| author | Franck Cuny <franck@fcuny.net> | 2026-01-25 08:20:25 -0800 |
|---|---|---|
| committer | Franck Cuny <franck@fcuny.net> | 2026-01-25 08:29:39 -0800 |
| commit | 2777680940425a9a741a8ba1befef2fcf1cc139b (patch) | |
| tree | a86d7ea98aceb31325de04324ba59ebd5b20f96e | |
| parent | enforce sorting in some places (diff) | |
| download | infra-2777680940425a9a741a8ba1befef2fcf1cc139b.tar.gz | |
enable lanzaboote
Diffstat (limited to '')
| -rw-r--r-- | flake.lock | 138 | ||||
| -rw-r--r-- | flake.nix | 8 | ||||
| -rw-r--r-- | machines/framebox.nix | 4 | ||||
| -rw-r--r-- | modules/host-config.nix | 4 | ||||
| -rw-r--r-- | profiles/secureboot.nix | 17 |
5 files changed, 163 insertions, 8 deletions
@@ -44,6 +44,21 @@ "type": "github" } }, + "crane": { + "locked": { + "lastModified": 1765145449, + "narHash": "sha256-aBVHGWWRzSpfL++LubA0CwOOQ64WNLegrYHwsVuVN7A=", + "owner": "ipetkov", + "repo": "crane", + "rev": "69f538cdce5955fcd47abfed4395dc6d5194c1c5", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, "darwin": { "inputs": { "nixpkgs": [ @@ -131,6 +146,22 @@ "flake-compat": { "flake": false, "locked": { + "lastModified": 1761588595, + "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { + "flake": false, + "locked": { "lastModified": 1730663653, "narHash": "sha256-kFCUWettiFHDIqxCWWQ9qY8pVh+Lj+XL0Giyy/kdomg=", "owner": "hraban", @@ -145,7 +176,7 @@ "type": "github" } }, - "flake-compat_2": { + "flake-compat_3": { "flake": false, "locked": { "lastModified": 1747046372, @@ -161,7 +192,7 @@ "type": "github" } }, - "flake-compat_3": { + "flake-compat_4": { "flake": false, "locked": { "lastModified": 1767039857, @@ -257,6 +288,28 @@ "gitignore": { "inputs": { "nixpkgs": [ + "lanzaboote", + "pre-commit", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "gitignore_2": { + "inputs": { + "nixpkgs": [ "my-go-tools", "pre-commit-hooks", "nixpkgs" @@ -276,7 +329,7 @@ "type": "github" } }, - "gitignore_2": { + "gitignore_3": { "inputs": { "nixpkgs": [ "pre-commit-hooks", 
@@ -379,10 +432,34 @@ "type": "github" } }, + "lanzaboote": { + "inputs": { + "crane": "crane", + "nixpkgs": [ + "nixpkgs" + ], + "pre-commit": "pre-commit", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1765382359, + "narHash": "sha256-RJmgVDzjRI18BWVogG6wpsl1UCuV6ui8qr4DJ1LfWZ8=", + "owner": "nix-community", + "repo": "lanzaboote", + "rev": "e8c096ade12ec9130ff931b0f0e25d2f1bc63607", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "v1.0.0", + "repo": "lanzaboote", + "type": "github" + } + }, "mac-app-util": { "inputs": { "cl-nix-lite": "cl-nix-lite", - "flake-compat": "flake-compat", + "flake-compat": "flake-compat_2", "flake-utils": "flake-utils", "nixpkgs": "nixpkgs_4", "systems": "systems_3", @@ -597,11 +674,34 @@ "type": "github" } }, - "pre-commit-hooks": { + "pre-commit": { "inputs": { - "flake-compat": "flake-compat_2", + "flake-compat": "flake-compat", "gitignore": "gitignore", "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1765016596, + "narHash": "sha256-rhSqPNxDVow7OQKi4qS5H8Au0P4S3AYbawBSmJNUtBQ=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "548fc44fca28a5e81c5d6b846e555e6b9c2a5a3c", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, + "pre-commit-hooks": { + "inputs": { + "flake-compat": "flake-compat_3", + "gitignore": "gitignore_2", + "nixpkgs": [ "my-go-tools", "nixpkgs" ] @@ -622,8 +722,8 @@ }, "pre-commit-hooks_2": { "inputs": { - "flake-compat": "flake-compat_3", - "gitignore": "gitignore_2", + "flake-compat": "flake-compat_4", + "gitignore": "gitignore_3", "nixpkgs": [ "nixpkgs" ] @@ -650,6 +750,7 @@ "emacs-overlay": "emacs-overlay", "home-manager": "home-manager_2", "impermanence": "impermanence", + "lanzaboote": "lanzaboote", "mac-app-util": "mac-app-util", "my-go-tools": "my-go-tools", "nixos-hardware": "nixos-hardware", 
@@ -659,6 +760,27 @@ "treefmt-nix": "treefmt-nix_4" } }, + "rust-overlay": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1765075567, + "narHash": "sha256-KFDCdQcHJ0hE3Nt5Gm5enRIhmtEifAjpxgUQ3mzSJpA=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "769156779b41e8787a46ca3d7d76443aaf68be6f", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "systems": { "locked": { "lastModified": 1681028828, @@ -13,6 +13,8 @@ home-manager.inputs.nixpkgs.follows = "nixpkgs"; home-manager.url = "github:nix-community/home-manager/release-25.11"; impermanence.url = "github:nix-community/impermanence"; + lanzaboote.inputs.nixpkgs.follows = "nixpkgs"; + lanzaboote.url = "github:nix-community/lanzaboote/v1.0.0"; mac-app-util.url = "github:hraban/mac-app-util"; my-go-tools.url = "git+https://code.fcuny.net/x"; nixos-hardware.url = "github:NixOS/nixos-hardware/master"; @@ -39,6 +41,7 @@ nur, my-go-tools, impermanence, + lanzaboote, ... }: let @@ -96,19 +99,24 @@ defaultModules = [ nixSettings + #keep-sorted start agenix.nixosModules.age disko.nixosModules.disko home-manager.nixosModules.home-manager impermanence.nixosModules.impermanence + lanzaboote.nixosModules.lanzaboote + #keep-sorted end ./modules/default.nix ]; # Default modules for Darwin hosts darwinDefaultModules = [ nixSettings + #keep-sorted start agenix.darwinModules.age home-manager.darwinModules.home-manager inputs.mac-app-util.darwinModules.default + #keep-sorted end ./modules/default-darwin.nix ]; diff --git a/machines/framebox.nix b/machines/framebox.nix index 15a82bd..34ef32b 100644 --- a/machines/framebox.nix +++ b/machines/framebox.nix 
@@ -9,6 +9,7 @@ wgPublicKey = "jf7T7TMKQWSgSXhUplldZDV9G2y2BjMmHIAhg5d26ng="; publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID76U5kt8DfBbuP16rMzfBTVTpjjPFKWnnheMALaCQEd"; ephemeralRoot = true; + secureBoot = true; age.secrets = { wireguard.file = ../secrets/framebox/wireguard.age; @@ -36,6 +37,7 @@ }; imports = [ + # keep-sorted start ../profiles/authelia.nix ../profiles/core-metrics.nix ../profiles/defaults.nix @@ -48,12 +50,14 @@ ../profiles/postgresql.nix ../profiles/remote-unlock.nix ../profiles/restic-backup.nix + ../profiles/secureboot.nix ../profiles/server.nix ../profiles/state.nix ../profiles/users/admin-user.nix ../profiles/users/builder.nix ../profiles/users/home-manager.nix ../profiles/wireguard.nix + # keep-sorted end ]; boot.kernelModules = [ "sg" ]; diff --git a/modules/host-config.nix b/modules/host-config.nix index ff1eaa5..348c7b0 100644 --- a/modules/host-config.nix +++ b/modules/host-config.nix @@ -17,5 +17,9 @@ type = lib.types.bool; default = false; }; + secureBoot = lib.mkOption { + type = lib.types.bool; + default = false; + }; }; } diff --git a/profiles/secureboot.nix b/profiles/secureboot.nix new file mode 100644 index 0000000..53df8e3 --- /dev/null +++ b/profiles/secureboot.nix @@ -0,0 +1,17 @@ +{ pkgs, lib, ... }: +{ + environment.persistence."/persist/save".directories = [ + "/var/lib/sbctl" + ]; + + environment.systemPackages = [ + pkgs.sbctl + ]; + + boot.loader.systemd-boot.enable = lib.mkForce false; + + boot.lanzaboote = { + enable = true; + pkiBundle = "/var/lib/sbctl"; + }; +} |
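Review bot: The new `secureBoot` option in the host-config.nix hunk is declared but nothing in this commit reads it — `profiles/secureboot.nix` enables lanzaboote unconditionally and `framebox.nix` both sets `secureBoot = true` and imports that profile, so there are two switches and only the import has an effect. Either have the profile gate on the option, e.g. `boot.lanzaboote.enable = config.<optionPath>.secureBoot;` (the option's parent attribute path is declared above this hunk and is not visible here), or drop the option until a module consumes it. The option also lacks a `description`; suggest `description = "Sign the boot chain with lanzaboote; requires sbctl keys under /var/lib/sbctl and enrollment in firmware.";`. The enclosing `options` set starts outside the hunk.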
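Review bot: In `profiles/secureboot.nix`, `boot.lanzaboote.enable = true` with `pkiBundle = "/var/lib/sbctl"` makes every rebuild depend on signing keys that nothing in the profile creates, and there is no comment stating the out-of-band steps; on a host with `ephemeralRoot = true` a rebuild on a machine whose `/persist/save/var/lib/sbctl` has not been populated will presumably fail at bootloader install, since lzbt has no key to sign with (verify against the v1.0.0 behaviour). Add a header comment that lists the prerequisites — `sbctl create-keys` before the first switch, `sbctl verify` to confirm every generation is signed, then `sbctl enroll-keys --microsoft` from firmware setup mode, keeping the Microsoft certificates unless you have checked that no option ROM on the host depends on them — and that states that until keys are enrolled the firmware enforces nothing, so `enable = true` alone is not a security boundary. The persisted directory holds the private PK/KEK/db keys, so make ownership and mode explicit instead of relying on the persistence default, e.g. `{ directory = "/var/lib/sbctl"; user = "root"; group = "root"; mode = "0700"; }`, if this impermanence revision accepts the attribute-set form. framebox also imports `../profiles/remote-unlock.nix` (not visible here); confirm that whatever it places in the initrd, such as `boot.initrd.secrets`, is supported by lanzaboote's UKI build before relying on Secure Boot plus remote unlock together.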
