified": 1678872516,
+ "narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "9b8e5abb18324c7fe9f07cb100c3cd4a29cda8b8",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-22.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs-test": {
+ "locked": {
+ "lastModified": 1679009563,
+ "narHash": "sha256-jizICiQOqUcYFNHRNNOo69bfyNo36iyuRAHem5z68LQ=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "371d3778c4f9cee7d5cf014e6ce400d57366570f",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "qemu-boot-disk-using-make-disk-image",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "poetry2nix": {
 "flake": false,
 "locked": {
@@ -475,11 +641,43 @@
 "type": "github"
 }
 },
+ "pre-commit-hooks-nix": {
+ "inputs": {
+ "flake-compat": [
+ "lanzaboote",
+ "flake-compat"
+ ],
+ "flake-utils": [
+ "lanzaboote",
+ "flake-utils"
+ ],
+ "gitignore": "gitignore",
+ "nixpkgs": [
+ "lanzaboote",
+ "nixpkgs"
+ ],
+ "nixpkgs-stable": "nixpkgs-stable"
+ },
+ "locked": {
+ "lastModified": 1680981441,
+ "narHash": "sha256-Tqr2mCVssUVp1ZXXMpgYs9+ZonaWrZGPGltJz94FYi4=",
+ "owner": "cachix",
+ "repo": "pre-commit-hooks.nix",
+ "rev": "2144d9ddcb550d6dce64a2b44facdc8c5ea2e28a",
+ "type": "github"
+ },
+ "original": {
+ "owner": "cachix",
+ "repo": "pre-commit-hooks.nix",
+ "type": "github"
+ }
+ },
 "root": {
 "inputs": {
 "agenix": "agenix",
 "flake-utils": "flake-utils",
 "home-manager": "home-manager",
+ "lanzaboote": "lanzaboote",
 "nixpkgs": "nixpkgs",
 "webcord": "webcord"
 }
@@ -513,11 +711,36 @@
 ]
 },
 "locked": {
- "lastModified": 1681525152,
- "narHash": "sha256-KzI+ILcmU03iFWtB+ysPqtNmp8TP8v1BBReTuPP8MJY=",
+ "lastModified": 1682129965,
+ "narHash": "sha256-1KRPIorEL6pLpJR04FwAqqnt4Tzcm4MqD84yhlD+XSk=",
 "owner": "oxalica",
 "repo": "rust-overlay",
- "rev": "b6f8d87208336d7cb85003b2e439fc707c38f92a",
+ "rev": "2c417c0460b788328220120c698630947547ee83",
+ "type": "github"
+ },
+ "original": {
+ "owner": "oxalica",
+ "repo": "rust-overlay",
+ "type": "github"
+ }
+ },
+ "rust-overlay_2": {
+ "inputs": {
+ "flake-utils": [
+ "lanzaboote",
+ "flake-utils"
+ ],
+ "nixpkgs": [
+ "lanzaboote",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1682129965,
+ "narHash": "sha256-1KRPIorEL6pLpJR04FwAqqnt4Tzcm4MqD84yhlD+XSk=",
+ "owner": "oxalica",
+ "repo": "rust-overlay",
+ "rev": "2c417c0460b788328220120c698630947547ee83",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index 3f79fac..887d109 100644
--- a/flake.nix
+++ b/flake.nix
@@ -5,6 +5,11 @@
 nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
 flake-utils.url = "github:numtide/flake-utils";
+ lanzaboote = {
+ url = "github:nix-community/lanzaboote";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
 agenix = {
 url = "github:yaxitech/ragenix";
 inputs.nixpkgs.follows = "nixpkgs";
@@ -22,7 +27,8 @@
 };
 };
- outputs = { nixpkgs, flake-utils, agenix, home-manager, webcord, ... }:
+ outputs =
+ { nixpkgs, flake-utils, lanzaboote, agenix, home-manager, webcord, ... }:
 # Provide colmena
 (flake-utils.lib.eachDefaultSystem (system:
@@ -54,6 +60,7 @@
 ./hosts/${name}/configuration.nix
 home-manager.nixosModules.home-manager
 agenix.nixosModules.default
+ lanzaboote.nixosModules.lanzaboote
 ];
 home-manager = {
 useGlobalPkgs = true;
diff --git a/hosts/neodymium/configuration.nix b/hosts/neodymium/configuration.nix
index fea9a47..5bb0417 100644
--- a/hosts/neodymium/configuration.nix
+++ b/hosts/neodymium/configuration.nix
@@ -26,14 +26,28 @@
 };
 };
- # use bootspec
+ # This should already be here from switching to bootspec earlier.
+ # It's not required anymore, but also doesn't do any harm.
 boot.bootspec.enable = true;
- # use systemd-boot EFI boot loader
- boot.loader.systemd-boot.enable = true;
- boot.loader.efi.canTouchEfiVariables = true;
+ environment.systemPackages = [
+ # For debugging and troubleshooting Secure Boot.
+ pkgs.sbctl
+ ];
+
+ # Lanzaboote currently replaces the systemd-boot module.
+ # This setting is usually set to true in configuration.nix
+ # generated at installation time. So we force it to false
+ # for now.
+ boot.loader.systemd-boot.enable = lib.mkForce false;
+
+ boot.lanzaboote = {
+ enable = true;
+ pkiBundle = "/etc/secureboot";
+ };
 # enable NTFS disk mounting
+ boot.loader.efi.canTouchEfiVariables = true;
 boot.supportedFilesystems = [ "ntfs" ];
 # clean /tmp at each boot
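Review bot: The new `lanzaboote` input in the first flake.nix hunk only follows the root `nixpkgs`, and the flake.lock hunks show lanzaboote's own `flake-utils_2` and `rust-overlay_2` being locked as separate copies (plus `nixpkgs-stable` and `nixpkgs-test` arriving through its pre-commit and test inputs), so the closure now carries two `flake-utils` revisions. Since `flake-utils` is already a root input, adding `inputs.flake-utils.follows = "flake-utils";` under the existing `inputs.nixpkgs.follows = "nixpkgs";` line would deduplicate it; the remaining transitive inputs have no root counterpart and are reasonable to leave as locked.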
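Review bot: `boot.loader.efi.canTouchEfiVariables = true;` has been moved under the `# enable NTFS disk mounting` comment in the configuration.nix hunk, which now mislabels it; keep it next to the `boot.lanzaboote` block, where the EFI and Secure Boot settings live, so the comment above `boot.supportedFilesystems` describes only that line. `lib.mkForce` also needs `lib` in the module's argument set, and the module header is outside this hunk, so confirm it reads `{ config, lib, pkgs, ... }:` or evaluation fails on an undefined variable. `pkiBundle = "/etc/secureboot"` names the directory holding the Secure Boot signing keys, which nothing in this configuration creates; a comment such as `# Secure Boot signing keys; generated out of band (e.g. with sbctl) before the first rebuild and kept root-only` would make that precondition and the sensitivity of the directory explicit to the next reader.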