Enable secure boot
diff --git a/flake.lock b/flake.lock
index ec774bc..fa2af8c 100644
--- a/flake.lock
+++ b/flake.lock
@@ -62,6 +62,56 @@
"type": "github"
}
},
+ "flake-compat_2": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1668681692,
+ "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "rev": "009399224d5e398d03b22badca40a37ac85412a1",
+ "type": "github"
+ },
+ "original": {
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "type": "github"
+ }
+ },
+ "flake-compat_3": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1668681692,
+ "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "rev": "009399224d5e398d03b22badca40a37ac85412a1",
+ "type": "github"
+ },
+ "original": {
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "type": "github"
+ }
+ },
+ "flake-parts": {
+ "inputs": {
+ "nixpkgs-lib": "nixpkgs-lib"
+ },
+ "locked": {
+ "lastModified": 1673047662,
+ "narHash": "sha256-dXYxH/0Ea5oQSkGAWWNy7HzmFutguycDGn2dt6lTYRQ=",
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "rev": "aa1f6ca773b6e740037ebfb35f7010e0c3960638",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "type": "github"
+ }
+ },
"flake-utils": {
"locked": {
"lastModified": 1667395993,
@@ -128,6 +178,28 @@
"type": "github"
}
},
+ "gitignore": {
+ "inputs": {
+ "nixpkgs": [
+ "lanzaboote",
+ "pre-commit-hooks-nix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1660459072,
+ "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
+ "owner": "hercules-ci",
+ "repo": "gitignore.nix",
+ "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "gitignore.nix",
+ "type": "github"
+ }
+ },
"gtimelog": {
"flake": false,
"locked": {
@@ -202,6 +274,37 @@
"type": "github"
}
},
+ "lanzaboote": {
+ "inputs": {
+ "crane": [
+ "crane"
+ ],
+ "flake-compat": "flake-compat_2",
+ "flake-parts": "flake-parts",
+ "flake-utils": [
+ "flake-utils"
+ ],
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "nixpkgs-test": "nixpkgs-test",
+ "pre-commit-hooks-nix": "pre-commit-hooks-nix",
+ "rust-overlay": "rust-overlay_2"
+ },
+ "locked": {
+ "lastModified": 1673698540,
+ "narHash": "sha256-vF6qVrr3m99fiXzZDk41s93zi5mOv19wERxOFs91m3Y=",
+ "owner": "nix-community",
+ "repo": "lanzaboote",
+ "rev": "30d6c92583b950d22d2c3ddb729272f29d14a5b0",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "lanzaboote",
+ "type": "github"
+ }
+ },
"nixpkgs": {
"locked": {
"lastModified": 1672249180,
@@ -218,6 +321,24 @@
"type": "github"
}
},
+ "nixpkgs-lib": {
+ "locked": {
+ "dir": "lib",
+ "lastModified": 1672350804,
+ "narHash": "sha256-jo6zkiCabUBn3ObuKXHGqqORUMH27gYDIFFfLq5P4wg=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "677ed08a50931e38382dbef01cba08a8f7eac8f6",
+ "type": "github"
+ },
+ "original": {
+ "dir": "lib",
+ "owner": "NixOS",
+ "ref": "nixos-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
"nixpkgs-minion": {
"locked": {
"lastModified": 1666777518,
@@ -235,6 +356,22 @@
},
"nixpkgs-stable": {
"locked": {
+ "lastModified": 1671271954,
+ "narHash": "sha256-cSvu+bnvN08sOlTBWbBrKaBHQZq8mvk8bgpt0ZJ2Snc=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "d513b448cc2a6da2c8803e3c197c9fc7e67b19e3",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-22.05",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs-stable_2": {
+ "locked": {
"lastModified": 1671923641,
"narHash": "sha256-flPauiL5UrfRJD+1oAcEefpEIUqTqnyKScWe/UUU+lE=",
"owner": "NixOS",
@@ -249,6 +386,22 @@
"type": "github"
}
},
+ "nixpkgs-test": {
+ "locked": {
+ "lastModified": 1671812130,
+ "narHash": "sha256-GALBK+qB9rhnB+lVnxdgtMoXCySXughZZ3+qGO1Ke/k=",
+ "owner": "RaitoBezarius",
+ "repo": "nixpkgs",
+ "rev": "e51bf8cc8e2c75192e930ad83ed272938729e7be",
+ "type": "github"
+ },
+ "original": {
+ "owner": "RaitoBezarius",
+ "ref": "simplified-qemu-boot-disks",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
"nixpkgs-unfree": {
"inputs": {
"nixpkgs": [
@@ -324,6 +477,34 @@
"type": "github"
}
},
+ "pre-commit-hooks-nix": {
+ "inputs": {
+ "flake-compat": "flake-compat_3",
+ "flake-utils": [
+ "lanzaboote",
+ "flake-utils"
+ ],
+ "gitignore": "gitignore",
+ "nixpkgs": [
+ "lanzaboote",
+ "nixpkgs"
+ ],
+ "nixpkgs-stable": "nixpkgs-stable"
+ },
+ "locked": {
+ "lastModified": 1672912243,
+ "narHash": "sha256-QnQeKUjco2kO9J4rBqIBPp5XcOMblIMnmyhpjeaJBYc=",
+ "owner": "cachix",
+ "repo": "pre-commit-hooks.nix",
+ "rev": "a4548c09eac4afb592ab2614f4a150120b29584c",
+ "type": "github"
+ },
+ "original": {
+ "owner": "cachix",
+ "repo": "pre-commit-hooks.nix",
+ "type": "github"
+ }
+ },
"registry": {
"flake": false,
"locked": {
@@ -351,6 +532,7 @@
"home-manager": "home-manager",
"impermanence": "impermanence",
"kmonad": "kmonad",
+ "lanzaboote": "lanzaboote",
"nixpkgs": "nixpkgs",
"nixpkgs-minion": "nixpkgs-minion",
"nixpkgs-unfree": "nixpkgs-unfree",
@@ -403,12 +585,37 @@
"type": "github"
}
},
+ "rust-overlay_2": {
+ "inputs": {
+ "flake-utils": [
+ "lanzaboote",
+ "flake-utils"
+ ],
+ "nixpkgs": [
+ "lanzaboote",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1673058265,
+ "narHash": "sha256-FFigGHIO9BQeIIKjH5dcpB+ey5CSgfy47wHPGeOhCps=",
+ "owner": "oxalica",
+ "repo": "rust-overlay",
+ "rev": "802ff3314663ec7114f29a6e8b200dfc892023f8",
+ "type": "github"
+ },
+ "original": {
+ "owner": "oxalica",
+ "repo": "rust-overlay",
+ "type": "github"
+ }
+ },
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
- "nixpkgs-stable": "nixpkgs-stable"
+ "nixpkgs-stable": "nixpkgs-stable_2"
},
"locked": {
"lastModified": 1671937829,
diff --git a/flake.nix b/flake.nix
index f401273..0f79ccd 100644
--- a/flake.nix
+++ b/flake.nix
@@ -36,6 +36,7 @@
};
fenix.url = "github:nix-community/fenix";
nps.url = "github:OleMussmann/Nix-Package-Search";
+ lanzaboote.url = "github:nix-community/lanzaboote";
fenix.inputs.nixpkgs.follows = "nixpkgs";
flake-utils-plus.inputs.flake-utils.follows = "flake-utils";
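Review bot: `lanzaboote.url` carries no ref, so every `nix flake update` moves the boot-signing toolchain to whatever the repository's default branch head is at that moment; flake.lock pins a rev today, but the update path itself is unpinned. For a component that signs the boot chain I would track a release and bump it deliberately, `lanzaboote.url = "github:nix-community/lanzaboote/<RELEASE_TAG>";` (tag is a placeholder to fill in). The enclosing `inputs` attribute set starts before this hunk.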
@@ -45,6 +46,9 @@
nps.inputs.flake-utils.follows = "flake-utils";
crane.inputs.nixpkgs.follows = "nixpkgs";
crane.inputs.flake-utils.follows = "flake-utils";
+ lanzaboote.inputs.nixpkgs.follows = "nixpkgs";
+ lanzaboote.inputs.flake-utils.follows = "flake-utils";
+ lanzaboote.inputs.crane.follows = "crane";
};
outputs = inputs:
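Review bot: Only three of lanzaboote's inputs are redirected with `follows`; the flake.lock hunks show its flake-compat, flake-parts, rust-overlay, pre-commit-hooks-nix (bringing gitignore and a second nixpkgs-stable with it) and nixpkgs-test all being locked as separate nodes. The `_2` suffixes on `flake-compat_2` and `rust-overlay_2` indicate the root flake already has inputs of those names, so `lanzaboote.inputs.flake-compat.follows = "flake-compat";` and `lanzaboote.inputs.rust-overlay.follows = "rust-overlay";` would dedupe two of them, provided the root pins are compatible. The pre-commit and nixpkgs-test inputs look like lanzaboote's development-only dependencies and, as far as I know, cannot be dropped from a consumer's lock without an upstream change; each extra pinned node is one more third-party source the build trusts and has to be tracked for updates.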
diff --git a/modules/boot.nix b/modules/boot.nix
index c40726a..f93c554 100644
--- a/modules/boot.nix
+++ b/modules/boot.nix
@@ -3,7 +3,7 @@
boot = {
loader = {
systemd-boot = {
- enable = true;
+ /* enable = true; */ # Replaced by secure-boot.nix
editor = false;
};
efi.canTouchEfiVariables = true;
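Review bot: The replaced line leaves commented-out code (`/* enable = true; */`) in boot.nix instead of removing it; since secure-boot.nix sets `loader.systemd-boot.enable = lib.mkForce false`, the original value would be overridden either way, so the dead line mainly invites someone to restore it later. I would drop it and keep only a comment, `# systemd-boot.enable is forced off in secure-boot.nix, which installs lanzaboote in its place`. Whether the remaining `editor = false;` still has any effect once systemd-boot is disabled is worth checking against the lanzaboote module rather than assuming. The enclosing `boot` set starts before this hunk.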
diff --git a/modules/secure-boot.nix b/modules/secure-boot.nix
new file mode 100644
index 0000000..a5469f4
--- /dev/null
+++ b/modules/secure-boot.nix
@@ -0,0 +1,22 @@
+{ pkgs, lanzaboote, lib, ... }: {
+ imports = [
+ lanzaboote.nixosModules.lanzaboote
+ ];
+ config = {
+ boot = {
+ bootspec.enable = true;
+ loader.systemd-boot.enable = lib.mkForce false;
+ lanzaboote = {
+ enable = true;
+ pkiBundle = "/etc/secureboot";
+ };
+ };
+
+ environment = {
+ persistence."/nix/persist".directories = [
+ "/etc/secureboot"
+ ];
+ systemPackages = [ pkgs.sbctl ];
+ };
+ };
+}
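Review bot: The new module has no header comment stating the bootstrap order it relies on: `pkiBundle = "/etc/secureboot"` must already contain the sbctl-generated key bundle when this module is first activated, since, as far as I can tell, lanzaboote's installer signs the boot entries with those keys, and the same keys must be enrolled in firmware before Secure Boot is switched on, or the bootloader install or the next boot fails. I would add a header along the lines of `# Prerequisites: generate the key bundle with sbctl (it lands in /etc/secureboot, persisted below) and enroll it in firmware before enabling Secure Boot; see the lanzaboote docs for the exact steps.` The bundle holds the private signing keys, so it is worth confirming that the persisted `/etc/secureboot` keeps root-only permissions across the `/nix/persist` bind mount. `environment.persistence` also presupposes the impermanence module is imported elsewhere; the `impermanence` root input in flake.lock suggests it is, but this file does not declare that dependency.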