From 2777680940425a9a741a8ba1befef2fcf1cc139b Mon Sep 17 00:00:00 2001 From: Franck Cuny Date: Sun, 25 Jan 2026 08:20:25 -0800 Subject: enable lanzaboote --- flake.lock | 138 +++++++++++++++++++++++++++++++++++++++++++++--- flake.nix | 8 +++ machines/framebox.nix | 4 ++ modules/host-config.nix | 4 ++ profiles/secureboot.nix | 17 ++++++ 5 files changed, 163 insertions(+), 8 deletions(-) create mode 100644 profiles/secureboot.nix diff --git a/flake.lock b/flake.lock index 1935384..cb62110 100644 --- a/flake.lock +++ b/flake.lock @@ -44,6 +44,21 @@ "type": "github" } }, + "crane": { + "locked": { + "lastModified": 1765145449, + "narHash": "sha256-aBVHGWWRzSpfL++LubA0CwOOQ64WNLegrYHwsVuVN7A=", + "owner": "ipetkov", + "repo": "crane", + "rev": "69f538cdce5955fcd47abfed4395dc6d5194c1c5", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, "darwin": { "inputs": { "nixpkgs": [ @@ -129,6 +144,22 @@ } }, "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1761588595, + "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { "flake": false, "locked": { "lastModified": 1730663653, @@ -145,7 +176,7 @@ "type": "github" } }, - "flake-compat_2": { + "flake-compat_3": { "flake": false, "locked": { "lastModified": 1747046372, @@ -161,7 +192,7 @@ "type": "github" } }, - "flake-compat_3": { + "flake-compat_4": { "flake": false, "locked": { "lastModified": 1767039857, 
@@ -255,6 +286,28 @@ } }, "gitignore": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "pre-commit", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "gitignore_2": { "inputs": { "nixpkgs": [ "my-go-tools", @@ -276,7 +329,7 @@ "type": "github" } }, - "gitignore_2": { + "gitignore_3": { "inputs": { "nixpkgs": [ "pre-commit-hooks", @@ -379,10 +432,34 @@ "type": "github" } }, + "lanzaboote": { + "inputs": { + "crane": "crane", + "nixpkgs": [ + "nixpkgs" + ], + "pre-commit": "pre-commit", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1765382359, + "narHash": "sha256-RJmgVDzjRI18BWVogG6wpsl1UCuV6ui8qr4DJ1LfWZ8=", + "owner": "nix-community", + "repo": "lanzaboote", + "rev": "e8c096ade12ec9130ff931b0f0e25d2f1bc63607", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "v1.0.0", + "repo": "lanzaboote", + "type": "github" + } + }, "mac-app-util": { "inputs": { "cl-nix-lite": "cl-nix-lite", - "flake-compat": "flake-compat", + "flake-compat": "flake-compat_2", "flake-utils": "flake-utils", "nixpkgs": "nixpkgs_4", "systems": "systems_3", 
@@ -597,10 +674,33 @@ "type": "github" } }, - "pre-commit-hooks": { + "pre-commit": { "inputs": { - "flake-compat": "flake-compat_2", + "flake-compat": "flake-compat", "gitignore": "gitignore", + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1765016596, + "narHash": "sha256-rhSqPNxDVow7OQKi4qS5H8Au0P4S3AYbawBSmJNUtBQ=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "548fc44fca28a5e81c5d6b846e555e6b9c2a5a3c", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, + "pre-commit-hooks": { + "inputs": { + "flake-compat": "flake-compat_3", + "gitignore": "gitignore_2", "nixpkgs": [ "my-go-tools", "nixpkgs" @@ -622,8 +722,8 @@ }, "pre-commit-hooks_2": { "inputs": { - "flake-compat": "flake-compat_3", - "gitignore": "gitignore_2", + "flake-compat": "flake-compat_4", + "gitignore": "gitignore_3", "nixpkgs": [ "nixpkgs" ] @@ -650,6 +750,7 @@ "emacs-overlay": "emacs-overlay", "home-manager": "home-manager_2", "impermanence": "impermanence", + "lanzaboote": "lanzaboote", "mac-app-util": "mac-app-util", "my-go-tools": "my-go-tools", "nixos-hardware": "nixos-hardware", @@ -659,6 +760,27 @@ "treefmt-nix": "treefmt-nix_4" } }, + "rust-overlay": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1765075567, + "narHash": "sha256-KFDCdQcHJ0hE3Nt5Gm5enRIhmtEifAjpxgUQ3mzSJpA=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "769156779b41e8787a46ca3d7d76443aaf68be6f", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "systems": { "locked": { "lastModified": 1681028828, diff --git a/flake.nix b/flake.nix index 418cab3..e986e79 100644 --- a/flake.nix +++ b/flake.nix 
@@ -13,6 +13,8 @@ home-manager.inputs.nixpkgs.follows = "nixpkgs"; home-manager.url = "github:nix-community/home-manager/release-25.11"; impermanence.url = "github:nix-community/impermanence"; + lanzaboote.inputs.nixpkgs.follows = "nixpkgs"; + lanzaboote.url = "github:nix-community/lanzaboote/v1.0.0"; mac-app-util.url = "github:hraban/mac-app-util"; my-go-tools.url = "git+https://code.fcuny.net/x"; nixos-hardware.url = "github:NixOS/nixos-hardware/master"; @@ -39,6 +41,7 @@ nur, my-go-tools, impermanence, + lanzaboote, ... }: let @@ -96,19 +99,24 @@ defaultModules = [ nixSettings + #keep-sorted start agenix.nixosModules.age disko.nixosModules.disko home-manager.nixosModules.home-manager impermanence.nixosModules.impermanence + lanzaboote.nixosModules.lanzaboote + #keep-sorted end ./modules/default.nix ]; # Default modules for Darwin hosts darwinDefaultModules = [ nixSettings + #keep-sorted start agenix.darwinModules.age home-manager.darwinModules.home-manager inputs.mac-app-util.darwinModules.default + #keep-sorted end ./modules/default-darwin.nix ]; diff --git a/machines/framebox.nix b/machines/framebox.nix index 15a82bd..34ef32b 100644 --- a/machines/framebox.nix +++ b/machines/framebox.nix @@ -9,6 +9,7 @@ wgPublicKey = "jf7T7TMKQWSgSXhUplldZDV9G2y2BjMmHIAhg5d26ng="; publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID76U5kt8DfBbuP16rMzfBTVTpjjPFKWnnheMALaCQEd"; ephemeralRoot = true; + secureBoot = true; age.secrets = { wireguard.file = ../secrets/framebox/wireguard.age; @@ -36,6 +37,7 @@ }; imports = [ + # keep-sorted start ../profiles/authelia.nix ../profiles/core-metrics.nix ../profiles/defaults.nix @@ -48,12 +50,14 @@ ../profiles/postgresql.nix ../profiles/remote-unlock.nix ../profiles/restic-backup.nix + ../profiles/secureboot.nix ../profiles/server.nix ../profiles/state.nix ../profiles/users/admin-user.nix ../profiles/users/builder.nix ../profiles/users/home-manager.nix ../profiles/wireguard.nix + # keep-sorted end ]; boot.kernelModules = [ "sg" ]; 
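Review bot: The keep-sorted markers added to flake.nix are written `#keep-sorted start` / `#keep-sorted end` without a space after `#`, while the same commit writes `# keep-sorted start` / `# keep-sorted end` in machines/framebox.nix, and flake.nix's existing comment on the next line (`# Default modules for Darwin hosts`) also uses the spaced form. I would expect keep-sorted to accept both spellings, but the inconsistency within one commit is a style nit; `#keep-sorted start` → `# keep-sorted start` (and the matching `end`) in both lists keeps the two files uniform. The `let` binding these lists live in starts outside the hunk.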
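Review bot: The new `secureBoot = true;` in framebox.nix is declared as an option in modules/host-config.nix, but as far as this commit shows nothing reads it — profiles/secureboot.nix enables lanzaboote unconditionally, and framebox.nix also imports that profile directly, so the host now has two switches for one feature. Either gate the profile's body on the option (e.g. `config = lib.mkIf config.<OPTION_PREFIX>.secureBoot { ... };`, where the prefix is the `options` path declared above the host-config.nix hunk, outside view) and drop the explicit import, or drop the option; keeping both lets a host set `secureBoot = false;` and still boot through lanzaboote. The same applies to the host-config.nix and secureboot.nix hunks further down, where the new `secureBoot = lib.mkOption { ... };` also lacks a `description = "...";` — its enclosing attribute set starts outside the hunk.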
diff --git a/modules/host-config.nix b/modules/host-config.nix
index ff1eaa5..348c7b0 100644
--- a/modules/host-config.nix
+++ b/modules/host-config.nix
@@ -17,5 +17,9 @@
 type = lib.types.bool;
 default = false;
 };
+ secureBoot = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ };
 };
 }
diff --git a/profiles/secureboot.nix b/profiles/secureboot.nix
new file mode 100644
index 0000000..53df8e3
--- /dev/null
+++ b/profiles/secureboot.nix
@@ -0,0 +1,17 @@
+{ pkgs, lib, ... }:
+{
+ environment.persistence."/persist/save".directories = [
+ "/var/lib/sbctl"
+ ];
+
+ environment.systemPackages = [
+ pkgs.sbctl
+ ];
+
+ boot.loader.systemd-boot.enable = lib.mkForce false;
+
+ boot.lanzaboote = {
+ enable = true;
+ pkiBundle = "/var/lib/sbctl";
+ };
+}
--
cgit v1.2.3
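Review bot: `pkiBundle = "/var/lib/sbctl";` makes the persisted `/var/lib/sbctl` the Secure Boot signing key store, yet the persistence entry is a bare path and so takes impermanence's default directory mode instead of an explicit one; whoever can read the private key in that bundle can sign a bootloader the firmware will accept, so declare it as `{ directory = "/var/lib/sbctl"; mode = "0700"; }` so the bind-mounted directory is root-only independent of what sbctl does to the files inside. framebox.nix also imports `restic-backup.nix`; if that profile backs up `/persist/save`, the private key material now lands in the backup set — confirm it is excluded or that the repository is meant to hold it. The profile also says nothing about its prerequisites: lanzaboote signs the boot entries with this bundle when the bootloader is installed, so the keys must exist before the first switch and must be enrolled in the firmware separately, which `enable = true;` does not do; a header like `# Requires keys created with sbctl in /var/lib/sbctl and enrolled in firmware beforehand; lanzaboote signs boot entries with this bundle at install time.` would save the next reader a failed switch.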