swarsel/.dotfiles
1
0
Fork 0
mirror of https://github.com/Swarsel/.dotfiles.git synced 2025-12-06 09:07:21 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat: introduce lanzaboote profile

Browse source
This commit is contained in:
Swarsel 2024-12-28 13:13:53 +01:00
parent 71a9020d17
commit c011c9bfdd
Signed by: swarsel
GPG key ID: 26A54C31F2A4FD84
6 changed files with 65 additions and 58 deletions
Download patch file Download diff file Expand all files Collapse all files

45
SwarselSystems.org
View file

@ -1269,13 +1269,6 @@ My work machine. Built for more security, this is the gold standard of my config
networking.networkmanager.wifi.scanRandMacAddress = false; networking.networkmanager.wifi.scanRandMacAddress = false;
boot = { boot = {
loader.systemd-boot.enable = lib.mkForce false;
loader.efi.canTouchEfiVariables = true;
lanzaboote = {
enable = true;
# pkiBundle = "/etc/secureboot";
pkiBundle = "/var/lib/sbctl";
};
supportedFilesystems = [ "btrfs" ]; supportedFilesystems = [ "btrfs" ];
kernelPackages = lib.mkDefault pkgs.linuxPackages_latest; kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
kernelParams = [ kernelParams = [
@ -1315,6 +1308,7 @@ My work machine. Built for more security, this is the gold standard of my config
hasBluetooth = true; hasBluetooth = true;
hasFingerprint = true; hasFingerprint = true;
isImpermanence = false; isImpermanence = false;
isSecureBoot = true;
isCrypted = true; isCrypted = true;
} sharedOptions; } sharedOptions;
@ -1785,6 +1779,7 @@ This is a slim setup for developing base configuration.
"${profilesPath}/common/nixos/xserver.nix" "${profilesPath}/common/nixos/xserver.nix"
"${profilesPath}/common/nixos/users.nix" "${profilesPath}/common/nixos/users.nix"
"${profilesPath}/common/nixos/impermanence.nix" "${profilesPath}/common/nixos/impermanence.nix"
"${profilesPath}/common/nixos/lanzaboote.nix"
"${profilesPath}/common/nixos/sops.nix" "${profilesPath}/common/nixos/sops.nix"
"${profilesPath}/server/nixos/ssh.nix" "${profilesPath}/server/nixos/ssh.nix"
@ -1823,15 +1818,8 @@ This is a slim setup for developing base configuration.
system.stateVersion = lib.mkForce "23.05"; system.stateVersion = lib.mkForce "23.05";
boot = { boot = {
loader.efi.canTouchEfiVariables = true;
supportedFilesystems = [ "btrfs" ]; supportedFilesystems = [ "btrfs" ];
kernelPackages = lib.mkDefault pkgs.linuxPackages_latest; kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
loader.systemd-boot.enable = lib.swarselsystems.mkIfElse (config.swarselsystems.initialSetup || !config.swarselsystems.isSecureBoot) (lib.mkForce true) (lib.mkForce false);
lanzaboote = lib.mkIf (!config.swarselsystems.initialSetup && config.swarselsystems.isSecureBoot) {
enable = true;
pkiBundle = "/var/lib/sbctl";
# enrollKeys = true;
};
}; };
@ -3018,10 +3006,8 @@ This program sets up a new NixOS host remotely. It also takes care of secret man
green "Generating hardware-config.nix for $target_hostname and adding it to the nix-config." green "Generating hardware-config.nix for $target_hostname and adding it to the nix-config."
