Price/dots
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(hosts/orion): enable secureboot
Some checks failed
Check Formatting of Files / Check-Formatting (push) Failing after 36s
Details

Browse Source
This commit is contained in:
Price Hiller 2024-09-27 00:36:41 -05:00
parent 50f6fd5f9a
commit 9122b34443
Signed by: Price
GPG Key ID: C3FADDE7A8534BEB
3 changed files with 206 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

189
flake.lock
View File

@ -100,6 +100,27 @@
"type": "github" "type": "github"
} }
}, },
"crane_2": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1721842668,
"narHash": "sha256-k3oiD2z2AAwBFLa4+xfU+7G5fisRXfkvrMTCJrjZzXo=",
"owner": "ipetkov",
"repo": "crane",
"rev": "529c1a0b1f29f0d78fa3086b8f6a134c71ef3aaf",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"darwin": { "darwin": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -174,11 +195,11 @@
"nixpkgs-stable": "nixpkgs-stable" "nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
"lastModified": 1727411519, "lastModified": 1727412635,
"narHash": "sha256-9xQF78yyNv/dkJ56HKVtJLRM6aoytIk6VPyNlR25Zyk=", "narHash": "sha256-AnqKTwOQLdzfO3qeiwH4E++9NlF35Z7vVHLLf7KzNCM=",
"owner": "nix-community", "owner": "nix-community",
"repo": "emacs-overlay", "repo": "emacs-overlay",
"rev": "a4ee09a79bdebef57ee7b1b74586c6d1f438541a", "rev": "971818ced1e07091530eafe2a0d324913dacfabf",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -219,7 +240,44 @@
"type": "github" "type": "github"
} }
}, },
"flake-compat_3": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": { "flake-parts": {
"inputs": {
"nixpkgs-lib": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1719994518,
"narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_2": {
"inputs": { "inputs": {
"nixpkgs-lib": [ "nixpkgs-lib": [
"nix", "nix",
@ -360,6 +418,28 @@
"type": "github" "type": "github"
} }
}, },
"gitignore": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"pre-commit-hooks-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"harfbuzz": { "harfbuzz": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -434,6 +514,31 @@
"type": "github" "type": "github"
} }
}, },
"lanzaboote": {
"inputs": {
"crane": "crane_2",
"flake-compat": "flake-compat_2",
"flake-parts": "flake-parts",
"nixpkgs": [
"nixpkgs"
],
"pre-commit-hooks-nix": "pre-commit-hooks-nix",
"rust-overlay": "rust-overlay_2"
},
"locked": {
"lastModified": 1725379389,
"narHash": "sha256-qS1H/5/20ewJIXmf8FN2A5KTOKKU9elWvCPwdBi1P/U=",
"owner": "nix-community",
"repo": "lanzaboote",
"rev": "e7bd94e0b5ff3c1e686f2101004ebf4fcea9d871",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "lanzaboote",
"type": "github"
}
},
"libgit2": { "libgit2": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -470,8 +575,8 @@
}, },
"nix": { "nix": {
"inputs": { "inputs": {
"flake-compat": "flake-compat_2", "flake-compat": "flake-compat_3",
"flake-parts": "flake-parts", "flake-parts": "flake-parts_2",
"git-hooks-nix": "git-hooks-nix", "git-hooks-nix": "git-hooks-nix",
"libgit2": "libgit2", "libgit2": "libgit2",
"nixpkgs": "nixpkgs_2", "nixpkgs": "nixpkgs_2",
@ -526,11 +631,11 @@
}, },
"nixpkgs-master": { "nixpkgs-master": {
"locked": { "locked": {
"lastModified": 1727412098, "lastModified": 1727413906,
"narHash": "sha256-ujxF8U/dzaIeF5E9oG7INl4xC8pCjoxprTdtGoagjp0=", "narHash": "sha256-QZmaLMl7+pa/LzBsznxIqUcmgu43JpBnuhC2EPpW+bI=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "f9c724d55b077d109a521f90736bfc4095ccd67d", "rev": "5e8bde69b9ba8fc79ecc4c6472b4e2806d5e035c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -571,6 +676,22 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-stable_2": {
"locked": {
"lastModified": 1720386169,
"narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "194846768975b7ad2c4988bdb82572c00222c0d7",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1723688146, "lastModified": 1723688146,
@ -603,6 +724,33 @@
"type": "github" "type": "github"
} }
}, },
"pre-commit-hooks-nix": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"gitignore": "gitignore",
"nixpkgs": [
"lanzaboote",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable_2"
},
"locked": {
"lastModified": 1721042469,
"narHash": "sha256-6FPUl7HVtvRHCCBQne7Ylp4p+dpP3P/OYuzjztZ4s70=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "f451c19376071a90d8c58ab1a953c6e9840527fd",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"agenix": "agenix", "agenix": "agenix",
@ -614,6 +762,7 @@
"flake-utils": "flake-utils_3", "flake-utils": "flake-utils_3",
"home-manager": "home-manager_2", "home-manager": "home-manager_2",
"impermanence": "impermanence", "impermanence": "impermanence",
"lanzaboote": "lanzaboote",
"nix": "nix", "nix": "nix",
"nixpkgs": "nixpkgs_3", "nixpkgs": "nixpkgs_3",
"nixpkgs-master": "nixpkgs-master", "nixpkgs-master": "nixpkgs-master",
@ -643,6 +792,27 @@
} }
}, },
"rust-overlay_2": { "rust-overlay_2": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1722219664,
"narHash": "sha256-xMOJ+HW4yj6e69PvieohUJ3dBSdgCfvI0nnCEe6/yVc=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "a6fbda5d9a14fb5f7c69b8489d24afeb349c7bb4",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"rust-overlay_3": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"wezterm", "wezterm",
@ -668,7 +838,6 @@
"locked": { "locked": {
"lastModified": 1727412130, "lastModified": 1727412130,
"narHash": "sha256-pifu78oIrAsnU8Iu51iXSPT331mJ6ehHy5iX/ZTQsSE=", "narHash": "sha256-pifu78oIrAsnU8Iu51iXSPT331mJ6ehHy5iX/ZTQsSE=",
"ref": "refs/heads/main",
"rev": "8c078e598aeb9f4ead31cba2e8a62c7e77d75151", "rev": "8c078e598aeb9f4ead31cba2e8a62c7e77d75151",
"revCount": 1, "revCount": 1,
"submodules": true, "submodules": true,
@ -798,7 +967,7 @@
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
"rust-overlay": "rust-overlay_2", "rust-overlay": "rust-overlay_3",
"zlib": "zlib" "zlib": "zlib"
}, },
"locked": { "locked": {

