feat: deploy secure boot on bootstrap

Swarsel 2024-12-28 03:06:45 +01:00
parent 9271805c26
commit 06b5b95a8a
Signed by: swarsel
GPG key ID: 26A54C31F2A4FD84
8 changed files with 87 additions and 26 deletions


@ -1249,7 +1249,8 @@ My work machine. Built for more security, this is the gold standard of my config
loader.efi.canTouchEfiVariables = true; loader.efi.canTouchEfiVariables = true;
lanzaboote = { lanzaboote = {
enable = true; enable = true;
pkiBundle = "/etc/secureboot"; # pkiBundle = "/etc/secureboot";
pkiBundle = "/var/lib/sbctl";
}; };
supportedFilesystems = [ "btrfs" ]; supportedFilesystems = [ "btrfs" ];
kernelPackages = lib.mkDefault pkgs.linuxPackages_latest; kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
@ -1752,6 +1753,7 @@ This is a slim setup for developing base configuration.
inputs.sops-nix.nixosModules.sops inputs.sops-nix.nixosModules.sops
inputs.impermanence.nixosModules.impermanence inputs.impermanence.nixosModules.impermanence
inputs.lanzaboote.nixosModules.lanzaboote
"${profilesPath}/optional/nixos/autologin.nix" "${profilesPath}/optional/nixos/autologin.nix"
"${profilesPath}/common/nixos/settings.nix" "${profilesPath}/common/nixos/settings.nix"
@ -1791,15 +1793,21 @@ This is a slim setup for developing base configuration.
sops sops
vim vim
just just
sbctl
]; ];
system.stateVersion = lib.mkForce "23.05"; system.stateVersion = lib.mkForce "23.05";
boot = { boot = {
loader.systemd-boot.enable = lib.mkForce true;
loader.efi.canTouchEfiVariables = true; loader.efi.canTouchEfiVariables = true;
supportedFilesystems = [ "btrfs" ]; supportedFilesystems = [ "btrfs" ];
kernelPackages = lib.mkDefault pkgs.linuxPackages_latest; kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
loader.systemd-boot.enable = lib.swarselsystems.mkIfElse (config.swarselsystems.initialSetup || !config.swarselsystems.isSecureBoot) (lib.mkForce true) (lib.mkForce false);
lanzaboote = lib.mkIf (!config.swarselsystems.initialSetup && config.swarselsystems.isSecureBoot) {
enable = true;
pkiBundle = "/var/lib/sbctl";
# enrollKeys = true;
};
}; };
@ -1812,10 +1820,10 @@ This is a slim setup for developing base configuration.
wallpaper = self + /wallpaper/lenovowp.png; wallpaper = self + /wallpaper/lenovowp.png;
isImpermanence = true; isImpermanence = true;
isCrypted = true; isCrypted = true;
initialSetup = true; isSecureBoot = true;
isSwap = true; isSwap = true;
swapSize = "8G"; swapSize = "8G";
rootDisk = "/dev/vda"; rootDisk = "/dev/nvme0n1";
} sharedOptions; } sharedOptions;
home-manager.users.swarsel.swarselsystems = lib.recursiveUpdate { home-manager.users.swarsel.swarselsystems = lib.recursiveUpdate {
@ -2975,9 +2983,14 @@ This program sets up a new NixOS host remotely. It also takes care of secret man
# ------------------------ # ------------------------
green "Generating hardware-config.nix for $target_hostname and adding it to the nix-config." green "Generating hardware-config.nix for $target_hostname and adding it to the nix-config."
$ssh_root_cmd "nixos-generate-config --force --no-filesystems --root /mnt" $ssh_root_cmd "nixos-generate-config --force --no-filesystems --root /mnt"
green "Injecting initialSetup"
$ssh_root_cmd "sed -i '/ boot.extraModulePackages /a \ swarselsystems.initialSetup = true;' /mnt/etc/nixos/hardware-configuration.nix"
mkdir -p "$FLAKE"/hosts/nixos/"$target_hostname" mkdir -p "$FLAKE"/hosts/nixos/"$target_hostname"
$scp_cmd root@"$target_destination":/mnt/etc/nixos/hardware-configuration.nix "${git_root}"/hosts/nixos/"$target_hostname"/hardware-configuration.nix $scp_cmd root@"$target_destination":/mnt/etc/nixos/hardware-configuration.nix "${git_root}"/hosts/nixos/"$target_hostname"/hardware-configuration.nix
# ------------------------ # ------------------------
green "Deploying minimal NixOS installation on $target_destination" green "Deploying minimal NixOS installation on $target_destination"
SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- --ssh-port "$ssh_port" --extra-files "$temp" --flake .#"$target_hostname" root@"$target_destination" SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- --ssh-port "$ssh_port" --extra-files "$temp" --flake .#"$target_hostname" root@"$target_destination"
@ -2994,7 +3007,17 @@ This program sets up a new NixOS host remotely. It also takes care of secret man
yellow "$target_destination is not yet ready." yellow "$target_destination is not yet ready."
fi fi
done done
# ------------------------ # ------------------------
green "Setting up secure boot keys"
$ssh_root_cmd "mkdir -p /var/lib/sbctl"
read -ra scp_call <<< "${scp_cmd}"
sudo "${scp_call[@]}" -r /var/lib/sbctl root@"$target_destination":/var/lib/
$ssh_root_cmd "sbctl enroll-keys --ignore-immutable --microsoft || true"
# ------------------------
green "restoring hardware-configuration"
sed -i '/swarselsystems\.initialSetup = true;/d' "$git_root"/hosts/nixos/"$target_hostname"/hardware-configuration.nix
if [ -n "$persist_dir" ]; then if [ -n "$persist_dir" ]; then
$ssh_root_cmd "cp /etc/machine-id $persist_dir/etc/machine-id || true" $ssh_root_cmd "cp /etc/machine-id $persist_dir/etc/machine-id || true"
$ssh_root_cmd "cp -R /etc/ssh/ $persist_dir/etc/ssh/ || true" $ssh_root_cmd "cp -R /etc/ssh/ $persist_dir/etc/ssh/ || true"
@ -3073,6 +3096,11 @@ This program sets up a new NixOS host remotely. It also takes care of secret man
echo echo
fi fi
# # ------------------------
# green "Enrolling secure boot keys"
# $ssh_root_cmd "sbctl enroll-keys --microsoft"
# ------------------------
if yes_or_no "You can now commit and push the nix-config, which includes the hardware-configuration.nix for $target_hostname?"; then if yes_or_no "You can now commit and push the nix-config, which includes the hardware-configuration.nix for $target_hostname?"; then
cd "${git_root}" cd "${git_root}"
deadnix hosts/nixos/"$target_hostname"/hardware-configuration.nix -qe deadnix hosts/nixos/"$target_hostname"/hardware-configuration.nix -qe
@ -3651,6 +3679,7 @@ I usually use =mutableUsers = false= in my NixOS configuration. However, on a ne
options.swarselsystems.isBtrfs = lib.mkEnableOption "use btrfs filesystem"; options.swarselsystems.isBtrfs = lib.mkEnableOption "use btrfs filesystem";
options.swarselsystems.isImpermanence = lib.mkEnableOption "use impermanence on this system"; options.swarselsystems.isImpermanence = lib.mkEnableOption "use impermanence on this system";
options.swarselsystems.isSecureBoot = lib.mkEnableOption "use secure boot on this system";
} }
#+end_src #+end_src
@ -5624,7 +5653,7 @@ Normally, doing that also resets the lecture that happens on the first use of =s
"/etc/nixos" "/etc/nixos"
"/etc/nix" "/etc/nix"
"/etc/NetworkManager/system-connections" "/etc/NetworkManager/system-connections"
"/etc/secureboot" # "/etc/secureboot"
"/var/db/sudo" "/var/db/sudo"
"/var/cache" "/var/cache"
"/var/lib" "/var/lib"
@ -7977,6 +8006,7 @@ Options that I need specifically at work. There are more options at [[#h:f0b2ea9
sops sops
vim vim
just just
sbctl
]; ];
programs = { programs = {
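Review bot: `$ssh_root_cmd "sbctl enroll-keys --ignore-immutable --microsoft || true"` hides an enrollment failure, yet the following `sed -i '/swarselsystems\.initialSetup = true;/d'` line means the very next rebuild from the repo enables lanzaboote, so a host whose firmware db was never updated would boot with a bootloader signed by keys it does not trust (and `--ignore-immutable` already relaxes sbctl's own safeguard). Make the failure visible instead of swallowing it, e.g. `$ssh_root_cmd "sbctl enroll-keys --ignore-immutable --microsoft" || yellow "secure boot key enrollment failed on $target_destination; check 'sbctl status' before the next rebuild"`. The earlier `sed -i '/ boot.extraModulePackages /a ...'` injection has the same silent failure mode: if the generated hardware-configuration.nix has no `boot.extraModulePackages` line nothing is appended, and with `isSecureBoot = true` in the host definition nixos-anywhere would then install with lanzaboote active and no pkiBundle yet on the target; follow it with `$ssh_root_cmd "grep -q 'swarselsystems.initialSetup = true;' /mnt/etc/nixos/hardware-configuration.nix" || { yellow "initialSetup injection failed"; exit 1; }`. The same lines are tangled into the standalone bootstrap script section at the end of this commit, and the enclosing script continues outside these hunks.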


@ -45,7 +45,8 @@ in
loader.efi.canTouchEfiVariables = true; loader.efi.canTouchEfiVariables = true;
lanzaboote = { lanzaboote = {
enable = true; enable = true;
pkiBundle = "/etc/secureboot"; # pkiBundle = "/etc/secureboot";
pkiBundle = "/var/lib/sbctl";
}; };
supportedFilesystems = [ "btrfs" ]; supportedFilesystems = [ "btrfs" ];
kernelPackages = lib.mkDefault pkgs.linuxPackages_latest; kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;


@ -14,6 +14,7 @@ in
inputs.sops-nix.nixosModules.sops inputs.sops-nix.nixosModules.sops
inputs.impermanence.nixosModules.impermanence inputs.impermanence.nixosModules.impermanence
inputs.lanzaboote.nixosModules.lanzaboote
"${profilesPath}/optional/nixos/autologin.nix" "${profilesPath}/optional/nixos/autologin.nix"
"${profilesPath}/common/nixos/settings.nix" "${profilesPath}/common/nixos/settings.nix"
@ -53,15 +54,21 @@ in
sops sops
vim vim
just just
sbctl
]; ];
system.stateVersion = lib.mkForce "23.05"; system.stateVersion = lib.mkForce "23.05";
boot = { boot = {
loader.systemd-boot.enable = lib.mkForce true;
loader.efi.canTouchEfiVariables = true; loader.efi.canTouchEfiVariables = true;
supportedFilesystems = [ "btrfs" ]; supportedFilesystems = [ "btrfs" ];
kernelPackages = lib.mkDefault pkgs.linuxPackages_latest; kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
loader.systemd-boot.enable = lib.swarselsystems.mkIfElse (config.swarselsystems.initialSetup || !config.swarselsystems.isSecureBoot) (lib.mkForce true) (lib.mkForce false);
lanzaboote = lib.mkIf (!config.swarselsystems.initialSetup && config.swarselsystems.isSecureBoot) {
enable = true;
pkiBundle = "/var/lib/sbctl";
# enrollKeys = true;
};
}; };
@ -75,10 +82,10 @@ in
wallpaper = self + /wallpaper/lenovowp.png; wallpaper = self + /wallpaper/lenovowp.png;
isImpermanence = true; isImpermanence = true;
isCrypted = true; isCrypted = true;
initialSetup = true; isSecureBoot = true;
isSwap = true; isSwap = true;
swapSize = "8G"; swapSize = "8G";
rootDisk = "/dev/vda"; rootDisk = "/dev/nvme0n1";
} }
sharedOptions; sharedOptions;
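Review bot: The three-way switch between `loader.systemd-boot.enable` and `lanzaboote` encodes the bootstrap sequence, but nothing in the file says so, and a later reader will not know why `initialSetup` suppresses lanzaboote. Add above the `loader.systemd-boot.enable` line: `# initialSetup is injected into hardware-configuration.nix by the bootstrap script for the first install only; lanzaboote takes over on the next rebuild, once /var/lib/sbctl holds the copied sbctl keys and they are enrolled.` The commented-out `# enrollKeys = true;` should either go or state why it is off, given that the bootstrap script enrolls the keys itself. `initialSetup` is read here but not declared anywhere in this commit; presumably it already exists in the options module next to the new `isSecureBoot`. The same block appears in the literate config section at the top of this commit.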


@ -4,4 +4,5 @@
(lib.mkIf p yes) (lib.mkIf p yes)
(lib.mkIf (!p) no) (lib.mkIf (!p) no)
]; ];
mkIfElse = p: yes: no: if p then yes else no;
} }
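Review bot: `mkIfElse` is a plain conditional, while the helper directly above wraps both branches in `lib.mkIf` and returns a list, and the near-identical names make it easy to pick the wrong one at a call site. Add `# Plain if/then/else: yields exactly one branch with no mkIf wrapping, unlike the list-returning helper above.` above the new line. The helper above starts outside the hunk.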


@ -30,4 +30,5 @@
options.swarselsystems.isBtrfs = lib.mkEnableOption "use btrfs filesystem"; options.swarselsystems.isBtrfs = lib.mkEnableOption "use btrfs filesystem";
options.swarselsystems.isImpermanence = lib.mkEnableOption "use impermanence on this system"; options.swarselsystems.isImpermanence = lib.mkEnableOption "use impermanence on this system";
options.swarselsystems.isSecureBoot = lib.mkEnableOption "use secure boot on this system";
} }


@ -74,7 +74,7 @@ in
"/etc/nixos" "/etc/nixos"
"/etc/nix" "/etc/nix"
"/etc/NetworkManager/system-connections" "/etc/NetworkManager/system-connections"
"/etc/secureboot" # "/etc/secureboot"
"/var/db/sudo" "/var/db/sudo"
"/var/cache" "/var/cache"
"/var/lib" "/var/lib"


@ -53,6 +53,7 @@
sops sops
vim vim
just just
sbctl
]; ];
programs = { programs = {


@ -200,9 +200,14 @@ fi
# ------------------------ # ------------------------
green "Generating hardware-config.nix for $target_hostname and adding it to the nix-config." green "Generating hardware-config.nix for $target_hostname and adding it to the nix-config."
$ssh_root_cmd "nixos-generate-config --force --no-filesystems --root /mnt" $ssh_root_cmd "nixos-generate-config --force --no-filesystems --root /mnt"
green "Injecting initialSetup"
$ssh_root_cmd "sed -i '/ boot.extraModulePackages /a \ swarselsystems.initialSetup = true;' /mnt/etc/nixos/hardware-configuration.nix"
mkdir -p "$FLAKE"/hosts/nixos/"$target_hostname" mkdir -p "$FLAKE"/hosts/nixos/"$target_hostname"
$scp_cmd root@"$target_destination":/mnt/etc/nixos/hardware-configuration.nix "${git_root}"/hosts/nixos/"$target_hostname"/hardware-configuration.nix $scp_cmd root@"$target_destination":/mnt/etc/nixos/hardware-configuration.nix "${git_root}"/hosts/nixos/"$target_hostname"/hardware-configuration.nix
# ------------------------ # ------------------------
green "Deploying minimal NixOS installation on $target_destination" green "Deploying minimal NixOS installation on $target_destination"
SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- --ssh-port "$ssh_port" --extra-files "$temp" --flake .#"$target_hostname" root@"$target_destination" SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- --ssh-port "$ssh_port" --extra-files "$temp" --flake .#"$target_hostname" root@"$target_destination"
@ -219,7 +224,17 @@ while true; do
yellow "$target_destination is not yet ready." yellow "$target_destination is not yet ready."
fi fi
done done
# ------------------------ # ------------------------
green "Setting up secure boot keys"
$ssh_root_cmd "mkdir -p /var/lib/sbctl"
read -ra scp_call <<< "${scp_cmd}"
sudo "${scp_call[@]}" -r /var/lib/sbctl root@"$target_destination":/var/lib/
$ssh_root_cmd "sbctl enroll-keys --ignore-immutable --microsoft || true"
# ------------------------
green "restoring hardware-configuration"
sed -i '/swarselsystems\.initialSetup = true;/d' "$git_root"/hosts/nixos/"$target_hostname"/hardware-configuration.nix
if [ -n "$persist_dir" ]; then if [ -n "$persist_dir" ]; then
$ssh_root_cmd "cp /etc/machine-id $persist_dir/etc/machine-id || true" $ssh_root_cmd "cp /etc/machine-id $persist_dir/etc/machine-id || true"
$ssh_root_cmd "cp -R /etc/ssh/ $persist_dir/etc/ssh/ || true" $ssh_root_cmd "cp -R /etc/ssh/ $persist_dir/etc/ssh/ || true"
@ -298,6 +313,11 @@ else
echo echo
fi fi
# # ------------------------
# green "Enrolling secure boot keys"
# $ssh_root_cmd "sbctl enroll-keys --microsoft"
# ------------------------
if yes_or_no "You can now commit and push the nix-config, which includes the hardware-configuration.nix for $target_hostname?"; then if yes_or_no "You can now commit and push the nix-config, which includes the hardware-configuration.nix for $target_hostname?"; then
cd "${git_root}" cd "${git_root}"
deadnix hosts/nixos/"$target_hostname"/hardware-configuration.nix -qe deadnix hosts/nixos/"$target_hostname"/hardware-configuration.nix -qe
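Review bot: `sudo "${scp_call[@]}" -r /var/lib/sbctl root@"$target_destination":/var/lib/` copies the local machine's sbctl key directory, i.e. its private secure boot signing keys, onto the new host, so every bootstrapped host can sign bootloaders for all the others; that looks like a deliberate single-bundle design, but it deserves a comment on that line such as `# Shares this machine's sbctl signing keys with the new host; compromising any one host compromises secure boot on all of them.` A per-host alternative would be `$ssh_root_cmd "sbctl create-keys"` in place of the copy, since enrollment already runs on the target in the next line. Running scp under `sudo` also switches to root's ssh configuration and known_hosts, which presumably differ from the user's that `$scp_cmd` was assembled for, and `read -ra scp_call <<< "${scp_cmd}"` word-splits that string, so any quoted argument containing spaces would break. The commented-out `# green "Enrolling secure boot keys"` block near `yes_or_no` is now dead and can be dropped.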