Laurent/infrastructure
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

lanzaboot, secureboot

Browse source
This commit is contained in:
Laureηt 2023-04-23 15:38:34 +02:00
parent caf7a87a52
commit 1f3911e5f9
Signed by: Laurent
SSH key fingerprint: SHA256:kZEpW8cMJ54PDeCvOhzreNr4FSh6R13CMGH/POoO8DI
3 changed files with 269 additions and 25 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

263
flake.lock
View file

@ -13,11 +13,11 @@
"rust-overlay": "rust-overlay" "rust-overlay": "rust-overlay"
}, },
"locked": { "locked": {
"lastModified": 1681637229, "lastModified": 1682237245,
"narHash": "sha256-iE4WYI2rozD5sv4bGW+wZ4skIdN79eBWz/qFweLBGxg=", "narHash": "sha256-xbBR7LNK+d5Yi/D6FXQGc1R6u2VV2nwr/Df5iaEbOEQ=",
"owner": "yaxitech", "owner": "yaxitech",
"repo": "ragenix", "repo": "ragenix",
"rev": "4be6d20931f8ea9f0b6bfa710f30c2ad940b1510", "rev": "281f68c3d477904f79ff1cd5807a8c226cd80a50",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -35,11 +35,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1680281360, "lastModified": 1682101079,
"narHash": "sha256-XdLTgAzjJNDhAG2V+++0bHpSzfvArvr2pW6omiFfEJk=", "narHash": "sha256-MdAhtjrLKnk2uiqun1FWABbKpLH090oeqCSiWemtuck=",
"owner": "ryantm", "owner": "ryantm",
"repo": "agenix", "repo": "agenix",
"rev": "e64961977f60388dd0b49572bb0fc453b871f896", "rev": "2994d002dcff5353ca1ac48ec584c7f6589fe447",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -106,11 +106,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1681177078, "lastModified": 1681680516,
"narHash": "sha256-ZNIjBDou2GOabcpctiQykEQVkI8BDwk7TyvlWlI4myE=", "narHash": "sha256-EB8Adaeg4zgcYDJn9sR6UMjN/OHdIiMMK19+3LmmXQY=",
"owner": "ipetkov", "owner": "ipetkov",
"repo": "crane", "repo": "crane",
"rev": "0c9f468ff00576577d83f5019a66c557ede5acf6", "rev": "54b63c8eae4c50172cb50b612946ff1d2bc1c75c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -120,6 +120,39 @@
} }
}, },
"crane_2": { "crane_2": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"nixpkgs": [
"lanzaboote",
"nixpkgs"
],
"rust-overlay": [
"lanzaboote",
"rust-overlay"
]
},
"locked": {
"lastModified": 1680584903,
"narHash": "sha256-uraq+D3jcLzw/UVk0xMHcnfILfIMa0DLrtAEq2nNlxU=",
"owner": "ipetkov",
"repo": "crane",
"rev": "65d3f6a3970cd46bef5eedfd458300f72c56b3c5",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"crane_3": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1670284777, "lastModified": 1670284777,
@ -178,9 +211,9 @@
"inputs": { "inputs": {
"alejandra": "alejandra", "alejandra": "alejandra",
"all-cabal-json": "all-cabal-json", "all-cabal-json": "all-cabal-json",
"crane": "crane_2", "crane": "crane_3",
"devshell": "devshell", "devshell": "devshell",
"flake-parts": "flake-parts", "flake-parts": "flake-parts_2",
"flake-utils-pre-commit": "flake-utils-pre-commit", "flake-utils-pre-commit": "flake-utils-pre-commit",
"ghc-utils": "ghc-utils", "ghc-utils": "ghc-utils",
"gomod2nix": "gomod2nix", "gomod2nix": "gomod2nix",
@ -247,7 +280,44 @@
"type": "github" "type": "github"
} }
}, },
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": { "flake-parts": {
"inputs": {
"nixpkgs-lib": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1680392223,
"narHash": "sha256-n3g7QFr85lDODKt250rkZj2IFS3i4/8HBU2yKHO3tqw=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "dcc36e45d054d7bb554c9cdab69093debd91a0b5",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_2": {
"inputs": { "inputs": {
"nixpkgs-lib": "nixpkgs-lib" "nixpkgs-lib": "nixpkgs-lib"
}, },
@ -298,6 +368,21 @@
"type": "github" "type": "github"
} }
}, },
"flake-utils_2": {
"locked": {
"lastModified": 1678901627,
"narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "93a2b84fc4b70d9e089d029deacc3583435c2ed6",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flakeCompat": { "flakeCompat": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -330,6 +415,28 @@
"url": "https://gitlab.haskell.org/bgamari/ghc-utils" "url": "https://gitlab.haskell.org/bgamari/ghc-utils"
} }
}, },
"gitignore": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"pre-commit-hooks-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1660459072,
"narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"gomod2nix": { "gomod2nix": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -353,11 +460,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1681746824, "lastModified": 1682203081,
"narHash": "sha256-TRe6SAYqTEyWmHwg5gpAj3arebje/OVi7z9yLqZRYqg=", "narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "ae79840bc756e97f9750fc70448ae0efc1b8dcc3", "rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -366,6 +473,33 @@
"type": "github" "type": "github"
} }
}, },
"lanzaboote": {
"inputs": {
"crane": "crane_2",
"flake-compat": "flake-compat_2",
"flake-parts": "flake-parts",
"flake-utils": "flake-utils_2",
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-test": "nixpkgs-test",
"pre-commit-hooks-nix": "pre-commit-hooks-nix",
"rust-overlay": "rust-overlay_2"
},
"locked": {
"lastModified": 1682256558,
"narHash": "sha256-H+O4yqeePiQcUGvmzXbeZB0fRX1ybAD+LVwP5w3CU/w=",
"owner": "nix-community",
"repo": "lanzaboote",
"rev": "9bf192bb79e2fbee0b9f12cd314b36d194863059",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "lanzaboote",
"type": "github"
}
},
"mach-nix": { "mach-nix": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -399,11 +533,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1681648924, "lastModified": 1682181988,
"narHash": "sha256-pzi3HISK8+7mpEtv08Yr80wswyHKsz+RP1CROG1Qf6s=", "narHash": "sha256-CYWhlNi16cjGzMby9h57gpYE59quBcsHPXiFgX4Sw5k=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "f294325aed382b66c7a188482101b0f336d1d7db", "rev": "6c43a3495a11e261e5f41e5d7eda2d71dae1b2fe",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -431,6 +565,38 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-stable": {
"locked": {
"lastModified": 1678872516,
"narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "9b8e5abb18324c7fe9f07cb100c3cd4a29cda8b8",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-22.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-test": {
"locked": {
"lastModified": 1679009563,
"narHash": "sha256-jizICiQOqUcYFNHRNNOo69bfyNo36iyuRAHem5z68LQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "371d3778c4f9cee7d5cf014e6ce400d57366570f",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "qemu-boot-disk-using-make-disk-image",
"repo": "nixpkgs",
"type": "github"
}
},
"poetry2nix": { "poetry2nix": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -475,11 +641,43 @@
"type": "github" "type": "github"
} }
}, },
"pre-commit-hooks-nix": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"gitignore": "gitignore",
"nixpkgs": [
"lanzaboote",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1680981441,
"narHash": "sha256-Tqr2mCVssUVp1ZXXMpgYs9+ZonaWrZGPGltJz94FYi4=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "2144d9ddcb550d6dce64a2b44facdc8c5ea2e28a",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"agenix": "agenix", "agenix": "agenix",
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"home-manager": "home-manager", "home-manager": "home-manager",
"lanzaboote": "lanzaboote",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"webcord": "webcord" "webcord": "webcord"
} }
@ -513,11 +711,36 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1681525152, "lastModified": 1682129965,
"narHash": "sha256-KzI+ILcmU03iFWtB+ysPqtNmp8TP8v1BBReTuPP8MJY=", "narHash": "sha256-1KRPIorEL6pLpJR04FwAqqnt4Tzcm4MqD84yhlD+XSk=",
"owner": "oxalica", "owner": "oxalica",
"repo": "rust-overlay", "repo": "rust-overlay",
"rev": "b6f8d87208336d7cb85003b2e439fc707c38f92a", "rev": "2c417c0460b788328220120c698630947547ee83",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"rust-overlay_2": {
"inputs": {
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1682129965,
"narHash": "sha256-1KRPIorEL6pLpJR04FwAqqnt4Tzcm4MqD84yhlD+XSk=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "2c417c0460b788328220120c698630947547ee83",
"type": "github" "type": "github"
}, },
"original": { "original": {

