chvp/nixos-config
1
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

Enable secure boot on kholinar

Browse source
This commit is contained in:
Charlotte Van Petegem 2023-06-19 21:28:51 +02:00
parent 79d8375c21
commit f323d1826e
No known key found for this signature in database
GPG key ID: 019E764B7184435A
4 changed files with 187 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

166
flake.lock generated
View file

@ -194,6 +194,22 @@
} }
}, },
"flake-compat": { "flake-compat": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1668681692, "lastModified": 1668681692,
@ -209,6 +225,27 @@
"type": "github" "type": "github"
} }
}, },
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1683560683,
"narHash": "sha256-XAygPMN5Xnk/W2c1aW0jyEa6lfMDZWlQgiNtmHXytPc=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "006c75898cf814ef9497252b022e91c946ba8e17",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-utils": { "flake-utils": {
"inputs": { "inputs": {
"systems": "systems" "systems": "systems"
@ -227,6 +264,46 @@
"type": "github" "type": "github"
} }
}, },
"flake-utils_2": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1681202837,
"narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "cfacdce06f30d2b68473a46042957675eebb3401",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"pre-commit-hooks-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1660459072,
"narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"home-manager": { "home-manager": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -247,6 +324,30 @@
"type": "github" "type": "github"
} }
}, },
"lanzaboote": {
"inputs": {
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
"flake-utils": "flake-utils_2",
"nixpkgs": [
"nixpkgs"
],
"pre-commit-hooks-nix": "pre-commit-hooks-nix"
},
"locked": {
"lastModified": 1687124707,
"narHash": "sha256-BEC2y7zwDI/Saeupr9rijLvwb0OoqTD9vntlcyciyrM=",
"owner": "nix-community",
"repo": "lanzaboote",
"rev": "c758cdad465e0c8174db57dc493f51a89f0e3372",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "lanzaboote",
"type": "github"
}
},
"nix-index-database": { "nix-index-database": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -270,7 +371,7 @@
"nixos-mailserver": { "nixos-mailserver": {
"inputs": { "inputs": {
"blobs": "blobs", "blobs": "blobs",
"flake-compat": "flake-compat", "flake-compat": "flake-compat_2",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
@ -340,6 +441,22 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-stable_2": {
"locked": {
"lastModified": 1678872516,
"narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "9b8e5abb18324c7fe9f07cb100c3cd4a29cda8b8",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-22.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nur": { "nur": {
"locked": { "locked": {
"lastModified": 1687196525, "lastModified": 1687196525,
@ -355,6 +472,37 @@
"type": "github" "type": "github"
} }
}, },
"pre-commit-hooks-nix": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"gitignore": "gitignore",
"nixpkgs": [
"lanzaboote",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable_2"
},
"locked": {
"lastModified": 1684842236,
"narHash": "sha256-rYWsIXHvNhVQ15RQlBUv67W3YnM+Pd+DuXGMvCBq2IE=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "61e567d6497bc9556f391faebe5e410e6623217f",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"accentor": "accentor", "accentor": "accentor",
@ -365,6 +513,7 @@
"emacs-overlay": "emacs-overlay", "emacs-overlay": "emacs-overlay",
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"home-manager": "home-manager", "home-manager": "home-manager",
"lanzaboote": "lanzaboote",
"nix-index-database": "nix-index-database", "nix-index-database": "nix-index-database",
"nixos-mailserver": "nixos-mailserver", "nixos-mailserver": "nixos-mailserver",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
@ -388,6 +537,21 @@
"type": "github" "type": "github"
} }
}, },
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"tetris": { "tetris": {
"inputs": { "inputs": {
"devshell": [ "devshell": [

