author | sils <sils@sils.li> | 2023-06-30 19:35:28 +0200 |
---|---|---|
committer | sils <sils@sils.li> | 2023-06-30 19:35:28 +0200 |
commit | c13a3b624e2653d4d72c278236fd717567dbb59f (patch) | |
tree | ea0c0b0290c1209d33ec4a90d4a80c13fa25010f | |
parent | Feat(sys): Add fwupd (diff) | |
Feat(hosts/thinklappi): Enable secureboot with lanzaboote
-rw-r--r-- | flake.lock | 249 | ||||
-rw-r--r-- | flake.nix | 11 | ||||
-rw-r--r-- | hosts/thinklappi/basesystem.nix | 15 |
3 files changed, 254 insertions, 21 deletions
diff --git a/flake.lock b/flake.lock index cfda4bb..c69e519 100644 --- a/flake.lock +++ b/flake.lock @@ -31,13 +31,46 @@ }, "crane_2": { "inputs": { - "flake-compat": "flake-compat_3", - "flake-utils": "flake-utils_3", + "flake-compat": [ + "lanzaboote", + "flake-compat" + ], + "flake-utils": [ + "lanzaboote", + "flake-utils" + ], + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ], + "rust-overlay": [ + "lanzaboote", + "rust-overlay" + ] + }, + "locked": { + "lastModified": 1688082682, + "narHash": "sha256-nMG/A7qYm9pyHJowKuaNmNYgo748xZrzMJPqtoGozSA=", + "owner": "ipetkov", + "repo": "crane", + "rev": "4d350bb94fdf8ec9d2e22d68bb13e136d73aa9d8", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, + "crane_3": { + "inputs": { + "flake-compat": "flake-compat_4", + "flake-utils": "flake-utils_4", "nixpkgs": [ "yambar_memory", "nixpkgs" ], - "rust-overlay": "rust-overlay_2" + "rust-overlay": "rust-overlay_3" }, "locked": { "lastModified": 1677642623, @@ -101,8 +134,45 @@ "type": "github" } }, + "flake-compat_4": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-parts": { "inputs": { + "nixpkgs-lib": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1683560683, + "narHash": "sha256-XAygPMN5Xnk/W2c1aW0jyEa6lfMDZWlQgiNtmHXytPc=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "006c75898cf814ef9497252b022e91c946ba8e17", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { + "inputs": { "nixpkgs-lib": "nixpkgs-lib" }, "locked": { 
@@ -140,6 +210,24 @@ } }, "flake-utils_2": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1681202837, + "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "cfacdce06f30d2b68473a46042957675eebb3401", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_3": { "locked": { "lastModified": 1667395993, "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", @@ -154,7 +242,7 @@ "type": "github" } }, - "flake-utils_3": { + "flake-utils_4": { "locked": { "lastModified": 1676283394, "narHash": "sha256-XX2f9c3iySLCw54rJ/CZs+ZK6IQy7GXNY4nSOyu2QG4=", @@ -201,6 +289,28 @@ "gitignore": { "inputs": { "nixpkgs": [ + "lanzaboote", + "pre-commit-hooks-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1660459072, + "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "gitignore_2": { + "inputs": { + "nixpkgs": [ "prismlauncher", "pre-commit-hooks", "nixpkgs" 
@@ -241,6 +351,33 @@ "type": "github" } }, + "lanzaboote": { + "inputs": { + "crane": "crane_2", + "flake-compat": "flake-compat_2", + "flake-parts": "flake-parts", + "flake-utils": "flake-utils_2", + "nixpkgs": [ + "nixpkgs" + ], + "pre-commit-hooks-nix": "pre-commit-hooks-nix", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1682802423, + "narHash": "sha256-Fb5TeRTdvUlo/5Yi2d+FC8a6KoRLk2h1VE0/peMhWPs=", + "owner": "nix-community", + "repo": "lanzaboote", + "rev": "64b903ca87d18cef2752c19c098af275c6e51d63", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "v0.3.0", + "repo": "lanzaboote", + "type": "github" + } + }, "libnbtplusplus": { "flake": false, "locked": { @@ -291,6 +428,22 @@ "type": "github" } }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1678872516, + "narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "9b8e5abb18324c7fe9f07cb100c3cd4a29cda8b8", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-22.11", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs_2": { "locked": { "lastModified": 1685012353, @@ -313,8 +466,8 @@ "prismlauncher", "flake-compat" ], - "flake-utils": "flake-utils_2", - "gitignore": "gitignore", + "flake-utils": "flake-utils_3", + "gitignore": "gitignore_2", "nixpkgs": [ "prismlauncher", "nixpkgs" 
@@ -338,10 +491,41 @@ "type": "github" } }, + "pre-commit-hooks-nix": { + "inputs": { + "flake-compat": [ + "lanzaboote", + "flake-compat" + ], + "flake-utils": [ + "lanzaboote", + "flake-utils" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1684842236, + "narHash": "sha256-rYWsIXHvNhVQ15RQlBUv67W3YnM+Pd+DuXGMvCBq2IE=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "61e567d6497bc9556f391faebe5e410e6623217f", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "prismlauncher": { "inputs": { - "flake-compat": "flake-compat_2", - "flake-parts": "flake-parts", + "flake-compat": "flake-compat_3", + "flake-parts": "flake-parts_2", "libnbtplusplus": "libnbtplusplus", "nixpkgs": "nixpkgs_2", "pre-commit-hooks": "pre-commit-hooks" @@ -398,12 +582,13 @@ "flake-compat": "flake-compat", "flake-utils": "flake-utils", "home-manager": "home-manager", + "lanzaboote": "lanzaboote", "nixpkgs": "nixpkgs", "prismlauncher": "prismlauncher", "river_init_lesser": "river_init_lesser", - "rust-overlay": "rust-overlay", + "rust-overlay": "rust-overlay_2", "shell_library": "shell_library", - "systems": "systems", + "systems": "systems_2", "unstable": "unstable", "yambar_cpu": "yambar_cpu", "yambar_memory": "yambar_memory" @@ -412,6 +597,31 @@ "rust-overlay": { "inputs": { "flake-utils": [ + "lanzaboote", + "flake-utils" + ], + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1688092301, + "narHash": "sha256-NTgT955DzXWVjHsuBn1t2K0x4hUghY7uE1jG2nGL5R4=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "4c31223801dd0f28ac15d60f2e5ddbd4d51ce17a", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, + "rust-overlay_2": { + "inputs": { + "flake-utils": [ "flake-utils" ], "nixpkgs": [ 
@@ -432,7 +642,7 @@ "type": "github" } }, - "rust-overlay_2": { + "rust-overlay_3": { "inputs": { "flake-utils": [ "yambar_memory", @@ -488,6 +698,21 @@ }, "systems": { "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_2": { + "locked": { "lastModified": 1680978846, "narHash": "sha256-Gtqg8b/v49BFDpDetjclCYXm8mAnTrUzR0JnE2nv5aw=", "owner": "nix-systems", @@ -545,7 +770,7 @@ }, "yambar_memory": { "inputs": { - "crane": "crane_2", + "crane": "crane_3", "flake-utils": [ "flake-utils" ], diff --git a/flake.nix b/flake.nix index 4685562..97560f3 100644 --- a/flake.nix +++ b/flake.nix @@ -10,6 +10,10 @@ }; # inputs for following + lanzaboote = { + url = "github:nix-community/lanzaboote/v0.3.0"; + inputs.nixpkgs.follows = "nixpkgs"; + }; systems = { url = "github:nix-systems/x86_64-linux"; # only evaluate for this system }; @@ -97,18 +101,19 @@ yambar_memory, #grades, prismlauncher, + lanzaboote, ... } @ attrs: let system = "x86_64-linux"; pkgs = nixpkgs.legacyPackages."${system}"; - + sysLib = shell_library.lib.${system}; in { nixosConfigurations.thinklappi = nixpkgs.lib.nixosSystem { inherit system; specialArgs = attrs; -#nixpkgs.overlays = [ polymc.overlay ]; modules = [ + lanzaboote.nixosModules.lanzaboote ./hosts/thinklappi home-manager.nixosModules.home-manager { @@ -117,7 +122,7 @@ useUserPackages = true; users.sils = import ./users/sils; extraSpecialArgs = {inherit pkgs system sysLib river_init_lesser yambar_cpu yambar_memory prismlauncher;}; - }; + }; } ]; }; diff --git a/hosts/thinklappi/basesystem.nix b/hosts/thinklappi/basesystem.nix index e5bc5ba..35fd908 100644 --- a/hosts/thinklappi/basesystem.nix +++ b/hosts/thinklappi/basesystem.nix 
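Review bot: The added line `sysLib = shell_library.lib.${system};` in the second flake.nix hunk interpolates `system` bare while the line directly above it writes `nixpkgs.legacyPackages."${system}"`; both forms are valid Nix, but two adjacent bindings should pick one, e.g. `sysLib = shell_library.lib."${system}";`. The new `lanzaboote` input is pinned to the tag ref `v0.3.0` rather than a commit, so it is held at a fixed rev only by the flake.lock entry committed in this change; that is fine as long as the lock is not regenerated without review. The `let` block and the outputs function enclosing this hunk start and end outside it.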
@@ -18,12 +18,10 @@
 kernelModules = ["kvm-intel"];
 extraModulePackages = [];
 kernelPackages = pkgs.linuxPackages_latest;
- loader = {
- systemd-boot = {
- enable = true;
- configurationLimit = 3;
- };
- efi.canTouchEfiVariables = true;
+ lanzaboote = {
+ enable = true;
+ configurationLimit = 3;
+ pkiBundle = "/etc/secureboot";
 };
 };
@@ -43,6 +41,11 @@
 fsType = "btrfs";
 options = ["subvol=networkmanagerconfig" "compress-force=zstd"];
 };
+ "/etc/secureboot" = {
+ device = "/dev/disk/by-label/nixos-root";
+ fsType = "btrfs";
+ options = ["subvol=secureboot" "compress-force=zstd"];
+ };
 "/etc/nixos" = {
 device = "/dev/disk/by-label/nixos-root";
 fsType = "btrfs";
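Review bot: `pkiBundle = "/etc/secureboot";` points lanzaboote at the directory holding the Secure Boot signing keys, and the second hunk mounts that path from a plain btrfs subvolume (`subvol=secureboot`) on the same `nixos-root` label as the other mounts, with nothing in the hunk indicating the volume is encrypted or the mount restricted to root. The private key in that bundle is what makes the signed boot chain trustworthy, so I would add a comment at the new mount such as `# Secure Boot signing keys: keep root-only (0700) and on encrypted storage` and confirm the directory is populated before the first rebuild, since the bootloader install step otherwise has nothing to sign with. The removed `efi.canTouchEfiVariables = true;` has no replacement; I have not verified whether the lanzaboote module sets it itself, so confirm the boot entry can still be written to EFI variables. The hunk sits inside the `boot` attribute set, whose opening and closing are outside it.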