diff --git a/flake.lock b/flake.lock index 984ba8f..ef9df2a 100644 --- a/flake.lock +++ b/flake.lock @@ -124,6 +124,21 @@ "type": "github" } }, + "crane": { + "locked": { + "lastModified": 1754269165, + "narHash": "sha256-0tcS8FHd4QjbCVoxN9jI+PjHgA4vc/IjkUSp+N3zy0U=", + "owner": "ipetkov", + "repo": "crane", + "rev": "444e81206df3f7d92780680e45858e31d2f07a08", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, "disko": { "inputs": { "nixpkgs": [ @@ -162,6 +177,22 @@ } }, "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1747046372, + "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { "flake": false, "locked": { "lastModified": 1751685974, @@ -177,7 +208,7 @@ "url": "https://git.lix.systems/lix-project/flake-compat.git" } }, - "flake-compat_2": { + "flake-compat_3": { "flake": false, "locked": { "lastModified": 1696426674, @@ -194,6 +225,27 @@ } }, "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1754091436, + "narHash": "sha256-XKqDMN1/Qj1DKivQvscI4vmHfDfvYR2pfuFOJiCeewM=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "67df8c627c2c39c41dbec76a1f201929929ab0bd", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { "inputs": { "nixpkgs-lib": [ "nvf", @@ -214,7 +266,7 @@ "type": "github" } }, - "flake-parts_2": { + "flake-parts_3": { "inputs": { "nixpkgs-lib": [ "stylix", 
@@ -268,8 +320,8 @@ }, "git-hooks": { "inputs": { - "flake-compat": "flake-compat_2", - "gitignore": "gitignore", + "flake-compat": "flake-compat_3", + "gitignore": "gitignore_2", "nixpkgs": [ "slippi", "nixpkgs" @@ -290,6 +342,28 @@ } }, "gitignore": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "pre-commit-hooks-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "gitignore_2": { "inputs": { "nixpkgs": [ "slippi", @@ -390,6 +464,32 @@ "type": "github" } }, + "lanzaboote": { + "inputs": { + "crane": "crane", + "flake-compat": "flake-compat", + "flake-parts": "flake-parts", + "nixpkgs": [ + "nixpkgs" + ], + "pre-commit-hooks-nix": "pre-commit-hooks-nix", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1762205063, + "narHash": "sha256-If6vQ+KvtKs3ARBO9G3l+4wFSCYtRBrwX1z+I+B61wQ=", + "owner": "nix-community", + "repo": "lanzaboote", + "rev": "88b8a563ff5704f4e8d8e5118fb911fa2110ca05", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "v0.4.3", + "repo": "lanzaboote", + "type": "github" + } + }, "mnw": { "locked": { "lastModified": 1758834834, @@ -531,8 +631,8 @@ }, "nvf": { "inputs": { - "flake-compat": "flake-compat", - "flake-parts": "flake-parts", + "flake-compat": "flake-compat_2", + "flake-parts": "flake-parts_2", "mnw": "mnw", "nixpkgs": [ "nixpkgs" 
@@ -554,6 +654,32 @@ "type": "github" } }, + "pre-commit-hooks-nix": { + "inputs": { + "flake-compat": [ + "lanzaboote", + "flake-compat" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1750779888, + "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "root": { "inputs": { "autoaspm": "autoaspm", @@ -561,6 +687,7 @@ "disko": "disko", "home-manager": "home-manager", "home-manager-unstable": "home-manager-unstable", + "lanzaboote": "lanzaboote", "nix-darwin": "nix-darwin", "nix-flatpak": "nix-flatpak", "nix-homebrew": "nix-homebrew", @@ -573,6 +700,27 @@ "vpn-confinement": "vpn-confinement" } }, + "rust-overlay": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1761791894, + "narHash": "sha256-myRIDh+PxaREz+z9LzbqBJF+SnTFJwkthKDX9zMyddY=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "59c45eb69d9222a4362673141e00ff77842cd219", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "slippi": { "inputs": { "git-hooks": "git-hooks", @@ -622,7 +770,7 @@ "base16-helix": "base16-helix", "base16-vim": "base16-vim", "firefox-gnome-theme": "firefox-gnome-theme", - "flake-parts": "flake-parts_2", + "flake-parts": "flake-parts_3", "gnome-shell": "gnome-shell", "nixpkgs": [ "nixpkgs-unstable" diff --git a/flake.nix b/flake.nix index d45d3c6..1938a5b 100644 --- a/flake.nix +++ b/flake.nix 
@@ -28,6 +28,10 @@ url = "github:nix-community/disko/latest"; inputs.nixpkgs.follows = "nixpkgs"; }; + lanzaboote = { + url = "github:nix-community/lanzaboote/v0.4.3"; + inputs.nixpkgs.follows = "nixpkgs"; + }; vpn-confinement = { url = "github:Maroka-chan/VPN-Confinement"; }; diff --git a/hosts/nixos/yveltal/configuration.nix b/hosts/nixos/yveltal/configuration.nix index 54abd9c..f41be6e 100644 --- a/hosts/nixos/yveltal/configuration.nix +++ b/hosts/nixos/yveltal/configuration.nix @@ -20,6 +20,7 @@ # home grown nixos modules system = { + secure_boot.enable = true; ssh.enable = true; sops.enable = true; yubikey.enable = true; diff --git a/modules/system/default.nix b/modules/system/default.nix index b8730e3..0d3c1ef 100644 --- a/modules/system/default.nix +++ b/modules/system/default.nix @@ -16,6 +16,7 @@ ./syncthing ./graphics ./flatpak + ./secure_boot ]; system.ssh.enable = lib.mkDefault true; diff --git a/modules/system/secure_boot/default.nix b/modules/system/secure_boot/default.nix new file mode 100644 index 0000000..d21c796 --- /dev/null +++ b/modules/system/secure_boot/default.nix @@ -0,0 +1,31 @@ +{ + pkgs, + inputs, + config, + lib, + ... +}: let + cfg = config.system.secure_boot; +in { + options.system.secure_boot = { + enable = lib.mkEnableOption "enables secureboot with lanzaboote"; + }; + + imports = [inputs.lanzaboote.nixosModules.lanzaboote]; + + config = lib.mkIf cfg.enable { + + # install userspace secureboot tools + environment.systemPackages = with pkgs; [ + sbctl + ]; + + # force disable systemd-boot so lanzaboote can be used + boot.loader.systemd-boot.enable = lib.mkForce false; + + boot.lanzaboote = { + enable = true; + pkiBundle = "/var/lib/sbctl"; + }; + }; +}
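Review bot: The new secure_boot module points `boot.lanzaboote.pkiBundle` at `/var/lib/sbctl` but says nothing about where those signing keys come from or how they must be protected, and nothing in this commit creates them: if that directory is empty on the first rebuild the lanzaboote installer has nothing to sign with and the switch will fail, and if it sits on an unencrypted volume the Platform Key / db private keys are readable by anyone who has the disk, which lets them sign their own bootloader and defeats the chain they are meant to anchor. The hunk does not show whether yveltal's root filesystem is encrypted, so I cannot tell which of these applies to this host. I would add a comment above `pkiBundle`, roughly `# Keys are generated out of band with 'sbctl create-keys' and enrolled with 'sbctl enroll-keys'; they are the trust root for the whole boot chain, so this path must live on an encrypted filesystem and stay root-only.` Minor: `lib.mkEnableOption` prefixes its argument with "Whether to enable", so the description should be a noun phrase, e.g. `enable = lib.mkEnableOption "Secure Boot via lanzaboote";`.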