0xa/nix-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

first stab at secure boot

Browse source
This commit is contained in:
Grigory Shipunov 2023-04-23 01:03:53 +02:00
parent ad9ced3250
commit 7e815dd5d0
Signed by: 0xa
GPG key ID: 91FA5E5BF9AA901C
4 changed files with 263 additions and 20 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

263
flake.lock generated
View file

@ -1,5 +1,38 @@
{ {
"nodes": { "nodes": {
"crane": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"nixpkgs": [
"lanzaboote",
"nixpkgs"
],
"rust-overlay": [
"lanzaboote",
"rust-overlay"
]
},
"locked": {
"lastModified": 1680584903,
"narHash": "sha256-uraq+D3jcLzw/UVk0xMHcnfILfIMa0DLrtAEq2nNlxU=",
"owner": "ipetkov",
"repo": "crane",
"rev": "65d3f6a3970cd46bef5eedfd458300f72c56b3c5",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"fenix": { "fenix": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -8,11 +41,11 @@
"rust-analyzer-src": "rust-analyzer-src" "rust-analyzer-src": "rust-analyzer-src"
}, },
"locked": { "locked": {
"lastModified": 1682144464, "lastModified": 1682230876,
"narHash": "sha256-HlVJU4p1OED3HJNOoXrxR6qabKWMtGq0wbYhroumuVc=", "narHash": "sha256-vCnd1pZRQKCdNvivQBD7WzaOlU1GcN91OCAz1rnoe5M=",
"owner": "nix-community", "owner": "nix-community",
"repo": "fenix", "repo": "fenix",
"rev": "6424d70f13761c203dada9de6ce417fc9f22712d", "rev": "378f052d9f1cd90060ec4329f81782fee80490a4",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -21,6 +54,43 @@
"type": "github" "type": "github"
} }
}, },
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1680392223,
"narHash": "sha256-n3g7QFr85lDODKt250rkZj2IFS3i4/8HBU2yKHO3tqw=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "dcc36e45d054d7bb554c9cdab69093debd91a0b5",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-utils": { "flake-utils": {
"inputs": { "inputs": {
"systems": "systems" "systems": "systems"
@ -54,9 +124,73 @@
"type": "github" "type": "github"
} }
}, },
"flake-utils_3": {
"locked": {
"lastModified": 1678901627,
"narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "93a2b84fc4b70d9e089d029deacc3583435c2ed6",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"pre-commit-hooks-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1660459072,
"narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"lanzaboote": {
"inputs": {
"crane": "crane",
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
"flake-utils": "flake-utils_2",
"nixpkgs": [
"nixpkgs-unstable"
],
"nixpkgs-test": "nixpkgs-test",
"pre-commit-hooks-nix": "pre-commit-hooks-nix",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1682256558,
"narHash": "sha256-H+O4yqeePiQcUGvmzXbeZB0fRX1ybAD+LVwP5w3CU/w=",
"owner": "nix-community",
"repo": "lanzaboote",
"rev": "9bf192bb79e2fbee0b9f12cd314b36d194863059",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "lanzaboote",
"type": "github"
}
},
"microvm": { "microvm": {
"inputs": { "inputs": {
"flake-utils": "flake-utils_2", "flake-utils": "flake-utils_3",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
] ]
@ -77,11 +211,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1681932375, "lastModified": 1682173319,
"narHash": "sha256-tSXbYmpnKSSWpzOrs27ie8X3I0yqKA6AuCzCYNtwbCU=", "narHash": "sha256-tPhOpJJ+wrWIusvGgIB2+x6ILfDkEgQMX0BTtM5vd/4=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "3d302c67ab8647327dba84fbdb443cdbf0e82744", "rev": "ee7ec1c71adc47d2e3c2d5eb0d6b8fbbd42a8d1c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -93,11 +227,27 @@
}, },
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1681613598, "lastModified": 1678872516,
"narHash": "sha256-Ogkoma0ytYcDoMR2N7CZFABPo+i0NNo26dPngru9tPc=", "narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "1040ce5f652b586da95dfd80d48a745e107b9eac", "rev": "9b8e5abb18324c7fe9f07cb100c3cd4a29cda8b8",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-22.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable_2": {
"locked": {
"lastModified": 1682173319,
"narHash": "sha256-tPhOpJJ+wrWIusvGgIB2+x6ILfDkEgQMX0BTtM5vd/4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "ee7ec1c71adc47d2e3c2d5eb0d6b8fbbd42a8d1c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -107,13 +257,29 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-test": {
"locked": {
"lastModified": 1679009563,
"narHash": "sha256-jizICiQOqUcYFNHRNNOo69bfyNo36iyuRAHem5z68LQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "371d3778c4f9cee7d5cf014e6ce400d57366570f",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "qemu-boot-disk-using-make-disk-image",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1681920287, "lastModified": 1682181988,
"narHash": "sha256-+/d6XQQfhhXVfqfLROJoqj3TuG38CAeoT6jO1g9r1k0=", "narHash": "sha256-CYWhlNi16cjGzMby9h57gpYE59quBcsHPXiFgX4Sw5k=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "645bc49f34fa8eff95479f0345ff57e55b53437e", "rev": "6c43a3495a11e261e5f41e5d7eda2d71dae1b2fe",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -123,10 +289,42 @@
"type": "github" "type": "github"
} }
}, },
"pre-commit-hooks-nix": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"gitignore": "gitignore",
"nixpkgs": [
"lanzaboote",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1680981441,
"narHash": "sha256-Tqr2mCVssUVp1ZXXMpgYs9+ZonaWrZGPGltJz94FYi4=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "2144d9ddcb550d6dce64a2b44facdc8c5ea2e28a",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"fenix": "fenix", "fenix": "fenix",
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"lanzaboote": "lanzaboote",
"microvm": "microvm", "microvm": "microvm",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable", "nixpkgs-unstable": "nixpkgs-unstable",
@ -137,11 +335,11 @@
"rust-analyzer-src": { "rust-analyzer-src": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1682101542, "lastModified": 1682163822,
"narHash": "sha256-CHSbpvLZf0joKD1cU+Hg02uIYvV3xkvwcx+0oBWL0CQ=", "narHash": "sha256-u7vaRlI6rYiutytoTk8lyOtNKO/rz5Q63Z6S6QzYCtU=",
"owner": "rust-lang", "owner": "rust-lang",
"repo": "rust-analyzer", "repo": "rust-analyzer",
"rev": "af3b6a0893cc3a05b5ddc1e9d31b2c454b480426", "rev": "2feabc4dc462644287372922928110eea4c60ca7",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -151,19 +349,44 @@
"type": "github" "type": "github"
} }
}, },
"rust-overlay": {
"inputs": {
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1682129965,
"narHash": "sha256-1KRPIorEL6pLpJR04FwAqqnt4Tzcm4MqD84yhlD+XSk=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "2c417c0460b788328220120c698630947547ee83",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"sops-nix": { "sops-nix": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
"nixpkgs-stable": "nixpkgs-stable" "nixpkgs-stable": "nixpkgs-stable_2"
}, },
"locked": { "locked": {
"lastModified": 1681821695, "lastModified": 1682218555,
"narHash": "sha256-uwyBGo/9IALi97AfMuzkJroQQhV6hkybaZVdw6pRNG4=", "narHash": "sha256-kojMklCNBnPe8KtRvJvBtFGU/gPAqRKYpZEqyehHfn4=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "5698b06b0731a2c15ff8c2351644427f8ad33993", "rev": "8a95e6f8cd160a05c2b560e66f702432a53b59ac",
"type": "github" "type": "github"
}, },
"original": { "original": {

