faukah/nichts
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

lanzaboote: init

Browse source
This commit is contained in:
Charlie Root 2025-04-06 22:09:17 +02:00
commit 83335cf7a2
Signed by: faukah
SSH key fingerprint: SHA256:Uj2AXqvtdCA4hn5Hq0ZonhIAyUqI1q4w2sMG3Z1TH7E
4 changed files with 184 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

147
flake.lock generated
View file

@ -1,5 +1,79 @@
{ {
"nodes": { "nodes": {
"crane": {
"locked": {
"lastModified": 1741148495,
"narHash": "sha256-EV8KUaIZ2/CdBXlutXrHoZYbWPeB65p5kKZk71gvDRI=",
"owner": "ipetkov",
"repo": "crane",
"rev": "75390a36cd0c2cdd5f1aafd8a9f827d7107f2e53",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1733328505,
"narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1740872218,
"narHash": "sha256-ZaMw0pdoUKigLpv9HiNDH2Pjnosg7NBYMJlHTIsHEUo=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "3876f6b87db82f33775b1ef5ea343986105db764",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"pre-commit-hooks-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"impermanence": { "impermanence": {
"locked": { "locked": {
"lastModified": 1737831083, "lastModified": 1737831083,
@ -15,6 +89,31 @@
"type": "github" "type": "github"
} }
}, },
"lanzaboote": {
"inputs": {
"crane": "crane",
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
"nixpkgs": [
"nixpkgs"
],
"pre-commit-hooks-nix": "pre-commit-hooks-nix",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1741442524,
"narHash": "sha256-tVcxLDLLho8dWcO81Xj/3/ANLdVs0bGyCPyKjp70JWk=",
"owner": "nix-community",
"repo": "lanzaboote",
"rev": "d8099586d9a84308ffedac07880e7f07a0180ff4",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "lanzaboote",
"type": "github"
}
},
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1742288794, "lastModified": 1742288794,
@ -31,13 +130,61 @@
"type": "github" "type": "github"
} }
}, },
"pre-commit-hooks-nix": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"gitignore": "gitignore",
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1740915799,
"narHash": "sha256-JvQvtaphZNmeeV+IpHgNdiNePsIpHD5U/7QN5AeY44A=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "42b1ba089d2034d910566bf6b40830af6b8ec732",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"impermanence": "impermanence", "impermanence": "impermanence",
"lanzaboote": "lanzaboote",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"systems": "systems" "systems": "systems"
} }
}, },
"rust-overlay": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1741228283,
"narHash": "sha256-VzqI+k/eoijLQ5am6rDFDAtFAbw8nltXfLBC6SIEJAE=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "38e9826bc4296c9daf18bc1e6aa299f3e932a403",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"systems": { "systems": {
"locked": { "locked": {
"lastModified": 1689347949, "lastModified": 1689347949,

6
flake.nix
View file

@ -37,5 +37,11 @@
systems.url = "github:nix-systems/default-linux"; systems.url = "github:nix-systems/default-linux";
impermanence.url = "github:nix-community/impermanence"; impermanence.url = "github:nix-community/impermanence";
# secure booting
lanzaboote = {
url = "github:nix-community/lanzaboote";
inputs.nixpkgs.follows = "nixpkgs";
};
}; };
} }

30
modules/system/boot/lanzaboote/module.nix Normal file
View file

@ -0,0 +1,30 @@
{
config,
inputs,
lib,
pkgs,
...
}: let
inherit (lib.modules) mkIf;
in {
imports = [
inputs.lanzaboote.nixosModules.lanzaboote
];
config = mkIf false {
boot = {
lanzaboote = {
enable = true;
pkiBundle = "/var/lib/sbctl";
};
# Lanzaboote currently replaces the systemd-boot module.
# This setting is usually set to true in configuration.nix
# generated at installation time. So we force it to false
# for now.
loader.systemd-boot.enable = lib.mkForce false;
};
environment.systemPackages = [pkgs.sbctl];
};
}

1
modules/system/os/impermanence/module.nix
View file

@ -36,6 +36,7 @@ in {
"/var/lib/nixos" "/var/lib/nixos"
"/var/lib/pipewire" "/var/lib/pipewire"
"/var/lib/systemd/coredump" "/var/lib/systemd/coredump"
"/etc/secureboot"
]; ];
users.cr = { users.cr = {