9
flake.nix
View file

@ -5,6 +5,11 @@
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
flake-utils.url = "github:numtide/flake-utils"; flake-utils.url = "github:numtide/flake-utils";
lanzaboote = {
url = "github:nix-community/lanzaboote";
inputs.nixpkgs.follows = "nixpkgs";
};
agenix = { agenix = {
url = "github:yaxitech/ragenix"; url = "github:yaxitech/ragenix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
@ -22,7 +27,8 @@
}; };
}; };
outputs = { nixpkgs, flake-utils, agenix, home-manager, webcord, ... }: outputs =
{ nixpkgs, flake-utils, lanzaboote, agenix, home-manager, webcord, ... }:
# Provide colmena # Provide colmena
(flake-utils.lib.eachDefaultSystem (system: (flake-utils.lib.eachDefaultSystem (system:
@ -54,6 +60,7 @@
./hosts/${name}/configuration.nix ./hosts/${name}/configuration.nix
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager
agenix.nixosModules.default agenix.nixosModules.default
lanzaboote.nixosModules.lanzaboote
]; ];
home-manager = { home-manager = {
useGlobalPkgs = true; useGlobalPkgs = true;

22
hosts/neodymium/configuration.nix
View file

@ -26,14 +26,28 @@
}; };
}; };
# use bootspec # This should already be here from switching to bootspec earlier.
# It's not required anymore, but also doesn't do any harm.
boot.bootspec.enable = true; boot.bootspec.enable = true;
# use systemd-boot EFI boot loader environment.systemPackages = [
boot.loader.systemd-boot.enable = true; # For debugging and troubleshooting Secure Boot.
boot.loader.efi.canTouchEfiVariables = true; pkgs.sbctl
];
# Lanzaboote currently replaces the systemd-boot module.
# This setting is usually set to true in configuration.nix
# generated at installation time. So we force it to false
# for now.
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
};
# enable NTFS disk mounting # enable NTFS disk mounting
boot.loader.efi.canTouchEfiVariables = true;
boot.supportedFilesystems = [ "ntfs" ]; boot.supportedFilesystems = [ "ntfs" ];
# clean /tmp at each boot # clean /tmp at each boot