7
flake.nix
View file

@ -25,12 +25,18 @@
url = "github:tmux-plugins/tmux-yank"; url = "github:tmux-plugins/tmux-yank";
flake = false; flake = false;
}; };
lanzaboote = {
url = "github:nix-community/lanzaboote";
inputs.nixpkgs.follows = "nixpkgs-unstable";
};
}; };
outputs = outputs =
inputs@{ self inputs@{ self
, fenix , fenix
, flake-utils , flake-utils
, lanzaboote
, microvm , microvm
, nixpkgs , nixpkgs
, nixpkgs-unstable , nixpkgs-unstable
@ -60,6 +66,7 @@
specialArgs = { inherit inputs; }; specialArgs = { inherit inputs; };
modules = [ modules = [
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
lanzaboote.nixosModules.lanzaboote
./hosts/toaster ./hosts/toaster

1
hosts/toaster/default.nix
View file

@ -6,6 +6,7 @@
./network-vpns.nix ./network-vpns.nix
./network.nix ./network.nix
./secrets.nix ./secrets.nix
./secure-boot.nix
./zfs.nix ./zfs.nix
]; ];

12
hosts/toaster/secure-boot.nix Normal file
View file

@ -0,0 +1,12 @@
{ pkgs, lib, ... }: {
boot = {
bootspec.enable = true;
loader.systemd-boot.enable = lib.mkForce false;
lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
};
};
environment.systemPackages = [ pkgs.sbctl ];
}