From c011c9bfddedb3555d52390a898a472dfb01728d Mon Sep 17 00:00:00 2001
From: Swarsel
Date: Sat, 28 Dec 2024 13:13:53 +0100
Subject: [PATCH] feat: introduce lanzaboote profile
---
 SwarselSystems.org | 65 +++++++++++++++-------------
 hosts/nixos/nbl-imba-2/default.nix | 8 +---
 hosts/nixos/toto/default.nix | 8 +---
 profiles/common/nixos/default.nix | 1 +
 profiles/common/nixos/lanzaboote.nix | 13 ++++++
 scripts/bootstrap.sh | 28 ++++++------
 6 files changed, 65 insertions(+), 58 deletions(-)
 create mode 100644 profiles/common/nixos/lanzaboote.nix
diff --git a/SwarselSystems.org b/SwarselSystems.org
index feed39a..0c3c277 100644
--- a/SwarselSystems.org
+++ b/SwarselSystems.org
@@ -1269,13 +1269,6 @@ My work machine. Built for more security, this is the gold standard of my config
 networking.networkmanager.wifi.scanRandMacAddress = false;
 boot = {
- loader.systemd-boot.enable = lib.mkForce false;
- loader.efi.canTouchEfiVariables = true;
- lanzaboote = {
- enable = true;
- # pkiBundle = "/etc/secureboot";
- pkiBundle = "/var/lib/sbctl";
- };
 supportedFilesystems = [ "btrfs" ];
 kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
 kernelParams = [
@@ -1315,6 +1308,7 @@ My work machine. Built for more security, this is the gold standard of my config
 hasBluetooth = true;
 hasFingerprint = true;
 isImpermanence = false;
+ isSecureBoot = true;
 isCrypted = true;
 } sharedOptions;
@@ -1785,6 +1779,7 @@ This is a slim setup for developing base configuration.
 "${profilesPath}/common/nixos/xserver.nix"
 "${profilesPath}/common/nixos/users.nix"
 "${profilesPath}/common/nixos/impermanence.nix"
+ "${profilesPath}/common/nixos/lanzaboote.nix"
 "${profilesPath}/common/nixos/sops.nix"
 "${profilesPath}/server/nixos/ssh.nix"
@@ -1823,15 +1818,8 @@ This is a slim setup for developing base configuration.
 system.stateVersion = lib.mkForce "23.05";
 boot = {
- loader.efi.canTouchEfiVariables = true;
 supportedFilesystems = [ "btrfs" ];
 kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
- loader.systemd-boot.enable = lib.swarselsystems.mkIfElse (config.swarselsystems.initialSetup || !config.swarselsystems.isSecureBoot) (lib.mkForce true) (lib.mkForce false);
- lanzaboote = lib.mkIf (!config.swarselsystems.initialSetup && config.swarselsystems.isSecureBoot) {
- enable = true;
- pkiBundle = "/var/lib/sbctl";
- # enrollKeys = true;
- };
 };
@@ -2886,14 +2874,14 @@ This program sets up a new NixOS host remotely. It also takes care of secret man
 SOPS_FILE=".sops.yaml"
 sed -i "{
- # Remove any * and & entries for this host
- /[*&]$key_name/ d;
- # Inject a new age: entry
- # n matches the first line following age: and p prints it, then we transform it while reusing the spacing
- /age:/{n; p; s/\(.*- \*\).*/\1$key_name/};
- # Inject a new hosts or user: entry
- /&$key_type/{n; p; s/\(.*- &\).*/\1$key_name $key/}
- }" $SOPS_FILE
+ # Remove any * and & entries for this host
+ /[*&]$key_name/ d;
+ # Inject a new age: entry
+ # n matches the first line following age: and p prints it, then we transform it while reusing the spacing
+ /age:/{n; p; s/\(.*- \*\).*/\1$key_name/};
+ # Inject a new hosts or user: entry
+ /&$key_type/{n; p; s/\(.*- &\).*/\1$key_name $key/}
+ }" $SOPS_FILE
 green "Updating .sops.yaml"
 cd -
 }
@@ -3018,10 +3006,8 @@ This program sets up a new NixOS host remotely. It also takes care of secret man
 green "Generating hardware-config.nix for $target_hostname and adding it to the nix-config."
 $ssh_root_cmd "nixos-generate-config --force --no-filesystems --root /mnt"
- if [[ $SECUREBOOT == "true" ]]; then
- green "Injecting initialSetup"
- $ssh_root_cmd "sed -i '/ boot.extraModulePackages /a \ swarselsystems.initialSetup = true;' /mnt/etc/nixos/hardware-configuration.nix"
- fi
+ green "Injecting initialSetup"
+ $ssh_root_cmd "sed -i '/ boot.extraModulePackages /a \ swarselsystems.initialSetup = true;' /mnt/etc/nixos/hardware-configuration.nix"
 mkdir -p "$FLAKE"/hosts/nixos/"$target_hostname"
 $scp_cmd root@"$target_destination":/mnt/etc/nixos/hardware-configuration.nix "${git_root}"/hosts/nixos/"$target_hostname"/hardware-configuration.nix
@@ -3052,10 +3038,10 @@ This program sets up a new NixOS host remotely. It also takes care of secret man
 read -ra scp_call <<< "${scp_cmd}"
 sudo "${scp_call[@]}" -r /var/lib/sbctl root@"$target_destination":/var/lib/
 $ssh_root_cmd "sbctl enroll-keys --ignore-immutable --microsoft || true"
- # ------------------------
- green "restoring hardware-configuration"
- sed -i '/swarselsystems\.initialSetup = true;/d' "$git_root"/hosts/nixos/"$target_hostname"/hardware-configuration.nix
 fi
+ # ------------------------
+ green "Disabling initialSetup"
+ sed -i '/swarselsystems\.initialSetup = true;/d' "$git_root"/hosts/nixos/"$target_hostname"/hardware-configuration.nix
 if [ -n "$persist_dir" ]; then
 $ssh_root_cmd "cp /etc/machine-id $persist_dir/etc/machine-id || true"
@@ -4348,6 +4334,7 @@ This section is for setting things that should be used on hosts that are using t
 ./distrobox.nix
 ./lid.nix
 ./lowbattery.nix
+ ./lanzaboote.nix
 ];
 nixpkgs.config.permittedInsecurePackages = [
@@ -5913,6 +5900,26 @@ Since I hide the waybar completely during normal operation, I run the risk of no
 }
 #+end_src
+**** Lanzaboote
+
+This dynamically uses systemd boot or Lanzaboote depending on `config.swarselsystems.initialSetup` and `config.swarselsystems.isSecureBoot`.
+
+#+begin_src nix :tangle profiles/common/nixos/lanzaboote.nix
+ { lib, config, ... }:
+ {
+ boot = {
+ loader = {
+ efi.canTouchEfiVariables = true;
+ systemd-boot.enable = lib.swarselsystems.mkIfElse (config.swarselsystems.initialSetup || !config.swarselsystems.isSecureBoot) (lib.mkForce true) (lib.mkForce false);
+ };
+ lanzaboote = lib.mkIf (!config.swarselsystems.initialSetup && config.swarselsystems.isSecureBoot) {
+ enable = true;
+ pkiBundle = "/var/lib/sbctl";
+ };
+ };
+ }
+#+end_src
+
 *** Server
 :PROPERTIES:
 :CUSTOM_ID: h:e492c24a-83a0-4bcb-a084-706f49318651
diff --git a/hosts/nixos/nbl-imba-2/default.nix b/hosts/nixos/nbl-imba-2/default.nix
index 695435c..7c8039c 100644
--- a/hosts/nixos/nbl-imba-2/default.nix
+++ b/hosts/nixos/nbl-imba-2/default.nix
@@ -41,13 +41,6 @@ in
 networking.networkmanager.wifi.scanRandMacAddress = false;
 boot = {
- loader.systemd-boot.enable = lib.mkForce false;
- loader.efi.canTouchEfiVariables = true;
- lanzaboote = {
- enable = true;
- # pkiBundle = "/etc/secureboot";
- pkiBundle = "/var/lib/sbctl";
- };
 supportedFilesystems = [ "btrfs" ];
 kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
 kernelParams = [
@@ -88,6 +81,7 @@ in
 hasBluetooth = true;
 hasFingerprint = true;
 isImpermanence = false;
+ isSecureBoot = true;
 isCrypted = true;
 } sharedOptions;
diff --git a/hosts/nixos/toto/default.nix b/hosts/nixos/toto/default.nix
index e32377f..00da785 100644
--- a/hosts/nixos/toto/default.nix
+++ b/hosts/nixos/toto/default.nix
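Review bot: The new section's sentence names the two switches but not their lifecycle, which is what a reader needs before setting `isSecureBoot`: `swarselsystems.initialSetup` is injected into hardware-configuration.nix by bootstrap.sh at first install and stripped again only after the sbctl keys have been copied and enrolled (both elsewhere in this patch), so the first generation always boots via plain systemd-boot and a later rebuild flips to Lanzaboote. I would add that to the section and as a header comment in the tangled profiles/common/nixos/lanzaboote.nix, e.g. `# Two-phase loader: initialSetup (set by bootstrap.sh during install, removed once the sbctl keys are in place) forces systemd-boot; afterwards isSecureBoot selects Lanzaboote, which signs with the keys in /var/lib/sbctl.` It is also worth stating that `/var/lib/sbctl` must already hold the key bundle whenever `isSecureBoot` is true and `initialSetup` is unset, and where the two `swarselsystems.*` options and `lib.swarselsystems.mkIfElse` are declared, since none of them is visible in this patch.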
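Review bot: `isSecureBoot = true` only has an effect if nbl-imba-2 actually evaluates profiles/common/nixos/lanzaboote.nix, and this patch adds no import here while it does add an explicit `"${profilesPath}/common/nixos/lanzaboote.nix"` entry to toto's imports. The host's imports list lies outside the hunk, so I cannot tell whether it pulls in profiles/common/nixos/default.nix; if it does not, the deletion in the preceding hunk leaves the machine described as the hardened work laptop with no loader configuration and no Secure Boot signing at all, and nothing fails at eval time to say so. Before merging, check that `nix eval .#nixosConfigurations.nbl-imba-2.config.boot.lanzaboote.enable` is true, or add the same explicit import that toto receives.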
@@ -22,6 +22,7 @@ in
 "${profilesPath}/common/nixos/xserver.nix"
 "${profilesPath}/common/nixos/users.nix"
 "${profilesPath}/common/nixos/impermanence.nix"
+ "${profilesPath}/common/nixos/lanzaboote.nix"
 "${profilesPath}/common/nixos/sops.nix"
 "${profilesPath}/server/nixos/ssh.nix"
@@ -60,15 +61,8 @@ in
 system.stateVersion = lib.mkForce "23.05";
 boot = {
- loader.efi.canTouchEfiVariables = true;
 supportedFilesystems = [ "btrfs" ];
 kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
- loader.systemd-boot.enable = lib.swarselsystems.mkIfElse (config.swarselsystems.initialSetup || !config.swarselsystems.isSecureBoot) (lib.mkForce true) (lib.mkForce false);
- lanzaboote = lib.mkIf (!config.swarselsystems.initialSetup && config.swarselsystems.isSecureBoot) {
- enable = true;
- pkiBundle = "/var/lib/sbctl";
- # enrollKeys = true;
- };
 };
diff --git a/profiles/common/nixos/default.nix b/profiles/common/nixos/default.nix
index 05e8540..183c6a7 100644
--- a/profiles/common/nixos/default.nix
+++ b/profiles/common/nixos/default.nix
@@ -39,6 +39,7 @@ _:
 ./distrobox.nix
 ./lid.nix
 ./lowbattery.nix
+ ./lanzaboote.nix
 ];
 nixpkgs.config.permittedInsecurePackages = [
diff --git a/profiles/common/nixos/lanzaboote.nix b/profiles/common/nixos/lanzaboote.nix
new file mode 100644
index 0000000..461f059
--- /dev/null
+++ b/profiles/common/nixos/lanzaboote.nix
@@ -0,0 +1,13 @@
+{ lib, config, ... }:
+{
+ boot = {
+ loader = {
+ efi.canTouchEfiVariables = true;
+ systemd-boot.enable = lib.swarselsystems.mkIfElse (config.swarselsystems.initialSetup || !config.swarselsystems.isSecureBoot) (lib.mkForce true) (lib.mkForce false);
+ };
+ lanzaboote = lib.mkIf (!config.swarselsystems.initialSetup && config.swarselsystems.isSecureBoot) {
+ enable = true;
+ pkiBundle = "/var/lib/sbctl";
+ };
+ };
+}
diff --git a/scripts/bootstrap.sh b/scripts/bootstrap.sh
index 1211dac..146bb51 100644
--- a/scripts/bootstrap.sh
+++ b/scripts/bootstrap.sh
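Review bot: Because profiles/common/nixos/default.nix in this same patch imports this module unconditionally, `boot.loader.efi.canTouchEfiVariables = true` and a `lib.mkForce`d `boot.loader.systemd-boot.enable` now reach every host on the common profile, not only the two laptops that carried these lines before; any host outside this diff that boots via GRUB or without UEFI can no longer override them. The `lib.mkForce true` on the non-secure-boot branch only existed to beat the host-level `lib.mkForce false` that this patch deletes, so it can be relaxed to `(lib.mkDefault true) (lib.mkForce false)`, and `canTouchEfiVariables` could likewise become `lib.mkDefault true` so a host can still opt out. This assumes `lib.swarselsystems.mkIfElse` is a plain cond/then/else helper and that `isSecureBoot` defaults to false; both are declared outside this patch, and the module itself would benefit from a header comment stating the two-phase initialSetup/isSecureBoot flow.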
@@ -78,14 +78,14 @@ function update_sops_file() {
 SOPS_FILE=".sops.yaml"
 sed -i "{
- # Remove any * and & entries for this host
- /[*&]$key_name/ d;
- # Inject a new age: entry
- # n matches the first line following age: and p prints it, then we transform it while reusing the spacing
- /age:/{n; p; s/\(.*- \*\).*/\1$key_name/};
- # Inject a new hosts or user: entry
- /&$key_type/{n; p; s/\(.*- &\).*/\1$key_name $key/}
- }" $SOPS_FILE
+ # Remove any * and & entries for this host
+ /[*&]$key_name/ d;
+ # Inject a new age: entry
+ # n matches the first line following age: and p prints it, then we transform it while reusing the spacing
+ /age:/{n; p; s/\(.*- \*\).*/\1$key_name/};
+ # Inject a new hosts or user: entry
+ /&$key_type/{n; p; s/\(.*- &\).*/\1$key_name $key/}
+ }" $SOPS_FILE
 green "Updating .sops.yaml"
 cd -
 }
@@ -210,10 +210,8 @@ fi
 green "Generating hardware-config.nix for $target_hostname and adding it to the nix-config."
 $ssh_root_cmd "nixos-generate-config --force --no-filesystems --root /mnt"
-if [[ $SECUREBOOT == "true" ]]; then
- green "Injecting initialSetup"
- $ssh_root_cmd "sed -i '/ boot.extraModulePackages /a \ swarselsystems.initialSetup = true;' /mnt/etc/nixos/hardware-configuration.nix"
-fi
+green "Injecting initialSetup"
+$ssh_root_cmd "sed -i '/ boot.extraModulePackages /a \ swarselsystems.initialSetup = true;' /mnt/etc/nixos/hardware-configuration.nix"
 mkdir -p "$FLAKE"/hosts/nixos/"$target_hostname"
 $scp_cmd root@"$target_destination":/mnt/etc/nixos/hardware-configuration.nix "${git_root}"/hosts/nixos/"$target_hostname"/hardware-configuration.nix
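Review bot: The injection is now unconditional but still unverified: `sed .../a` appends only when a line matching ` boot.extraModulePackages ` exists in the generated hardware-configuration.nix, and when it does not the command exits 0 and the script carries on. Together with the now-unconditional removal at the end of the script, a silent miss on a SECUREBOOT host would make the first evaluation see `isSecureBoot = true` with `initialSetup` unset, i.e. Lanzaboote before `/var/lib/sbctl` has been copied over (assuming the install step sits between these two points, which is outside the hunk). I would follow the sed with a hard check, e.g. `$ssh_root_cmd "grep -q 'swarselsystems.initialSetup = true;' /mnt/etc/nixos/hardware-configuration.nix" || { echo "initialSetup injection failed" >&2; exit 1; }`.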
@@ -244,10 +242,10 @@ if [[ $SECUREBOOT == "true" ]]; then
 read -ra scp_call <<< "${scp_cmd}"
 sudo "${scp_call[@]}" -r /var/lib/sbctl root@"$target_destination":/var/lib/
 $ssh_root_cmd "sbctl enroll-keys --ignore-immutable --microsoft || true"
- # ------------------------
- green "restoring hardware-configuration"
- sed -i '/swarselsystems\.initialSetup = true;/d' "$git_root"/hosts/nixos/"$target_hostname"/hardware-configuration.nix
 fi
+# ------------------------
+green "Disabling initialSetup"
+sed -i '/swarselsystems\.initialSetup = true;/d' "$git_root"/hosts/nixos/"$target_hostname"/hardware-configuration.nix
 if [ -n "$persist_dir" ]; then
 $ssh_root_cmd "cp /etc/machine-id $persist_dir/etc/machine-id || true"
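Review bot: Moving `Disabling initialSetup` out of the SECUREBOOT block commits the host to Lanzaboote on its next rebuild regardless of whether `sbctl enroll-keys` succeeded, and the `|| true` on the context line above guarantees a failure there is never seen. On a host whose firmware enforces Secure Boot, a failed enrollment followed by this removal yields a signed UKI the firmware will not accept, so the removal should be conditioned on the enrollment result; if `|| true` is there to tolerate re-running on an already-enrolled machine, query `sbctl status` instead of swallowing every error. Separately, and pre-existing rather than introduced here: the same `/var/lib/sbctl` bundle is copied to every host, so one host's key store can sign boot images for all of them, which is worth stating in the docs if intended. The enclosing `if` starts outside the hunk.
```shell
enrolled=true
if [[ $SECUREBOOT == "true" ]]; then
    # … unchanged: copy /var/lib/sbctl to the target …
    $ssh_root_cmd "sbctl enroll-keys --ignore-immutable --microsoft" || enrolled=false
fi
if [[ $enrolled == "true" ]]; then
    green "Disabling initialSetup"
    sed -i '/swarselsystems\.initialSetup = true;/d' "$git_root"/hosts/nixos/"$target_hostname"/hardware-configuration.nix
else
    echo "sbctl enroll-keys failed on $target_hostname; keeping initialSetup = true so it stays on systemd-boot" >&2
fi
```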