From cd0e067dad413e846b7bf1043a942d59a742b3a1 Mon Sep 17 00:00:00 2001 From: Callum Leslie Date: Thu, 12 Sep 2024 17:11:34 +0100 Subject: [PATCH] secure boot --- flake.lock | 273 ++++++++++++++++++++--- flake.nix | 11 +- hosts/artemis/configuration.nix | 1 + hosts/artemis/hardware-configuration.nix | 6 + 4 files changed, 256 insertions(+), 35 deletions(-) diff --git a/flake.lock b/flake.lock index da43051..f967239 100644 --- a/flake.lock +++ b/flake.lock @@ -184,6 +184,27 @@ } }, "crane": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1717535930, + "narHash": "sha256-1hZ/txnbd/RmiBPNUs7i8UQw2N89uAK3UzrGAWdnFfU=", + "owner": "ipetkov", + "repo": "crane", + "rev": "55e7754ec31dac78980c8be45f8a28e80e370946", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, + "crane_2": { "locked": { "lastModified": 1725409566, "narHash": "sha256-PrtLmqhM6UtJP7v7IGyzjBFhbG4eOAHT6LPYOFmYfbk=", @@ -198,7 +219,7 @@ "type": "github" } }, - "crane_2": { + "crane_3": { "inputs": { "nixpkgs": [ "omnix", @@ -371,6 +392,22 @@ } }, "flake-compat_4": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_5": { "locked": { "lastModified": 1696426674, "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", @@ -384,7 +421,7 @@ "url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz" } }, - "flake-compat_5": { + "flake-compat_6": { "flake": false, "locked": { "lastModified": 1688025799, @@ -400,7 +437,7 @@ "type": "github" } }, - "flake-compat_6": { + "flake-compat_7": { "flake": false, "locked": { "lastModified": 1673956053, 
@@ -416,7 +453,7 @@ "type": "github" } }, - "flake-compat_7": { + "flake-compat_8": { "flake": false, "locked": { "lastModified": 1673956053, @@ -453,6 +490,27 @@ } }, "flake-parts_2": { + "inputs": { + "nixpkgs-lib": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1717285511, + "narHash": "sha256-iKzJcpdXih14qYVcZ9QC9XuZYnPc6T8YImb6dX166kw=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "2a55567fcf15b1b1c7ed712a2c6fadaec7412ea8", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_3": { "inputs": { "nixpkgs-lib": "nixpkgs-lib" }, @@ -470,7 +528,7 @@ "type": "github" } }, - "flake-parts_3": { + "flake-parts_4": { "inputs": { "nixpkgs-lib": [ "nixvim", @@ -492,7 +550,7 @@ "type": "github" } }, - "flake-parts_4": { + "flake-parts_5": { "inputs": { "nixpkgs-lib": [ "nixvim", @@ -514,7 +572,7 @@ "type": "indirect" } }, - "flake-parts_5": { + "flake-parts_6": { "inputs": { "nixpkgs-lib": "nixpkgs-lib_2" }, @@ -596,6 +654,24 @@ } }, "flake-utils_3": { + "inputs": { + "systems": "systems_3" + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_4": { "locked": { "lastModified": 1667395993, "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", @@ -610,7 +686,7 @@ "type": "github" } }, - "flake-utils_4": { + "flake-utils_5": { "inputs": { "systems": [ "stylix", @@ -649,8 +725,8 @@ }, "git-hooks": { "inputs": { - "flake-compat": "flake-compat_3", - "gitignore": "gitignore", + "flake-compat": "flake-compat_4", + "gitignore": "gitignore_2", "nixpkgs": [ "nixvim", "neovim-nightly-overlay", 
@@ -683,7 +759,7 @@ "nixvim", "flake-compat" ], - "gitignore": "gitignore_2", + "gitignore": "gitignore_3", "nixpkgs": [ "nixvim", "nixvim", @@ -710,6 +786,28 @@ } }, "gitignore": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "pre-commit-hooks-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "gitignore_2": { "inputs": { "nixpkgs": [ "nixvim", @@ -732,7 +830,7 @@ "type": "github" } }, - "gitignore_2": { + "gitignore_3": { "inputs": { "nixpkgs": [ "nixvim", @@ -755,7 +853,7 @@ "type": "github" } }, - "gitignore_3": { + "gitignore_4": { "inputs": { "nixpkgs": [ "pre-commit-hooks", @@ -795,7 +893,7 @@ }, "hercules-ci-effects": { "inputs": { - "flake-parts": "flake-parts_4", + "flake-parts": "flake-parts_5", "nixpkgs": [ "nixvim", "neovim-nightly-overlay", @@ -880,6 +978,33 @@ "type": "github" } }, + "lanzaboote": { + "inputs": { + "crane": "crane", + "flake-compat": "flake-compat_2", + "flake-parts": "flake-parts_2", + "flake-utils": "flake-utils_2", + "nixpkgs": [ + "nixpkgs" + ], + "pre-commit-hooks-nix": "pre-commit-hooks-nix", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1718178907, + "narHash": "sha256-eSZyrQ9uoPB9iPQ8Y5H7gAmAgAvCw3InStmU3oEjqsE=", + "owner": "nix-community", + "repo": "lanzaboote", + "rev": "b627ccd97d0159214cee5c7db1412b75e4be6086", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "v0.4.1", + "repo": "lanzaboote", + "type": "github" + } + }, "libgit2": { "flake": false, "locked": { 
@@ -898,8 +1023,8 @@ }, "neovim-nightly-overlay": { "inputs": { - "flake-compat": "flake-compat_2", - "flake-parts": "flake-parts_3", + "flake-compat": "flake-compat_3", + "flake-parts": "flake-parts_4", "git-hooks": "git-hooks", "hercules-ci-effects": "hercules-ci-effects", "neovim-src": "neovim-src", @@ -938,7 +1063,7 @@ "nish": { "inputs": { "advisory-db": "advisory-db", - "crane": "crane", + "crane": "crane_2", "fenix": "fenix", "flake-parts": [ "flake-parts" @@ -972,7 +1097,7 @@ }, "nix": { "inputs": { - "flake-compat": "flake-compat_6", + "flake-compat": "flake-compat_7", "flake-parts": [ "omnix", "flake-parts" @@ -1136,6 +1261,22 @@ } }, "nixpkgs-stable": { + "locked": { + "lastModified": 1710695816, + "narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "614b4613980a522ba49f0d194531beddbb7220d3", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable_2": { "locked": { "lastModified": 1720386169, "narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=", @@ -1201,7 +1342,7 @@ }, "nixvim": { "inputs": { - "flake-parts": "flake-parts_2", + "flake-parts": "flake-parts_3", "neovim-nightly-overlay": "neovim-nightly-overlay", "nixpkgs": [ "unstable" @@ -1225,7 +1366,7 @@ "nixvim_2": { "inputs": { "devshell": "devshell", - "flake-compat": "flake-compat_4", + "flake-compat": "flake-compat_5", "flake-parts": [ "nixvim", "flake-parts" @@ -1286,7 +1427,7 @@ }, "nuschtosSearch": { "inputs": { - "flake-utils": "flake-utils_2", + "flake-utils": "flake-utils_3", "nixpkgs": [ "nixvim", "nixvim", @@ -1350,7 +1491,7 @@ "omnix", "nix" ], - "flake-utils": "flake-utils_3", + "flake-utils": "flake-utils_4", "gitignore": [ "omnix", "nix" 
@@ -1380,16 +1521,43 @@ "type": "github" } }, + "pre-commit-hooks-nix": { + "inputs": { + "flake-compat": [ + "lanzaboote", + "flake-compat" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1717664902, + "narHash": "sha256-7XfBuLULizXjXfBYy/VV+SpYMHreNRHk9nKMsm1bgb4=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "cc4d466cb1254af050ff7bdf47f6d404a7c646d1", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "pre-commit-hooks_2": { "inputs": { "flake-compat": [ "flake-compat" ], - "gitignore": "gitignore_3", + "gitignore": "gitignore_4", "nixpkgs": [ "nixpkgs" ], - "nixpkgs-stable": "nixpkgs-stable" + "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { "lastModified": 1725513492, @@ -1429,6 +1597,7 @@ "flake-compat": "flake-compat", "flake-parts": "flake-parts", "home-manager": "home-manager_2", + "lanzaboote": "lanzaboote", "nish": "nish", "nixinate": "nixinate", "nixpkgs": "nixpkgs", @@ -1437,7 +1606,7 @@ "omnix": "omnix", "pre-commit-hooks": "pre-commit-hooks_2", "stylix": "stylix", - "systems": "systems_4", + "systems": "systems_5", "treefmt-nix": "treefmt-nix_3", "unstable": "unstable" } @@ -1461,12 +1630,12 @@ }, "rust-flake": { "inputs": { - "crane": "crane_2", + "crane": "crane_3", "nixpkgs": [ "omnix", "nixpkgs" ], - "rust-overlay": "rust-overlay" + "rust-overlay": "rust-overlay_2" }, "locked": { "lastModified": 1725522236, 
@@ -1484,6 +1653,31 @@ } }, "rust-overlay": { + "inputs": { + "flake-utils": [ + "lanzaboote", + "flake-utils" + ], + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1717813066, + "narHash": "sha256-wqbRwq3i7g5EHIui0bIi84mdqZ/It1AXBSLJ5tafD28=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "6dc3e45fe4aee36efeed24d64fc68b1f989d5465", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, + "rust-overlay_2": { "flake": false, "locked": { "lastModified": 1725243956, @@ -1501,8 +1695,8 @@ }, "sbomnix": { "inputs": { - "flake-compat": "flake-compat_5", - "flake-parts": "flake-parts_5", + "flake-compat": "flake-compat_6", + "flake-parts": "flake-parts_6", "flake-root": "flake-root", "nix-visualize": "nix-visualize", "nixpkgs": "nixpkgs_3", @@ -1532,8 +1726,8 @@ "base16-kitty": "base16-kitty", "base16-tmux": "base16-tmux", "base16-vim": "base16-vim", - "flake-compat": "flake-compat_7", - "flake-utils": "flake-utils_4", + "flake-compat": "flake-compat_8", + "flake-utils": "flake-utils_5", "gnome-shell": "gnome-shell", "home-manager": [ "home-manager" @@ -1541,7 +1735,7 @@ "nixpkgs": [ "unstable" ], - "systems": "systems_3" + "systems": "systems_4" }, "locked": { "lastModified": 1725290973, @@ -1617,6 +1811,21 @@ "type": "github" } }, + "systems_5": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "treefmt-nix": { "inputs": { "nixpkgs": [ diff --git a/flake.nix b/flake.nix index 1064831..4813367 100644 --- a/flake.nix +++ b/flake.nix @@ -20,8 +20,8 @@ nixpkgs.config.allowUnfree = true; nixpkgs.overlays = [self.overlays.default]; } - mod ] + ++ mod ++ mods.sharedModules; }; in 
@@ -38,8 +38,8 @@ inherit (mods) homeManagerModules nixosModules; # TODO: use ./hosts/ nixosConfigurations = { - artemis = mkLinuxSystem ./hosts/artemis; - hermes = mkLinuxSystem ./hosts/hermes; + artemis = mkLinuxSystem [./hosts/artemis inputs.lanzaboote.nixosModules.lanzaboote]; + hermes = mkLinuxSystem [./hosts/hermes]; }; diskoConfigurations = {}; # maybe? om.health.default = {nix-version.min-required = "2.18.5";}; @@ -160,6 +160,11 @@ treefmt-nix.url = "github:numtide/treefmt-nix"; treefmt-nix.inputs.nixpkgs.follows = "nixpkgs"; + lanzaboote = { + url = "github:nix-community/lanzaboote/v0.4.1"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + # my custom programs nish = { url = "github:callumio/nish"; diff --git a/hosts/artemis/configuration.nix b/hosts/artemis/configuration.nix index 13ce697..e2e7c38 100644 --- a/hosts/artemis/configuration.nix +++ b/hosts/artemis/configuration.nix @@ -37,6 +37,7 @@ killall gcc pkg-config + sbctl nish nsbm ]; diff --git a/hosts/artemis/hardware-configuration.nix b/hosts/artemis/hardware-configuration.nix index ea07f90..3263411 100644 --- a/hosts/artemis/hardware-configuration.nix +++ b/hosts/artemis/hardware-configuration.nix @@ -13,6 +13,12 @@ kernelModules = ["kvm-intel"]; extraModulePackages = []; #kernelPackages = pkgs.linuxPackages_latest; + + loader.systemd-boot.enable = lib.mkForce false; + lanzaboote = { + enable = true; + pkiBundle = "/etc/secureboot"; + }; }; hardware = { bluetooth = {
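Review bot: The new `lanzaboote` input only sets `inputs.nixpkgs.follows`, so its remaining inputs are locked independently — the `flake.lock` hunks show a second `crane`, a `flake-parts_2`, a `rust-overlay` and a `nixpkgs-stable` on `nixos-23.11` arriving through `pre-commit-hooks-nix`. Those extras are lanzaboote's own dev tooling and do not end up in the artemis closure, but they widen what `nix flake update` fetches and what a supply-chain review has to look at. If you want to dedupe against the root inputs already present, `inputs.flake-parts.follows = "flake-parts";` and `inputs.flake-compat.follows = "flake-compat";` are low-risk; overriding `crane`/`rust-overlay`/`pre-commit-hooks-nix` is more likely to break lanzaboote's Rust build, so verify with a `nix build` first. Pinning the `v0.4.1` tag together with the locked `rev`/`narHash` is the right shape: the tag is mutable, the lock entry is not.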
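Review bot: `sbctl` is added to `environment.systemPackages` without any note tying it to the `boot.lanzaboote.pkiBundle = "/etc/secureboot"` set in the same commit, and the two must agree: lanzaboote signs with the key material under `pkiBundle`, while `sbctl` manages whatever directory it was built to default to — newer `sbctl` releases default to `/var/lib/sbctl`, and I cannot tell from this diff which version nixpkgs supplies. Confirm where `sbctl create-keys` actually wrote the `db` key before the first `nixos-rebuild` with lanzaboote enabled. The enclosing package list starts and ends outside the hunk. A one-line comment would save the next reader the lookup: `sbctl # Secure Boot key management; key dir must match boot.lanzaboote.pkiBundle`.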
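Review bot: `pkiBundle = "/etc/secureboot"` names a directory holding the private Secure Boot signing keys, and the hunk documents none of the preconditions: the keys must already exist there (created with `sbctl create-keys`, otherwise the bootloader install step during rebuild fails as far as I recall), the directory must stay root-only and must never be copied into the repo or the Nix store, and the public halves must be enrolled in firmware (`sbctl enroll-keys`) before anything is actually enforced — a signed UKI with the firmware still in setup mode buys nothing. Placement is also a concern: `hardware-configuration.nix` is the file `nixos-generate-config` regenerates, so a regeneration silently drops `loader.systemd-boot.enable = lib.mkForce false;` and the `lanzaboote` block and reverts to unsigned systemd-boot; moving both into `configuration.nix` avoids that (the module header is outside the hunk, so I am assuming `lib` is in its argument set). Secure Boot only authenticates what the firmware loads; it does not make the disk confidential or stop other signed media from booting, so pair it with disk encryption if physical access is in the threat model. Suggested comment above the block: `# Secure Boot via lanzaboote: the UKI is signed with the private db key under pkiBundle; keys are created/enrolled with sbctl and must not be committed.`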