From ab7e49581a49fd32a9767cabdac88fb74c39ef46 Mon Sep 17 00:00:00 2001
From: Harald Hoyer
Date: Tue, 5 Mar 2024 15:41:42 +0100
Subject: [PATCH] x1: secure boot and encrypted swap
Signed-off-by: Harald Hoyer
---
 flake.lock | 251 +++++++++++++++++-
 flake.nix | 6 +
 systems/x86_64-linux/x1/default.nix | 15 +-
 .../x1/hardware-configuration.nix | 3 +-
 4 files changed, 257 insertions(+), 18 deletions(-)
diff --git a/flake.lock b/flake.lock
index 8558127..2368844 100644
--- a/flake.lock
+++ b/flake.lock
@@ -256,6 +256,39 @@
 "type": "github"
 }
 },
+ "crane": {
+ "inputs": {
+ "flake-compat": [
+ "lanzaboote",
+ "flake-compat"
+ ],
+ "flake-utils": [
+ "lanzaboote",
+ "flake-utils"
+ ],
+ "nixpkgs": [
+ "lanzaboote",
+ "nixpkgs"
+ ],
+ "rust-overlay": [
+ "lanzaboote",
+ "rust-overlay"
+ ]
+ },
+ "locked": {
+ "lastModified": 1681177078,
+ "narHash": "sha256-ZNIjBDou2GOabcpctiQykEQVkI8BDwk7TyvlWlI4myE=",
+ "owner": "ipetkov",
+ "repo": "crane",
+ "rev": "0c9f468ff00576577d83f5019a66c557ede5acf6",
+ "type": "github"
+ },
+ "original": {
+ "owner": "ipetkov",
+ "repo": "crane",
+ "type": "github"
+ }
+ },
 "crates-nvim": {
 "flake": false,
 "locked": {
@@ -439,6 +472,22 @@
 }
 },
 "flake-compat_2": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1673956053,
+ "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
+ "type": "github"
+ },
+ "original": {
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "type": "github"
+ }
+ },
+ "flake-compat_3": {
 "flake": false,
 "locked": {
 "lastModified": 1650374568,
@@ -455,6 +504,27 @@
 }
 },
 "flake-parts": {
+ "inputs": {
+ "nixpkgs-lib": [
+ "lanzaboote",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1680392223,
+ "narHash": "sha256-n3g7QFr85lDODKt250rkZj2IFS3i4/8HBU2yKHO3tqw=",
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "rev": "dcc36e45d054d7bb554c9cdab69093debd91a0b5",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "type": "github"
+ }
+ },
+ "flake-parts_2": {
 "inputs": {
 "nixpkgs-lib": "nixpkgs-lib"
 },
@@ -477,11 +547,11 @@
 "systems": "systems"
 },
 "locked": {
- "lastModified": 1689068808,
- "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=",
+ "lastModified": 1681202837,
+ "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
 "owner": "numtide",
 "repo": "flake-utils",
- "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4",
+ "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
 "type": "github"
 },
 "original": {
@@ -492,7 +562,7 @@
 },
 "flake-utils-plus": {
 "inputs": {
- "flake-utils": "flake-utils_3"
+ "flake-utils": "flake-utils_4"
 },
 "locked": {
 "lastModified": 1696331477,
@@ -509,6 +579,24 @@
 }
 },
 "flake-utils_2": {
+ "inputs": {
+ "systems": "systems_2"
+ },
+ "locked": {
+ "lastModified": 1689068808,
+ "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ },
+ "flake-utils_3": {
 "locked": {
 "lastModified": 1659877975,
 "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
@@ -523,9 +611,9 @@
 "type": "github"
 }
 },
- "flake-utils_3": {
+ "flake-utils_4": {
 "inputs": {
- "systems": "systems_3"
+ "systems": "systems_4"
 },
 "locked": {
 "lastModified": 1694529238,
@@ -573,6 +661,28 @@
 "type": "github"
 }
 },
+ "gitignore": {
+ "inputs": {
+ "nixpkgs": [
+ "lanzaboote",
+ "pre-commit-hooks-nix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1660459072,
+ "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
+ "owner": "hercules-ci",
+ "repo": "gitignore.nix",
+ "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "gitignore.nix",
+ "type": "github"
+ }
+ },
 "gitsigns-nvim": {
 "flake": false,
 "locked": {
@@ -706,6 +816,33 @@
 "type": "github"
 }
 },
+ "lanzaboote": {
+ "inputs": {
+ "crane": "crane",
+ "flake-compat": "flake-compat",
+ "flake-parts": "flake-parts",
+ "flake-utils": "flake-utils",
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "pre-commit-hooks-nix": "pre-commit-hooks-nix",
+ "rust-overlay": "rust-overlay"
+ },
+ "locked": {
+ "lastModified": 1682802423,
+ "narHash": "sha256-Fb5TeRTdvUlo/5Yi2d+FC8a6KoRLk2h1VE0/peMhWPs=",
+ "owner": "nix-community",
+ "repo": "lanzaboote",
+ "rev": "64b903ca87d18cef2752c19c098af275c6e51d63",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "ref": "v0.3.0",
+ "repo": "lanzaboote",
+ "type": "github"
+ }
+ },
 "leap-nvim": {
 "flake": false,
 "locked": {
@@ -914,8 +1051,8 @@
 "elixir-ls": "elixir-ls",
 "elixir-tools": "elixir-tools",
 "fidget-nvim": "fidget-nvim",
- "flake-parts": "flake-parts",
- "flake-utils": "flake-utils",
+ "flake-parts": "flake-parts_2",
+ "flake-utils": "flake-utils_2",
 "flutter-tools": "flutter-tools",
 "gesture-nvim": "gesture-nvim",
 "gitsigns-nvim": "gitsigns-nvim",
@@ -978,7 +1115,7 @@
 "scrollbar-nvim": "scrollbar-nvim",
 "smartcolumn": "smartcolumn",
 "sqls-nvim": "sqls-nvim",
- "systems": "systems_2",
+ "systems": "systems_3",
 "tabular": "tabular",
 "telescope": "telescope",
 "tidalcycles": "tidalcycles",
@@ -1020,7 +1157,7 @@
 "neovim-flake",
 "nixpkgs"
 ],
- "rust-overlay": "rust-overlay"
+ "rust-overlay": "rust-overlay_2"
 },
 "locked": {
 "lastModified": 1699423608,
@@ -1070,6 +1207,22 @@
 "type": "github"
 }
 },
+ "nixpkgs-stable": {
+ "locked": {
+ "lastModified": 1678872516,
+ "narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "9b8e5abb18324c7fe9f07cb100c3cd4a29cda8b8",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-22.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "nixpkgs_2": {
 "locked": {
 "lastModified": 1655400192,
@@ -1615,6 +1768,37 @@
 "type": "github"
 }
 },
+ "pre-commit-hooks-nix": {
+ "inputs": {
+ "flake-compat": [
+ "lanzaboote",
+ "flake-compat"
+ ],
+ "flake-utils": [
+ "lanzaboote",
+ "flake-utils"
+ ],
+ "gitignore": "gitignore",
+ "nixpkgs": [
+ "lanzaboote",
+ "nixpkgs"
+ ],
+ "nixpkgs-stable": "nixpkgs-stable"
+ },
+ "locked": {
+ "lastModified": 1681413034,
+ "narHash": "sha256-/t7OjNQcNkeWeSq/CFLYVBfm+IEnkjoSm9iKvArnUUI=",
+ "owner": "cachix",
+ "repo": "pre-commit-hooks.nix",
+ "rev": "d3de8f69ca88fb6f8b09e5b598be5ac98d28ede5",
+ "type": "github"
+ },
+ "original": {
+ "owner": "cachix",
+ "repo": "pre-commit-hooks.nix",
+ "type": "github"
+ }
+ },
 "presence-nvim": {
 "flake": false,
 "locked": {
@@ -1687,6 +1871,7 @@
 "inputs": {
 "disko": "disko",
 "home-manager": "home-manager",
+ "lanzaboote": "lanzaboote",
 "neovim-flake": "neovim-flake",
 "nixpkgs": "nixpkgs_4",
 "snowfall-lib": "snowfall-lib",
@@ -1694,6 +1879,31 @@
 }
 },
 "rust-overlay": {
+ "inputs": {
+ "flake-utils": [
+ "lanzaboote",
+ "flake-utils"
+ ],
+ "nixpkgs": [
+ "lanzaboote",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1682129965,
+ "narHash": "sha256-1KRPIorEL6pLpJR04FwAqqnt4Tzcm4MqD84yhlD+XSk=",
+ "owner": "oxalica",
+ "repo": "rust-overlay",
+ "rev": "2c417c0460b788328220120c698630947547ee83",
+ "type": "github"
+ },
+ "original": {
+ "owner": "oxalica",
+ "repo": "rust-overlay",
+ "type": "github"
+ }
+ },
+ "rust-overlay_2": {
 "inputs": {
 "flake-utils": [
 "neovim-flake",
@@ -1770,7 +1980,7 @@ }, "snowfall-lib": { "inputs": { - "flake-compat": "flake-compat_2", + "flake-compat": "flake-compat_3", "flake-utils-plus": "flake-utils-plus", "nixpkgs": [ "nixpkgs" @@ -1868,6 +2078,21 @@ "type": "github" } }, + "systems_4": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "tabular": { "flake": false, "locked": { @@ -2199,8 +2424,8 @@ }, "zig": { "inputs": { - "flake-compat": "flake-compat", - "flake-utils": "flake-utils_2", + "flake-compat": "flake-compat_2", + "flake-utils": "flake-utils_3", "nixpkgs": "nixpkgs_3" }, "locked": { diff --git a/flake.nix b/flake.nix index e92bde1..3fdf618 100644 --- a/flake.nix +++ b/flake.nix @@ -7,6 +7,11 @@ # NixPkgs Unstable (nixos-unstable) unstable.url = "github:nixos/nixpkgs/nixos-unstable"; + lanzaboote = { + url = "github:nix-community/lanzaboote/v0.3.0"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + snowfall-lib = { url = "github:snowfallorg/lib"; inputs.nixpkgs.follows = "nixpkgs"; @@ -64,6 +69,7 @@ # ]; systems.modules.nixos = with inputs; [ + lanzaboote.nixosModules.lanzaboote home-manager.nixosModules.home-manager ]; diff --git a/systems/x86_64-linux/x1/default.nix b/systems/x86_64-linux/x1/default.nix index d50ee2f..9053afd 100644 --- a/systems/x86_64-linux/x1/default.nix +++ b/systems/x86_64-linux/x1/default.nix @@ -13,9 +13,11 @@ with lib.plusultra; operation = "boot"; allowReboot = false; flags = [ - "--update-input" "nixpkgs" - "--update-input" "unstable" - ]; + "--update-input" + "nixpkgs" + "--update-input" + "unstable" + ]; flake = "git+https://git.hoyer.xyz/harald/nixcfg#x1"; }; 
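Review bot: The `lanzaboote` input added in flake.nix at `url = "github:nix-community/lanzaboote/v0.3.0"` pins a fixed release tag, and the accompanying flake.lock entry records that revision's `lastModified` as 1682802423, which is close to a year before this commit's date; because this component signs the boot chain the firmware verifies, the reason for that choice and the plan for bumping it deserve a comment above the input, e.g. `# lanzaboote v0.3.0: signs the UKIs; bump deliberately and re-verify with sbctl afterwards`. The `inputs.nixpkgs.follows = "nixpkgs"` line covers only the main nixpkgs; the lock shows the input still pulling its own `nixpkgs-stable` (nixos-22.11) via `pre-commit-hooks-nix`, which presumably only serves that input's own checks but does widen the transitive dependency set, so it is worth knowing about. The second flake.nix hunk, adding `lanzaboote.nixosModules.lanzaboote` to `systems.modules.nixos`, is fine as written.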
@@ -26,9 +28,13 @@ with lib.plusultra; }; boot = { + lanzaboote = { + enable = true; + pkiBundle = "/etc/secureboot"; + }; tmp.cleanOnBoot = true; loader = { - systemd-boot.enable = true; + systemd-boot.enable = false; efi.canTouchEfiVariables = true; timeout = 2; }; @@ -62,6 +68,7 @@ with lib.plusultra; openssl restic rrsync + sbctl sops strace tmux diff --git a/systems/x86_64-linux/x1/hardware-configuration.nix b/systems/x86_64-linux/x1/hardware-configuration.nix index 6e980fe..7398840 100644 --- a/systems/x86_64-linux/x1/hardware-configuration.nix +++ b/systems/x86_64-linux/x1/hardware-configuration.nix @@ -22,6 +22,7 @@ }; boot.initrd.luks.devices."luks-0e2792db-1b80-49a7-b2eb-54e4b5fc3502".device = "/dev/disk/by-uuid/0e2792db-1b80-49a7-b2eb-54e4b5fc3502"; + boot.initrd.luks.devices."luks-280f2e07-e5fc-478e-b7ee-445c99bea415".device = "/dev/disk/by-uuid/280f2e07-e5fc-478e-b7ee-445c99bea415"; fileSystems."/boot" = { @@ -29,7 +30,7 @@ fsType = "vfat"; }; - swapDevices = [ ]; + swapDevices = [{ device = "/dev/mapper/luks-280f2e07-e5fc-478e-b7ee-445c99bea415"; }]; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's
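Review bot: `pkiBundle = "/etc/secureboot";` points lanzaboote at a key directory that nothing in this commit creates; the keys must be generated out of band (the later hunk adds `sbctl` to the package list, presumably for that purpose), and the first switch will fail if the bundle is not present yet. A comment on the new `lanzaboote` block would spare the next reader that discovery, for example `# Secure Boot: keys in /etc/secureboot are created manually with sbctl before the first switch; systemd-boot is disabled because lanzaboote installs its own signed stub`. The signing private key sits on the root filesystem, so its protection rests on the root volume being encrypted and the directory staying root-only; stating that assumption in the same comment makes the threat model explicit. Keeping `efi.canTouchEfiVariables = true` and `timeout = 2` looks correct; the enclosing `boot = {` attribute set closes outside the hunk.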
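Review bot: The new `boot.initrd.luks.devices."luks-280f2e07-…"` entry in hardware-configuration.nix gives the swap volume no `keyFile`, so it is unlocked interactively in the initrd next to the existing root device; depending on the initrd implementation that means either a second passphrase prompt on every boot or reuse of the first passphrase, and the intent is not recorded. The `swapDevices` hunk is consistent with it (`/dev/mapper/luks-280f2e07-…`), but if hibernation is the reason for a passphrase-unlocked swap then `boot.resumeDevice` should name that mapper path, and if it is not, `randomEncryption` on the swap entry would avoid the extra prompt and the second passphrase-protected key altogether. A one-line comment above the new luks entry, such as `# swap: LUKS with passphrase, unlocked in initrd so resume from hibernation works`, or its alternative, would pin the decision. This file is normally produced by nixos-generate-config, so if it is ever regenerated these hand edits are at risk of being lost.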