$ssh_root_cmd "nixos-generate-config --force --no-filesystems --root /mnt" $ssh_root_cmd "nixos-generate-config --force --no-filesystems --root /mnt"
if [[ $SECUREBOOT == "true" ]]; then
green "Injecting initialSetup" green "Injecting initialSetup"
$ssh_root_cmd "sed -i '/ boot.extraModulePackages /a \ swarselsystems.initialSetup = true;' /mnt/etc/nixos/hardware-configuration.nix" $ssh_root_cmd "sed -i '/ boot.extraModulePackages /a \ swarselsystems.initialSetup = true;' /mnt/etc/nixos/hardware-configuration.nix"
fi
mkdir -p "$FLAKE"/hosts/nixos/"$target_hostname" mkdir -p "$FLAKE"/hosts/nixos/"$target_hostname"
$scp_cmd root@"$target_destination":/mnt/etc/nixos/hardware-configuration.nix "${git_root}"/hosts/nixos/"$target_hostname"/hardware-configuration.nix $scp_cmd root@"$target_destination":/mnt/etc/nixos/hardware-configuration.nix "${git_root}"/hosts/nixos/"$target_hostname"/hardware-configuration.nix
@ -3052,10 +3038,10 @@ This program sets up a new NixOS host remotely. It also takes care of secret man
read -ra scp_call <<< "${scp_cmd}" read -ra scp_call <<< "${scp_cmd}"
sudo "${scp_call[@]}" -r /var/lib/sbctl root@"$target_destination":/var/lib/ sudo "${scp_call[@]}" -r /var/lib/sbctl root@"$target_destination":/var/lib/
$ssh_root_cmd "sbctl enroll-keys --ignore-immutable --microsoft || true" $ssh_root_cmd "sbctl enroll-keys --ignore-immutable --microsoft || true"
# ------------------------
green "restoring hardware-configuration"
sed -i '/swarselsystems\.initialSetup = true;/d' "$git_root"/hosts/nixos/"$target_hostname"/hardware-configuration.nix
fi fi
# ------------------------
green "Disabling initialSetup"
sed -i '/swarselsystems\.initialSetup = true;/d' "$git_root"/hosts/nixos/"$target_hostname"/hardware-configuration.nix
if [ -n "$persist_dir" ]; then if [ -n "$persist_dir" ]; then
$ssh_root_cmd "cp /etc/machine-id $persist_dir/etc/machine-id || true" $ssh_root_cmd "cp /etc/machine-id $persist_dir/etc/machine-id || true"
@ -4348,6 +4334,7 @@ This section is for setting things that should be used on hosts that are using t
./distrobox.nix ./distrobox.nix
./lid.nix ./lid.nix
./lowbattery.nix ./lowbattery.nix
./lanzaboote.nix
]; ];
nixpkgs.config.permittedInsecurePackages = [ nixpkgs.config.permittedInsecurePackages = [
@ -5913,6 +5900,26 @@ Since I hide the waybar completely during normal operation, I run the risk of no
} }
#+end_src #+end_src
**** Lanzaboote
This dynamically uses systemd boot or Lanzaboote depending on `config.swarselsystems.initialSetup` and `config.swarselsystems.isSecureBoot`.
#+begin_src nix :tangle profiles/common/nixos/lanzaboote.nix
{ lib, config, ... }:
{
boot = {
loader = {
efi.canTouchEfiVariables = true;
systemd-boot.enable = lib.swarselsystems.mkIfElse (config.swarselsystems.initialSetup || !config.swarselsystems.isSecureBoot) (lib.mkForce true) (lib.mkForce false);
};
lanzaboote = lib.mkIf (!config.swarselsystems.initialSetup && config.swarselsystems.isSecureBoot) {
enable = true;
pkiBundle = "/var/lib/sbctl";
};
};
}
#+end_src
*** Server *** Server
:PROPERTIES: :PROPERTIES:
:CUSTOM_ID: h:e492c24a-83a0-4bcb-a084-706f49318651 :CUSTOM_ID: h:e492c24a-83a0-4bcb-a084-706f49318651

