From 83335cf7a289ae6d11aef97ae720e268ec4871b1 Mon Sep 17 00:00:00 2001 From: Charlie Root Date: Sun, 6 Apr 2025 22:09:17 +0200 Subject: [PATCH] lanzaboote: init --- flake.lock | 147 ++++++++++++++++++++++ flake.nix | 6 + modules/system/boot/lanzaboote/module.nix | 30 +++++ modules/system/os/impermanence/module.nix | 1 + 4 files changed, 184 insertions(+) create mode 100644 modules/system/boot/lanzaboote/module.nix diff --git a/flake.lock b/flake.lock index 7f15afc..a2e3009 100644 --- a/flake.lock +++ b/flake.lock 
@@ -1,5 +1,79 @@ { "nodes": { + "crane": { + "locked": { + "lastModified": 1741148495, + "narHash": "sha256-EV8KUaIZ2/CdBXlutXrHoZYbWPeB65p5kKZk71gvDRI=", + "owner": "ipetkov", + "repo": "crane", + "rev": "75390a36cd0c2cdd5f1aafd8a9f827d7107f2e53", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1733328505, + "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1740872218, + "narHash": "sha256-ZaMw0pdoUKigLpv9HiNDH2Pjnosg7NBYMJlHTIsHEUo=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "3876f6b87db82f33775b1ef5ea343986105db764", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "pre-commit-hooks-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, "impermanence": { "locked": { "lastModified": 1737831083, 
@@ -15,6 +89,31 @@ "type": "github" } }, + "lanzaboote": { + "inputs": { + "crane": "crane", + "flake-compat": "flake-compat", + "flake-parts": "flake-parts", + "nixpkgs": [ + "nixpkgs" + ], + "pre-commit-hooks-nix": "pre-commit-hooks-nix", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1741442524, + "narHash": "sha256-tVcxLDLLho8dWcO81Xj/3/ANLdVs0bGyCPyKjp70JWk=", + "owner": "nix-community", + "repo": "lanzaboote", + "rev": "d8099586d9a84308ffedac07880e7f07a0180ff4", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "lanzaboote", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1742288794, @@ -31,13 +130,61 @@ "type": "github" } }, + "pre-commit-hooks-nix": { + "inputs": { + "flake-compat": [ + "lanzaboote", + "flake-compat" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1740915799, + "narHash": "sha256-JvQvtaphZNmeeV+IpHgNdiNePsIpHD5U/7QN5AeY44A=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "42b1ba089d2034d910566bf6b40830af6b8ec732", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "root": { "inputs": { "impermanence": "impermanence", + "lanzaboote": "lanzaboote", "nixpkgs": "nixpkgs", "systems": "systems" } }, + "rust-overlay": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1741228283, + "narHash": "sha256-VzqI+k/eoijLQ5am6rDFDAtFAbw8nltXfLBC6SIEJAE=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "38e9826bc4296c9daf18bc1e6aa299f3e932a403", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "systems": { "locked": { "lastModified": 1689347949, diff --git a/flake.nix b/flake.nix index ab87d7b..03d8bb6 100644 --- a/flake.nix +++ b/flake.nix 
@@ -37,5 +37,11 @@ systems.url = "github:nix-systems/default-linux"; impermanence.url = "github:nix-community/impermanence"; + + # secure booting + lanzaboote = { + url = "github:nix-community/lanzaboote"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; } diff --git a/modules/system/boot/lanzaboote/module.nix b/modules/system/boot/lanzaboote/module.nix new file mode 100644 index 0000000..e7fd7a5 --- /dev/null +++ b/modules/system/boot/lanzaboote/module.nix @@ -0,0 +1,30 @@ +{ + config, + inputs, + lib, + pkgs, + ... +}: let + inherit (lib.modules) mkIf; +in { + imports = [ + inputs.lanzaboote.nixosModules.lanzaboote + ]; + + config = mkIf false { + boot = { + lanzaboote = { + enable = true; + pkiBundle = "/var/lib/sbctl"; + }; + + # Lanzaboote currently replaces the systemd-boot module. + # This setting is usually set to true in configuration.nix + # generated at installation time. So we force it to false + # for now. + loader.systemd-boot.enable = lib.mkForce false; + }; + + environment.systemPackages = [pkgs.sbctl]; + }; +} diff --git a/modules/system/os/impermanence/module.nix b/modules/system/os/impermanence/module.nix index acd8f4e..e5e67f4 100644 --- a/modules/system/os/impermanence/module.nix +++ b/modules/system/os/impermanence/module.nix @@ -36,6 +36,7 @@ in { "/var/lib/nixos" "/var/lib/pipewire" "/var/lib/systemd/coredump" + "/etc/secureboot" ]; users.cr = {
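Review bot: `url = "github:nix-community/lanzaboote";` follows the repository's default branch, so every `nix flake update` moves the component that signs your boot chain to whatever HEAD is at that moment with no review step in between; `flake.lock` pins `d8099586…` today, but the pin is only as deliberate as the next update. Pointing the input at a tagged release (the form `github:nix-community/lanzaboote/<release tag>` the project's README recommends) keeps upgrades of the signing toolchain an explicit decision. The `inputs` attrset this entry belongs to starts before the hunk.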
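Review bot: `pkiBundle = "/var/lib/sbctl";` does not agree with the `/etc/secureboot` directory the same commit persists in the impermanence module, so on an ephemeral root the keys lanzaboote signs each generation with would live in an unpersisted `/var/lib/sbctl` and vanish at reboot; either persist `/var/lib/sbctl` or set `pkiBundle = "/etc/secureboot";` so both sides name the same directory. Wrapping the whole `config` in `mkIf false` also drops `environment.systemPackages = [pkgs.sbctl];`, which means `sbctl create-keys` cannot be run to bootstrap the PKI before the literal `false` is flipped; hoisting that one line out of the `mkIf` and gating the rest on a proper module option would make the bootstrap order explicit. If the hard-coded `false` is intentional for now, a comment above it such as `# Nothing below is active until keys are created with sbctl and enrolled in firmware` would stop a reader of this module from assuming Secure Boot is already enforced.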
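Review bot: `"/etc/secureboot"` is added as a bare string entry, so the persisted directory gets impermanence's default ownership and mode (root-owned, world-readable 0755 if I recall correctly) even though it is meant to hold the Secure Boot private signing keys; the attrset form `{ directory = "/etc/secureboot"; mode = "0700"; user = "root"; group = "root"; }` pins it to root-only, which is what key material should get. Also worth checking that this path is the one lanzaboote actually uses — the module added in this commit sets `pkiBundle` to `/var/lib/sbctl`, so as written the keys would not land in the persisted directory. The `environment.persistence` list this line sits in begins before the hunk.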