author | Soispha <soispha@vhack.eu> | 2023-07-15 20:09:17 +0200 |
committer | Soispha <soispha@vhack.eu> | 2023-07-15 20:09:55 +0200 |
commit | 59bc28565f102c0ce17d3cf513cdab058608b0dc (patch) | |
tree | 66623f11d41a435790612a4880d5ab05dc2e9716 | |
parent | Fix(system/disks/hibernate): Try to activate it (diff) | |
download | nixos-config-59bc28565f102c0ce17d3cf513cdab058608b0dc.zip |
Feat(system/boot): Enable lanzaboote (and with it secure boot)
-rw-r--r-- | flake.lock | 155 | ||||
-rw-r--r-- | flake.nix | 11 | ||||
-rw-r--r-- | flake/default.nix | 29 | ||||
-rw-r--r-- | home-manager/config/firefox/config/extensions/extensions.json | 6 | ||||
-rw-r--r-- | hosts/apzu/hardware/gpu.nix | 7 | ||||
-rw-r--r-- | system/boot/default.nix | 21 | ||||
-rw-r--r-- | system/impermanence/default.nix | 9 |
7 files changed, 202 insertions, 36 deletions
diff --git a/flake.lock b/flake.lock
index bffca00a..877387c9 100644
--- a/flake.lock
+++ b/flake.lock
@@ -11,11 +11,11 @@
 ]
 },
 "locked": {
- "lastModified": 1684153753,
- "narHash": "sha256-PVbWt3qrjYAK+T5KplFcO+h7aZWfEj1UtyoKlvcDxh0=",
+ "lastModified": 1689334118,
+ "narHash": "sha256-djk5AZv1yU84xlKFaVHqFWvH73U7kIRstXwUAnDJPsk=",
 "owner": "ryantm",
 "repo": "agenix",
- "rev": "db5637d10f797bb251b94ef9040b237f4702cde3",
+ "rev": "0d8c5325fc81daf00532e3e26c6752f7bcde1143",
 "type": "github"
 },
 "original": {
@@ -82,11 +82,11 @@
 ]
 },
 "locked": {
- "lastModified": 1688544596,
- "narHash": "sha256-/rbDM71Qpj4gMp54r9mQ2AdD10jEMtnrQ3b2Xf+HYTU=",
+ "lastModified": 1689324677,
+ "narHash": "sha256-83DCDJwBkulQFQESe37+tG0qUb8JkQLJHJ3Qn7iGx7Q=",
 "owner": "nix-community",
 "repo": "disko",
- "rev": "fc3c3817c9f1fcd405463c6a7f0f98baab97c692",
+ "rev": "7eb09408393faa5b8f3b3524c39cb93d938e8d04",
 "type": "github"
 },
 "original": {
@@ -111,6 +111,27 @@
 "type": "github"
 }
 },
+ "flake-parts": {
+ "inputs": {
+ "nixpkgs-lib": [
+ "lanzaboote",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1683560683,
+ "narHash": "sha256-XAygPMN5Xnk/W2c1aW0jyEa6lfMDZWlQgiNtmHXytPc=",
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "rev": "006c75898cf814ef9497252b022e91c946ba8e17",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "type": "github"
+ }
+ },
 "flake-utils": {
 "inputs": {
 "systems": [
@@ -118,11 +139,11 @@
 ]
 },
 "locked": {
- "lastModified": 1687709756,
- "narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=",
+ "lastModified": 1689068808,
+ "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=",
 "owner": "numtide",
 "repo": "flake-utils",
- "rev": "dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7",
+ "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4",
 "type": "github"
 },
 "original": {
@@ -218,6 +239,28 @@
 "url": "https://codeberg.org/soispha/generate_firefox_extension.git"
 }
 },
+ "gitignore": {
+ "inputs": {
+ "nixpkgs": [
+ "lanzaboote",
+ "pre-commit-hooks-nix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1660459072,
+ "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
+ "owner": "hercules-ci",
+ "repo": "gitignore.nix",
+ "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "gitignore.nix",
+ "type": "github"
+ }
+ },
 "grades": {
 "inputs": {
 "crane": [
@@ -254,11 +297,11 @@
 ]
 },
 "locked": {
- "lastModified": 1688999869,
- "narHash": "sha256-gLD2UI6+Nb9JV5Wh4FnLHAZwLMiY11RHYBKmBZCxLXc=",
+ "lastModified": 1689432596,
+ "narHash": "sha256-Vixn4nhjeHjGG3o6hDAnSZbXsYMYA5b39+NwAbUPpi0=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "a6d1d954b81caf4c9291b8ac35452fef842f289b",
+ "rev": "346032240c15d8b6034847dc7a5f53312a5a57fc",
 "type": "github"
 },
 "original": {
@@ -283,6 +326,34 @@
 "type": "github"
 }
 },
+ "lanzaboote": {
+ "inputs": {
+ "flake-compat": [
+ "flake-compat"
+ ],
+ "flake-parts": "flake-parts",
+ "flake-utils": [
+ "flake-utils"
+ ],
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "pre-commit-hooks-nix": "pre-commit-hooks-nix"
+ },
+ "locked": {
+ "lastModified": 1687124707,
+ "narHash": "sha256-BEC2y7zwDI/Saeupr9rijLvwb0OoqTD9vntlcyciyrM=",
+ "owner": "nix-community",
+ "repo": "lanzaboote",
+ "rev": "c758cdad465e0c8174db57dc493f51a89f0e3372",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "lanzaboote",
+ "type": "github"
+ }
+ },
 "neovim_config": {
 "flake": false,
 "locked": {
@@ -337,11 +408,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1688918189,
- "narHash": "sha256-f8ZlJ67LgEUDnN7ZsAyd1/Fyby1VdOXWg4XY/irSGrQ=",
+ "lastModified": 1689282004,
+ "narHash": "sha256-VNhuyb10c9SV+3hZOlxwJwzEGytZ31gN9w4nPCnNvdI=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "408c0e8c15a1c9cf5c3226931b6f283c9867c484",
+ "rev": "e74e68449c385db82de3170288a28cd0f608544f",
 "type": "github"
 },
 "original": {
@@ -351,6 +422,53 @@
 "type": "github"
 }
 },
+ "nixpkgs-stable": {
+ "locked": {
+ "lastModified": 1678872516,
+ "narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "9b8e5abb18324c7fe9f07cb100c3cd4a29cda8b8",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-22.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "pre-commit-hooks-nix": {
+ "inputs": {
+ "flake-compat": [
+ "lanzaboote",
+ "flake-compat"
+ ],
+ "flake-utils": [
+ "lanzaboote",
+ "flake-utils"
+ ],
+ "gitignore": "gitignore",
+ "nixpkgs": [
+ "lanzaboote",
+ "nixpkgs"
+ ],
+ "nixpkgs-stable": "nixpkgs-stable"
+ },
+ "locked": {
+ "lastModified": 1684842236,
+ "narHash": "sha256-rYWsIXHvNhVQ15RQlBUv67W3YnM+Pd+DuXGMvCBq2IE=",
+ "owner": "cachix",
+ "repo": "pre-commit-hooks.nix",
+ "rev": "61e567d6497bc9556f391faebe5e410e6623217f",
+ "type": "github"
+ },
+ "original": {
+ "owner": "cachix",
+ "repo": "pre-commit-hooks.nix",
+ "type": "github"
+ }
+ },
 "ragenix": {
 "inputs": {
 "agenix": [
@@ -428,6 +546,7 @@
 "grades": "grades",
 "home-manager": "home-manager",
 "impermanence": "impermanence",
+ "lanzaboote": "lanzaboote",
 "neovim_config": "neovim_config",
 "nixos-generators": "nixos-generators",
 "nixpkgs": "nixpkgs",
@@ -456,11 +575,11 @@
 ]
 },
 "locked": {
- "lastModified": 1688956505,
- "narHash": "sha256-6sa19mHTkdOi867lIolhpiS20trMdo0unk5/37859X4=",
+ "lastModified": 1689388484,
+ "narHash": "sha256-cR8W4LZTk1SFGhDUGG4RF7qPZP7d9qFmltk7nFi7WMo=",
 "owner": "oxalica",
 "repo": "rust-overlay",
- "rev": "4acc04c26df84e0a718c3efe4e13021222d23b28",
+ "rev": "15027511818ee595ca2ae6ec4b5f8f0e96c0fe47",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index d68a4c94..6c6a1c3c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -86,6 +86,15 @@
 crane.follows = "crane";
 };
 };
+ lanzaboote = {
+ url = "github:nix-community/lanzaboote";
+
+ inputs = {
+ flake-compat.follows = "flake-compat";
+ flake-utils.follows = "flake-utils";
+ nixpkgs.follows = "nixpkgs";
+ };
+ };
 # my configs
 neovim_config = {
@@ -213,6 +222,7 @@
 ragenix,
 serverphone,
 disko,
+ lanzaboote,
 # external dependencies
 neovim_config,
 user_js,
@@ -253,6 +263,7 @@
 ragenix
 serverphone
 disko
+ lanzaboote
 # external dependencies
 neovim_config
diff --git a/flake/default.nix b/flake/default.nix
index e78b957e..45bec03b 100644
--- a/flake/default.nix
+++ b/flake/default.nix
@@ -13,6 +13,7 @@
 ragenix,
 serverphone,
 disko,
+ lanzaboote,
 # external dependencies
 neovim_config,
 user_js,
@@ -73,8 +74,9 @@
 disko.nixosModules.default
- home-manager.nixosModules.home-manager
+ lanzaboote.nixosModules.lanzaboote
+ home-manager.nixosModules.home-manager
 homeManagerConfig
 impermanence.nixosModules.impermanence
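Review bot: The new `lanzaboote` input in flake.nix only redirects `flake-compat`, `flake-utils` and `nixpkgs`, so lanzaboote's own `pre-commit-hooks-nix` input, and through it a second `nixpkgs-stable` (nixos-22.11) and `gitignore.nix`, now enter flake.lock as additional pinned sources, as the lock hunks above show. These are presumably development-only inputs of lanzaboote, so they add update and audit surface without being needed for the module; if that is the case they can be redirected with a nested follows in the same `inputs` block, e.g. `pre-commit-hooks-nix.inputs.nixpkgs-stable.follows = "nixpkgs";`, or dropped with whatever mechanism the Nix version in use supports. The `url` carries no `ref`, so reproducibility of the boot chain rests entirely on the `rev` recorded in flake.lock; a short comment saying that updates to this input should be reviewed together with the signing setup would help the next reader.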
@@ -130,17 +132,32 @@ in {
 devShells."${system}" = {
 default = pkgs.mkShell {
 packages = with pkgs; [
- alejandra
+ # secure boot
+ sbctl
+ # spells
+ ltex-ls
+
+ # other
 cocogitto
- generate_firefox_extensions.packages."${system}".default # needed for the firefox extension update script
 git-bug
- ltex-ls
+
+ # nix
+ alejandra
 nil
+ statix
+
+ # yaml
+ yamllint
+
+ # secrets
 ragenix.packages."${system}".default
+
+ # shell
 shellcheck
 shfmt
- statix
- yamllint
+
+ # update
+ generate_firefox_extensions.packages."${system}".default # needed for the firefox extension update script
 ];
 };
 };
diff --git a/home-manager/config/firefox/config/extensions/extensions.json b/home-manager/config/firefox/config/extensions/extensions.json
index 45977803..5c0992c1 100644
--- a/home-manager/config/firefox/config/extensions/extensions.json
+++ b/home-manager/config/firefox/config/extensions/extensions.json
@@ -9,9 +9,9 @@
 "keepassxc-browser": {
 "addonId": "keepassxc-browser@keepassxc.org",
 "pname": "keepassxc-browser",
- "sha256": "sha256:ce2275eb1f0a4b0ce2342204d00d62033f81f6dcb9e021cff38f51273e614f20",
- "url": "https://addons.mozilla.org/firefox/downloads/file/4094964/keepassxc_browser-1.8.6.1.xpi",
- "version": "1.8.6.1"
+ "sha256": "sha256:deb1c3c29fabe90dd811536d434d64c200caab9a9f7febc3428aa170eefec5f2",
+ "url": "https://addons.mozilla.org/firefox/downloads/file/4134768/keepassxc_browser-1.8.7.xpi",
+ "version": "1.8.7"
 },
 "libredirect": {
 "addonId": "7esoorv3@alefvanoon.anonaddy.me",
diff --git a/hosts/apzu/hardware/gpu.nix b/hosts/apzu/hardware/gpu.nix
index 180695e8..4a3805b8 100644
--- a/hosts/apzu/hardware/gpu.nix
+++ b/hosts/apzu/hardware/gpu.nix
@@ -1,9 +1,4 @@
-{
- config,
- pkgs,
- lib,
- ...
-}: {
+{pkgs, ...}: {
 # hardware.opengl.extraPackages = with pkgs; [
 # rocm-opencl-icd # open-cl
 # amdvlk # or directly through mesa
diff --git a/system/boot/default.nix b/system/boot/default.nix
index 410bf143..9606c7b3 100644
--- a/system/boot/default.nix
+++ b/system/boot/default.nix
@@ -1,4 +1,8 @@
-{pkgs, ...}: {
+{
+ pkgs,
+ lib,
+ ...
+}: {
 boot = {
 initrd = {
 #compressor = "lz4";
@@ -7,14 +11,27 @@
 };
 kernelPackages = pkgs.linuxPackages_latest;
+
+ lanzaboote = {
+ enable = true;
+ pkiBundle = "/etc/secureboot";
+ };
+
 loader = {
+ # Lanzaboote currently replaces the systemd-boot module.
+ # This setting is usually set to true in configuration.nix
+ # generated at installation time. So we force it to false
+ # for now.
+ systemd-boot.enable = lib.mkForce false;
+
 grub = {
- enable = true;
+ enable = false;
 # theme = pkgs.nixos-grub2-theme;
 splashImage = ./boot_pictures/gnu.png;
 efiSupport = true;
 device = "nodev"; # only for efi
 };
+
 efi = {
 canTouchEfiVariables = true;
 efiSysMountPoint = "/boot";
diff --git a/system/impermanence/default.nix b/system/impermanence/default.nix
index 126e9e10..8e6d81fb 100644
--- a/system/impermanence/default.nix
+++ b/system/impermanence/default.nix
@@ -5,6 +5,12 @@
 "/etc/NetworkManager" # store the networkmanager configs
 ]
 else [];
+ secureboot =
+ if config.boot.lanzaboote.enable
+ then [
+ "/etc/secureboot"
+ ]
+ else [];
 directories =
 [
 "/etc/nixos"
@@ -14,7 +20,8 @@
 #"/var/lib/nixos"
 #"/var/lib/systemd/coredump"
 ]
- ++ networkmanager;
+ ++ networkmanager
+ ++ secureboot;
 in {
 # needed for the hm impermanence config
 programs.fuse.userAllowOther = true; |
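Review bot: After `enable = false;` the rest of the `grub` block in system/boot/default.nix (`splashImage`, `efiSupport = true`, `device = "nodev"`) is dead configuration, and a reader skimming the file will still take GRUB for part of the boot chain; either delete the block or replace `enable = false;` with a comment such as `# GRUB is no longer used: lanzaboote signs and installs the boot entries itself; block kept only for a possible rollback`. The new `lanzaboote` block also gives no hint where `pkiBundle = "/etc/secureboot"` comes from; a comment along the lines of `# signing keys/certs created out-of-band with sbctl (see devShell); presumably must exist before the first rebuild with this enabled` would save the next person a failed switch. The `boot.loader` attribute set continues outside the hunk.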
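Review bot: `"/etc/secureboot"` in the new `secureboot` list in system/impermanence/default.nix is a bare string entry, so the persisted directory gets whatever ownership and mode the impermanence module defaults to, although it holds the private Secure Boot signing keys the boot chain's integrity depends on. If the impermanence version in use accepts attribute-set entries, pinning them explicitly is cheap and self-documenting: `{ directory = "/etc/secureboot"; user = "root"; group = "root"; mode = "0700"; }`. The gating on `config.boot.lanzaboote.enable` is a nice touch; a one-line comment like `# persist the lanzaboote PKI bundle, otherwise signing fails after the next boot` would explain why it is conditional. The enclosing `let` starts outside the hunk.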