7
flake.nix
View file

@ -54,6 +54,10 @@
url = "github:nix-community/home-manager"; url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
lanzaboote = {
url = "github:nix-community/lanzaboote";
inputs.nixpkgs.follows = "nixpkgs";
};
nixos-mailserver = { nixos-mailserver = {
url = "gitlab:simple-nixos-mailserver/nixos-mailserver"; url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
inputs = { inputs = {
@ -85,7 +89,7 @@
}; };
}; };
outputs = inputs@{ self, nixpkgs, accentor, accentor-api, accentor-web, agenix, devshell, emacs-overlay, flake-utils, home-manager, nix-index-database, nixos-mailserver, nur, tetris, www-chvp-be }: outputs = inputs@{ self, nixpkgs, accentor, accentor-api, accentor-web, agenix, devshell, emacs-overlay, flake-utils, home-manager, lanzaboote, nix-index-database, nixos-mailserver, nur, tetris, www-chvp-be }:
let let
patches = builtins.map (patch: ./patches + "/${patch}") (builtins.filter (x: x != ".keep") (builtins.attrNames (builtins.readDir ./patches))); patches = builtins.map (patch: ./patches + "/${patch}") (builtins.filter (x: x != ".keep") (builtins.attrNames (builtins.readDir ./patches)));
# Avoid IFD if there are no patches # Avoid IFD if there are no patches
@ -111,6 +115,7 @@
accentor.nixosModules.default accentor.nixosModules.default
agenix.nixosModules.age agenix.nixosModules.age
home-manager.nixosModule home-manager.nixosModule
lanzaboote.nixosModules.lanzaboote
nixos-mailserver.nixosModule nixos-mailserver.nixosModule
nix-index-database.nixosModules.nix-index nix-index-database.nixosModules.nix-index
./modules ./modules

13
machines/kholinar/hardware.nix
View file

@ -4,10 +4,11 @@
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot = { boot = {
loader = { lanzaboote = {
systemd-boot.enable = true; enable = true;
efi.canTouchEfiVariables = true; pkiBundle = "/etc/secureboot";
}; };
loader.efi.canTouchEfiVariables = true;
initrd = { initrd = {
availableKernelModules = [ "xhci_pci" "nvme" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" ]; availableKernelModules = [ "xhci_pci" "nvme" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" ];
kernelModules = [ "i915" ]; kernelModules = [ "i915" ];
@ -19,6 +20,12 @@
}; };
}; };
chvp.base.zfs.systemLinks = [{ path = "/etc/secureboot"; type = "cache"; }];
# For Secure Boot management
environment.systemPackages = [ pkgs.sbctl ];
fileSystems."/" = { fileSystems."/" = {
device = "rpool/local/root"; device = "rpool/local/root";
fsType = "zfs"; fsType = "zfs";

10
modules/base/nix/default.nix
View file

@ -62,15 +62,17 @@ in
auto-optimise-store = true; auto-optimise-store = true;
substituters = [ substituters = [
"https://cache.nixos.org" "https://cache.nixos.org"
"https://nix-community.cachix.org"
"https://chvp.cachix.org"
"https://accentor.cachix.org" "https://accentor.cachix.org"
"https://chvp.cachix.org"
"https://lanzaboote.cachix.org"
"https://nix-community.cachix.org"
]; ];
trusted-public-keys = [ trusted-public-keys = [
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"chvp.cachix.org-1:eIG26KkeA+R3tCpvmaayA9i3KVVL06G+qB5ci4dHBT4="
"accentor.cachix.org-1:QP+oJwzmeq5Fsyp4Vk501UgUSbl5VIna/ard/XOePH8=" "accentor.cachix.org-1:QP+oJwzmeq5Fsyp4Vk501UgUSbl5VIna/ard/XOePH8="
"chvp.cachix.org-1:eIG26KkeA+R3tCpvmaayA9i3KVVL06G+qB5ci4dHBT4="
"lanzaboote.cachix.org-1:Nt9//zGmqkg1k5iu+B3bkj3OmHKjSw9pvf3faffLLNk="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
]; ];
trusted-users = [ "@wheel" ]; trusted-users = [ "@wheel" ];
}; };