8
hosts/nixos/nbl-imba-2/default.nix
View file

@ -41,13 +41,6 @@ in
networking.networkmanager.wifi.scanRandMacAddress = false; networking.networkmanager.wifi.scanRandMacAddress = false;
boot = { boot = {
loader.systemd-boot.enable = lib.mkForce false;
loader.efi.canTouchEfiVariables = true;
lanzaboote = {
enable = true;
# pkiBundle = "/etc/secureboot";
pkiBundle = "/var/lib/sbctl";
};
supportedFilesystems = [ "btrfs" ]; supportedFilesystems = [ "btrfs" ];
kernelPackages = lib.mkDefault pkgs.linuxPackages_latest; kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
kernelParams = [ kernelParams = [
@ -88,6 +81,7 @@ in
hasBluetooth = true; hasBluetooth = true;
hasFingerprint = true; hasFingerprint = true;
isImpermanence = false; isImpermanence = false;
isSecureBoot = true;
isCrypted = true; isCrypted = true;
} }
sharedOptions; sharedOptions;

8
hosts/nixos/toto/default.nix
View file

@ -22,6 +22,7 @@ in
"${profilesPath}/common/nixos/xserver.nix" "${profilesPath}/common/nixos/xserver.nix"
"${profilesPath}/common/nixos/users.nix" "${profilesPath}/common/nixos/users.nix"
"${profilesPath}/common/nixos/impermanence.nix" "${profilesPath}/common/nixos/impermanence.nix"
"${profilesPath}/common/nixos/lanzaboote.nix"
"${profilesPath}/common/nixos/sops.nix" "${profilesPath}/common/nixos/sops.nix"
"${profilesPath}/server/nixos/ssh.nix" "${profilesPath}/server/nixos/ssh.nix"
@ -60,15 +61,8 @@ in
system.stateVersion = lib.mkForce "23.05"; system.stateVersion = lib.mkForce "23.05";
boot = { boot = {
loader.efi.canTouchEfiVariables = true;
supportedFilesystems = [ "btrfs" ]; supportedFilesystems = [ "btrfs" ];
kernelPackages = lib.mkDefault pkgs.linuxPackages_latest; kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
loader.systemd-boot.enable = lib.swarselsystems.mkIfElse (config.swarselsystems.initialSetup || !config.swarselsystems.isSecureBoot) (lib.mkForce true) (lib.mkForce false);
lanzaboote = lib.mkIf (!config.swarselsystems.initialSetup && config.swarselsystems.isSecureBoot) {
enable = true;
pkiBundle = "/var/lib/sbctl";
# enrollKeys = true;
};
}; };

1
profiles/common/nixos/default.nix
View file

@ -39,6 +39,7 @@ _:
./distrobox.nix ./distrobox.nix
./lid.nix ./lid.nix
./lowbattery.nix ./lowbattery.nix
./lanzaboote.nix
]; ];
nixpkgs.config.permittedInsecurePackages = [ nixpkgs.config.permittedInsecurePackages = [

13
profiles/common/nixos/lanzaboote.nix Normal file
View file

@ -0,0 +1,13 @@
{ lib, config, ... }:
{
boot = {
loader = {
efi.canTouchEfiVariables = true;
systemd-boot.enable = lib.swarselsystems.mkIfElse (config.swarselsystems.initialSetup || !config.swarselsystems.isSecureBoot) (lib.mkForce true) (lib.mkForce false);
};
lanzaboote = lib.mkIf (!config.swarselsystems.initialSetup && config.swarselsystems.isSecureBoot) {
enable = true;
pkiBundle = "/var/lib/sbctl";
};
};
}

12
scripts/bootstrap.sh
View file

@ -210,10 +210,8 @@ fi
green "Generating hardware-config.nix for $target_hostname and adding it to the nix-config." green "Generating hardware-config.nix for $target_hostname and adding it to the nix-config."
$ssh_root_cmd "nixos-generate-config --force --no-filesystems --root /mnt" $ssh_root_cmd "nixos-generate-config --force --no-filesystems --root /mnt"
if [[ $SECUREBOOT == "true" ]]; then green "Injecting initialSetup"
green "Injecting initialSetup" $ssh_root_cmd "sed -i '/ boot.extraModulePackages /a \ swarselsystems.initialSetup = true;' /mnt/etc/nixos/hardware-configuration.nix"
$ssh_root_cmd "sed -i '/ boot.extraModulePackages /a \ swarselsystems.initialSetup = true;' /mnt/etc/nixos/hardware-configuration.nix"
fi
mkdir -p "$FLAKE"/hosts/nixos/"$target_hostname" mkdir -p "$FLAKE"/hosts/nixos/"$target_hostname"
$scp_cmd root@"$target_destination":/mnt/etc/nixos/hardware-configuration.nix "${git_root}"/hosts/nixos/"$target_hostname"/hardware-configuration.nix $scp_cmd root@"$target_destination":/mnt/etc/nixos/hardware-configuration.nix "${git_root}"/hosts/nixos/"$target_hostname"/hardware-configuration.nix
@ -244,10 +242,10 @@ if [[ $SECUREBOOT == "true" ]]; then
read -ra scp_call <<< "${scp_cmd}" read -ra scp_call <<< "${scp_cmd}"
sudo "${scp_call[@]}" -r /var/lib/sbctl root@"$target_destination":/var/lib/ sudo "${scp_call[@]}" -r /var/lib/sbctl root@"$target_destination":/var/lib/
$ssh_root_cmd "sbctl enroll-keys --ignore-immutable --microsoft || true" $ssh_root_cmd "sbctl enroll-keys --ignore-immutable --microsoft || true"
# ------------------------
green "restoring hardware-configuration"
sed -i '/swarselsystems\.initialSetup = true;/d' "$git_root"/hosts/nixos/"$target_hostname"/hardware-configuration.nix
fi fi
# ------------------------
green "Disabling initialSetup"
sed -i '/swarselsystems\.initialSetup = true;/d' "$git_root"/hosts/nixos/"$target_hostname"/hardware-configuration.nix
if [ -n "$persist_dir" ]; then if [ -n "$persist_dir" ]; then
$ssh_root_cmd "cp /etc/machine-id $persist_dir/etc/machine-id || true" $ssh_root_cmd "cp /etc/machine-id $persist_dir/etc/machine-id || true"