From 93f2da8b1fe77a069f0d5950ff4d932d7560fcf9 Mon Sep 17 00:00:00 2001
From: coolneng
Date: Mon, 8 Jan 2024 03:06:19 +0100
Subject: [PATCH] Set up Secure Boot

---
 configuration.nix | 16 ++-
 flake.lock | 229 ++++++++++++++++++++++++++++++++++++++-
 flake.nix | 9 +-
 secrets/soundcloud_token | Bin 56 -> 56 bytes
 4 files changed, 241 insertions(+), 13 deletions(-)

diff --git a/configuration.nix b/configuration.nix
index 83c5d73..9e49742 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -19,16 +19,20 @@ with pkgs;
 # Device firmware updates
 services.fwupd.enable = true;
 
- # Bootloader configuration
+ # Secure boot using lanzaboote
 boot.loader = {
 efi.canTouchEfiVariables = true;
 systemd-boot = {
- enable = true;
+ enable = false;
 configurationLimit = 50;
 editor = false;
 };
 timeout = 3;
 };
+ boot.lanzaboote = {
+ enable = true;
+ pkiBundle = "/etc/secureboot";
+ };
 
 # Run Nix garbage collector and enable flakes
 nix = {
@@ -102,13 +106,7 @@ with pkgs;
 enable = true;
 dates = "22:30";
 flake = "/home/coolneng/Projects/panacea";
- flags = [
- "--update-input"
- "agenix"
- "--update-input"
- "nixpkgs"
- "--commit-lock-file"
- ];
+ flags = [ "update" "--commit-lock-file" ];
 };
 
 # Add required dependencies to the auto-upgrade service
diff --git a/flake.lock b/flake.lock
index 242b861..78bbf8b 100644
--- a/flake.lock
+++ b/flake.lock
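Review bot: The signing material behind `pkiBundle = "/etc/secureboot";` is neither created nor protected by this commit, so the switch presumes an out-of-band `sbctl create-keys` and leaves the private db key sitting in plaintext on the root filesystem, where anyone who can mount the disk (or any root process) can sign arbitrary EFI binaries; unless root is encrypted, that undercuts most of what Secure Boot buys. Nothing here enrolls the keys in firmware either, so until that is done separately the images are signed but not enforced — verify with `bootctl status` after the first boot. With `systemd-boot.enable = false`, the `configurationLimit = 50` and `editor = false` lines now sit under a disabled loader; as far as I can tell lanzaboote exposes its own `boot.lanzaboote.configurationLimit`, so confirm these are still honoured or move them. I would put a comment above `boot.lanzaboote = {` along the lines of `# keys created once via sbctl create-keys; the private key lives unencrypted under /etc/secureboot, so this relies on the root FS being encrypted`.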
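Review bot: `flags = [ "update" "--commit-lock-file" ];` hands a bare `update` to nixos-rebuild, which as far as I can tell it rejects as an unknown option (its flags are all `--`-prefixed, and `update` is a `nix flake` subcommand), so the 22:30 auto-upgrade unit would exit non-zero and the host would quietly stop receiving updates. If the goal was to move off `--update-input`, either keep `"--update-input" "agenix" "--update-input" "nixpkgs"` or run `nix flake update --commit-lock-file` as a separate step before the rebuild, and check `journalctl -u nixos-upgrade` after the first scheduled run. Note that the removed flags only refreshed `agenix` and `nixpkgs`, whereas a full flake update would move every unpinned input unattended, which widens what a nightly run can pull in.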
@@ -23,6 +23,39 @@ "type": "github" } }, + "crane": { + "inputs": { + "flake-compat": [ + "lanzaboote", + "flake-compat" + ], + "flake-utils": [ + "lanzaboote", + "flake-utils" + ], + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ], + "rust-overlay": [ + "lanzaboote", + "rust-overlay" + ] + }, + "locked": { + "lastModified": 1681177078, + "narHash": "sha256-ZNIjBDou2GOabcpctiQykEQVkI8BDwk7TyvlWlI4myE=", + "owner": "ipetkov", + "repo": "crane", + "rev": "0c9f468ff00576577d83f5019a66c557ede5acf6", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, "cyrus-sasl-xoauth2": { "flake": false, "locked": { 
@@ -61,7 +94,62 @@ "type": "github" } }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1680392223, + "narHash": "sha256-n3g7QFr85lDODKt250rkZj2IFS3i4/8HBU2yKHO3tqw=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "dcc36e45d054d7bb554c9cdab69093debd91a0b5", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, "flake-utils": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1681202837, + "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "cfacdce06f30d2b68473a46042957675eebb3401", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { "locked": { "lastModified": 1622445595, "narHash": "sha256-m+JRe6Wc5OZ/mKw2bB3+Tl0ZbtyxxxfnAWln8Q5qs+Y=", @@ -76,6 +164,28 @@ "type": "github" } }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "pre-commit-hooks-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1660459072, + "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ 
@@ -97,6 +207,33 @@ "type": "github" } }, + "lanzaboote": { + "inputs": { + "crane": "crane", + "flake-compat": "flake-compat", + "flake-parts": "flake-parts", + "flake-utils": "flake-utils", + "nixpkgs": [ + "nixpkgs" + ], + "pre-commit-hooks-nix": "pre-commit-hooks-nix", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1682802423, + "narHash": "sha256-Fb5TeRTdvUlo/5Yi2d+FC8a6KoRLk2h1VE0/peMhWPs=", + "owner": "nix-community", + "repo": "lanzaboote", + "rev": "64b903ca87d18cef2752c19c098af275c6e51d63", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "v0.3.0", + "repo": "lanzaboote", + "type": "github" + } + }, "local-bitwig": { "flake": false, "locked": { @@ -181,15 +318,31 @@ "type": "indirect" } }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1678872516, + "narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "9b8e5abb18324c7fe9f07cb100c3cd4a29cda8b8", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-22.11", + "repo": "nixpkgs", + "type": "github" + } + }, "openconnect-sso": { "inputs": { - "flake-utils": "flake-utils", + "flake-utils": "flake-utils_2", "nix-github-actions": "nix-github-actions", "nixpkgs": [ "nixpkgs" ], "poetry2nix": "poetry2nix", - "systems": "systems_2", + "systems": "systems_3", "treefmt-nix": "treefmt-nix" }, "locked": { 
@@ -244,10 +397,42 @@ "type": "github" } }, + "pre-commit-hooks-nix": { + "inputs": { + "flake-compat": [ + "lanzaboote", + "flake-compat" + ], + "flake-utils": [ + "lanzaboote", + "flake-utils" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1681413034, + "narHash": "sha256-/t7OjNQcNkeWeSq/CFLYVBfm+IEnkjoSm9iKvArnUUI=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "d3de8f69ca88fb6f8b09e5b598be5ac98d28ede5", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "root": { "inputs": { "agenix": "agenix", "cyrus-sasl-xoauth2": "cyrus-sasl-xoauth2", + "lanzaboote": "lanzaboote", "local-bitwig": "local-bitwig", "nix-index-database": "nix-index-database", "nixos-hardware": "nixos-hardware", @@ -255,6 +440,31 @@ "openconnect-sso": "openconnect-sso" } }, + "rust-overlay": { + "inputs": { + "flake-utils": [ + "lanzaboote", + "flake-utils" + ], + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1682129965, + "narHash": "sha256-1KRPIorEL6pLpJR04FwAqqnt4Tzcm4MqD84yhlD+XSk=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "2c417c0460b788328220120c698630947547ee83", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "systems": { "locked": { "lastModified": 1681028828, @@ -285,6 +495,21 @@ "type": "github" } }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "treefmt-nix": { "inputs": { "nixpkgs": [ diff --git a/flake.nix b/flake.nix index ce15297..4d52fd6 100644 --- a/flake.nix 
+++ b/flake.nix
@@ -28,14 +28,18 @@
 url = "github:Mic92/nix-index-database";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ lanzaboote = {
+ url = "github:nix-community/lanzaboote/v0.3.0";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 local-bitwig = {
 url = "path:/home/coolneng/Projects/panacea/assets/bitwig";
 flake = false;
 };
 };
 
- outputs =
- { self, nixpkgs, nixos-hardware, agenix, nix-index-database, ... }@inputs:
+ outputs = { self, nixpkgs, nixos-hardware, agenix, nix-index-database
+ , lanzaboote, ... }@inputs:
 let
 system = "x86_64-linux";
 
@@ -61,6 +65,7 @@
 nixos-hardware.nixosModules.lenovo-thinkpad-e14-amd
 agenix.nixosModules.age
 nix-index-database.nixosModules.nix-index
+ lanzaboote.nixosModules.lanzaboote
 ];
 specialArgs = {
 inherit inputs;
diff --git a/secrets/soundcloud_token b/secrets/soundcloud_token
index df524f2c1893e2b9a73b03d06c993aed408274e1..eeb67e998ca2e08479d83436239f41a975c73bd5 100644
GIT binary patch literal 56 zcmV-80LT9TM@dveQdv+`0G3iBsWe7!>F?K;P4IcqEvTioIntebhIZPWD2b OoC^;1&n>+Br3RwZM;p@s literal 56 zcmV-80LT9TM@dveQdv+`07-Pl5oI;GeZ7`y_4y8yphF!8Ws+A|-0-@}pKn5FSON(4 OPOlg=c