diff --git a/flake.lock b/flake.lock index 0963926f..06a24783 100644 --- a/flake.lock +++ b/flake.lock @@ -194,6 +194,22 @@ } }, "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { "flake": false, "locked": { "lastModified": 1668681692, @@ -209,6 +225,27 @@ "type": "github" } }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1683560683, + "narHash": "sha256-XAygPMN5Xnk/W2c1aW0jyEa6lfMDZWlQgiNtmHXytPc=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "006c75898cf814ef9497252b022e91c946ba8e17", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, "flake-utils": { "inputs": { "systems": "systems" 
@@ -227,6 +264,46 @@ "type": "github" } }, + "flake-utils_2": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1681202837, + "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "cfacdce06f30d2b68473a46042957675eebb3401", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "pre-commit-hooks-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1660459072, + "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ @@ -247,6 +324,30 @@ "type": "github" } }, + "lanzaboote": { + "inputs": { + "flake-compat": "flake-compat", + "flake-parts": "flake-parts", + "flake-utils": "flake-utils_2", + "nixpkgs": [ + "nixpkgs" + ], + "pre-commit-hooks-nix": "pre-commit-hooks-nix" + }, + "locked": { + "lastModified": 1687124707, + "narHash": "sha256-BEC2y7zwDI/Saeupr9rijLvwb0OoqTD9vntlcyciyrM=", + "owner": "nix-community", + "repo": "lanzaboote", + "rev": "c758cdad465e0c8174db57dc493f51a89f0e3372", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "lanzaboote", + "type": "github" + } + }, "nix-index-database": { "inputs": { "nixpkgs": [ @@ -270,7 +371,7 @@ "nixos-mailserver": { "inputs": { "blobs": "blobs", - "flake-compat": "flake-compat", + "flake-compat": "flake-compat_2", "nixpkgs": [ "nixpkgs" ], 
@@ -340,6 +441,22 @@ "type": "github" } }, + "nixpkgs-stable_2": { + "locked": { + "lastModified": 1678872516, + "narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "9b8e5abb18324c7fe9f07cb100c3cd4a29cda8b8", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-22.11", + "repo": "nixpkgs", + "type": "github" + } + }, "nur": { "locked": { "lastModified": 1687196525, @@ -355,6 +472,37 @@ "type": "github" } }, + "pre-commit-hooks-nix": { + "inputs": { + "flake-compat": [ + "lanzaboote", + "flake-compat" + ], + "flake-utils": [ + "lanzaboote", + "flake-utils" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable_2" + }, + "locked": { + "lastModified": 1684842236, + "narHash": "sha256-rYWsIXHvNhVQ15RQlBUv67W3YnM+Pd+DuXGMvCBq2IE=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "61e567d6497bc9556f391faebe5e410e6623217f", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "root": { "inputs": { "accentor": "accentor", @@ -365,6 +513,7 @@ "emacs-overlay": "emacs-overlay", "flake-utils": "flake-utils", "home-manager": "home-manager", + "lanzaboote": "lanzaboote", "nix-index-database": "nix-index-database", "nixos-mailserver": "nixos-mailserver", "nixpkgs": "nixpkgs", @@ -388,6 +537,21 @@ "type": "github" } }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "tetris": { "inputs": { "devshell": [ diff --git a/flake.nix b/flake.nix index c86be2e4..42a5b3e9 100644 --- a/flake.nix +++ b/flake.nix 
@@ -54,6 +54,10 @@
 url = "github:nix-community/home-manager";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ lanzaboote = {
+ url = "github:nix-community/lanzaboote";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 nixos-mailserver = {
 url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
 inputs = {
@@ -85,7 +89,7 @@
 };
 };
- outputs = inputs@{ self, nixpkgs, accentor, accentor-api, accentor-web, agenix, devshell, emacs-overlay, flake-utils, home-manager, nix-index-database, nixos-mailserver, nur, tetris, www-chvp-be }:
+ outputs = inputs@{ self, nixpkgs, accentor, accentor-api, accentor-web, agenix, devshell, emacs-overlay, flake-utils, home-manager, lanzaboote, nix-index-database, nixos-mailserver, nur, tetris, www-chvp-be }:
 let
 patches = builtins.map (patch: ./patches + "/${patch}") (builtins.filter (x: x != ".keep") (builtins.attrNames (builtins.readDir ./patches)));
 # Avoid IFD if there are no patches
@@ -111,6 +115,7 @@
 accentor.nixosModules.default
 agenix.nixosModules.age
 home-manager.nixosModule
+ lanzaboote.nixosModules.lanzaboote
 nixos-mailserver.nixosModule
 nix-index-database.nixosModules.nix-index
 ./modules
diff --git a/machines/kholinar/hardware.nix b/machines/kholinar/hardware.nix
index 6e379e4b..1897a691 100644
--- a/machines/kholinar/hardware.nix
+++ b/machines/kholinar/hardware.nix
@@ -4,10 +4,11 @@
 imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
 boot = {
- loader = {
- systemd-boot.enable = true;
- efi.canTouchEfiVariables = true;
+ lanzaboote = {
+ enable = true;
+ pkiBundle = "/etc/secureboot";
 };
+ loader.efi.canTouchEfiVariables = true;
 initrd = {
 availableKernelModules = [ "xhci_pci" "nvme" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" ];
 kernelModules = [ "i915" ];
@@ -19,6 +20,12 @@
 };
 };
+
+ chvp.base.zfs.systemLinks = [{ path = "/etc/secureboot"; type = "cache"; }];
+
+ # For Secure Boot management
+ environment.systemPackages = [ pkgs.sbctl ];
+
 fileSystems."/" = {
 device = "rpool/local/root";
 fsType = "zfs";
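Review bot: The new `lanzaboote` input only follows the root `nixpkgs`, so the flake.lock hunks above show lanzaboote pulling its own copy of flake-utils (`flake-utils_2`, with `systems_2`) next to the root's `flake-utils`; adding `inputs.flake-utils.follows = "flake-utils";` under the existing `inputs.nixpkgs.follows` line would deduplicate that input. The remaining transitive inputs recorded in the lock (flake-parts, pre-commit-hooks-nix, gitignore and a second nixpkgs pinned to nixos-22.11) come along regardless and widen what a future `nix flake update` fetches; whether any of them is needed for the NixOS module rather than only for lanzaboote's own development shell is not visible here. The enclosing `inputs` attribute set starts and ends outside the hunk.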
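Review bot: The `boot` hunk in machines/kholinar/hardware.nix drops `systemd-boot.enable = true` rather than forcing it off, so if any other module this host imports (a shared base module, or a regenerated hardware config) still sets `boot.loader.systemd-boot.enable`, the unsigned systemd-boot installer would be enabled alongside lanzaboote for the same ESP; the lanzaboote module's own quick-start uses `boot.loader.systemd-boot.enable = lib.mkForce false;` next to the `lanzaboote` block for that reason, which needs `lib` in this module's argument list (the argument list is outside the hunk, so I cannot tell whether it is already there). `pkiBundle = "/etc/secureboot"` makes that directory the home of the Secure Boot signing keys every generation is signed with, so a comment such as `# Secure Boot signing keys (sbctl bundle): root-only, must persist across reboots` above it would make the sensitivity of the path explicit. The `boot` attribute set continues past the end of the hunk.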
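Review bot: In the second hardware.nix hunk, `chvp.base.zfs.systemLinks` classifies `/etc/secureboot` as type `"cache"`, while the earlier hunk points `boot.lanzaboote.pkiBundle` at the same path, so the directory holds the Secure Boot signing keys rather than reproducible cache data; if `"cache"` in this project's ZFS module means a dataset that is excluded from snapshots or backups, or is discarded on rollback, the keys that future generations must be signed with would be lost and would have to be regenerated and re-enrolled in firmware (the type's semantics are defined outside this diff, so this is an inference to confirm). Either a type reserved for persistent root-only state or a comment stating why `"cache"` is acceptable, e.g. `# Secure Boot signing keys: keep persistent and root-only; loss means re-enrolling keys in firmware`, would record the intent. The module's attribute set begins outside the hunk.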
diff --git a/modules/base/nix/default.nix b/modules/base/nix/default.nix
index c89c0c0b..e6d4bdd3 100644
--- a/modules/base/nix/default.nix
+++ b/modules/base/nix/default.nix
@@ -62,15 +62,17 @@ in
 auto-optimise-store = true;
 substituters = [
 "https://cache.nixos.org"
- "https://nix-community.cachix.org"
- "https://chvp.cachix.org"
 "https://accentor.cachix.org"
+ "https://chvp.cachix.org"
+ "https://lanzaboote.cachix.org"
+ "https://nix-community.cachix.org"
 ];
 trusted-public-keys = [
 "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
- "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
- "chvp.cachix.org-1:eIG26KkeA+R3tCpvmaayA9i3KVVL06G+qB5ci4dHBT4="
 "accentor.cachix.org-1:QP+oJwzmeq5Fsyp4Vk501UgUSbl5VIna/ard/XOePH8="
+ "chvp.cachix.org-1:eIG26KkeA+R3tCpvmaayA9i3KVVL06G+qB5ci4dHBT4="
+ "lanzaboote.cachix.org-1:Nt9//zGmqkg1k5iu+B3bkj3OmHKjSw9pvf3faffLLNk="
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
 ];
 trusted-users = [ "@wheel" ];
 };
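Review bot: Adding `https://lanzaboote.cachix.org` and its key to `substituters` and `trusted-public-keys` in modules/base extends binary-cache trust to that cache on every host that imports the base module, not only the one machine that enables lanzaboote; whoever controls that cachix cache can then serve a substitute for any store path the earlier caches do not have, and the system will accept it as long as it carries a signature under that key. The key value should therefore be checked against the one the lanzaboote project publishes before this is merged, and the simultaneous alphabetical reordering of both lists makes the single new entry harder to spot in the diff. A comment above the new entries, `# lanzaboote binary cache; public key copied from the project's README`, would record where the key came from, and scoping the cache to hosts with `boot.lanzaboote.enable` set would keep the trust surface of the other hosts unchanged. The enclosing `nix.settings` attribute set begins outside the hunk.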