5
flake.nix
View File

@ -7,6 +7,10 @@
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
nixpkgs-master.url = "github:nixos/nixpkgs"; nixpkgs-master.url = "github:nixos/nixpkgs";
flake-utils.url = "github:numtide/flake-utils"; flake-utils.url = "github:numtide/flake-utils";
lanzaboote = {
url = "github:nix-community/lanzaboote";
inputs.nixpkgs.follows = "nixpkgs";
};
bob = { bob = {
flake = false; flake = false;
url = "github:MordechaiHadad/bob"; url = "github:MordechaiHadad/bob";
@ -199,6 +203,7 @@
}; };
modules = [ modules = [
./modules/btrfs-rollback.nix ./modules/btrfs-rollback.nix
inputs.lanzaboote.nixosModules.lanzaboote
inputs.impermanence.nixosModules.impermanence inputs.impermanence.nixosModules.impermanence
inputs.agenix.nixosModules.default inputs.agenix.nixosModules.default
inputs.disko.nixosModules.disko inputs.disko.nixosModules.disko

25
hosts/orion/os/boot.nix
View File

@ -1,10 +1,21 @@
{ modulesPath, pkgs, ... }: {
modulesPath,
pkgs,
lib,
...
}:
let
pkiBundlePath = "/etc/secureboot";
in
{ {
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
security.tpm2.enable = true; security.tpm2.enable = true;
environment.systemPackages = with pkgs; [ tpm2-tss ]; environment.systemPackages = with pkgs; [
tpm2-tss
sbctl
];
services.btrfs-rollback = { services.btrfs-rollback = {
enable = true; enable = true;
@ -13,9 +24,17 @@
snapshot = "root-base"; snapshot = "root-base";
}; };
environment.persistence.ephemeral.directories = [
pkiBundlePath
];
boot = { boot = {
lanzaboote = {
enable = true;
pkiBundle = pkiBundlePath;
};
loader = { loader = {
systemd-boot.enable = true; systemd-boot.enable = lib.mkForce false;
efi.canTouchEfiVariables = true; efi.canTouchEfiVariables = true;
}; };
kernelPackages = pkgs.linuxPackages_latest; kernelPackages = pkgs.linuxPackages_latest;