x1: secure boot and encrypted swap

Signed-off-by: Harald Hoyer <harald@hoyer.xyz>
Harald Hoyer 2024-03-05 15:41:42 +01:00
parent cab06248d2
commit ab7e49581a
4 changed files with 257 additions and 18 deletions


@ -256,6 +256,39 @@
"type": "github" "type": "github"
} }
}, },
"crane": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"nixpkgs": [
"lanzaboote",
"nixpkgs"
],
"rust-overlay": [
"lanzaboote",
"rust-overlay"
]
},
"locked": {
"lastModified": 1681177078,
"narHash": "sha256-ZNIjBDou2GOabcpctiQykEQVkI8BDwk7TyvlWlI4myE=",
"owner": "ipetkov",
"repo": "crane",
"rev": "0c9f468ff00576577d83f5019a66c557ede5acf6",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"crates-nvim": { "crates-nvim": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -439,6 +472,22 @@
} }
}, },
"flake-compat_2": { "flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_3": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1650374568, "lastModified": 1650374568,
@ -455,6 +504,27 @@
} }
}, },
"flake-parts": { "flake-parts": {
"inputs": {
"nixpkgs-lib": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1680392223,
"narHash": "sha256-n3g7QFr85lDODKt250rkZj2IFS3i4/8HBU2yKHO3tqw=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "dcc36e45d054d7bb554c9cdab69093debd91a0b5",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_2": {
"inputs": { "inputs": {
"nixpkgs-lib": "nixpkgs-lib" "nixpkgs-lib": "nixpkgs-lib"
}, },
@ -477,11 +547,11 @@
"systems": "systems" "systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1689068808, "lastModified": 1681202837,
"narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=", "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4", "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -492,7 +562,7 @@
}, },
"flake-utils-plus": { "flake-utils-plus": {
"inputs": { "inputs": {
"flake-utils": "flake-utils_3" "flake-utils": "flake-utils_4"
}, },
"locked": { "locked": {
"lastModified": 1696331477, "lastModified": 1696331477,
@ -509,6 +579,24 @@
} }
}, },
"flake-utils_2": { "flake-utils_2": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1689068808,
"narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_3": {
"locked": { "locked": {
"lastModified": 1659877975, "lastModified": 1659877975,
"narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
@ -523,9 +611,9 @@
"type": "github" "type": "github"
} }
}, },
"flake-utils_3": { "flake-utils_4": {
"inputs": { "inputs": {
"systems": "systems_3" "systems": "systems_4"
}, },
"locked": { "locked": {
"lastModified": 1694529238, "lastModified": 1694529238,
@ -573,6 +661,28 @@
"type": "github" "type": "github"
} }
}, },
"gitignore": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"pre-commit-hooks-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1660459072,
"narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"gitsigns-nvim": { "gitsigns-nvim": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -706,6 +816,33 @@
"type": "github" "type": "github"
} }
}, },
"lanzaboote": {
"inputs": {
"crane": "crane",
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
],
"pre-commit-hooks-nix": "pre-commit-hooks-nix",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1682802423,
"narHash": "sha256-Fb5TeRTdvUlo/5Yi2d+FC8a6KoRLk2h1VE0/peMhWPs=",
"owner": "nix-community",
"repo": "lanzaboote",
"rev": "64b903ca87d18cef2752c19c098af275c6e51d63",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "v0.3.0",
"repo": "lanzaboote",
"type": "github"
}
},
"leap-nvim": { "leap-nvim": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -914,8 +1051,8 @@
"elixir-ls": "elixir-ls", "elixir-ls": "elixir-ls",
"elixir-tools": "elixir-tools", "elixir-tools": "elixir-tools",
"fidget-nvim": "fidget-nvim", "fidget-nvim": "fidget-nvim",
"flake-parts": "flake-parts", "flake-parts": "flake-parts_2",
"flake-utils": "flake-utils", "flake-utils": "flake-utils_2",
"flutter-tools": "flutter-tools", "flutter-tools": "flutter-tools",
"gesture-nvim": "gesture-nvim", "gesture-nvim": "gesture-nvim",
"gitsigns-nvim": "gitsigns-nvim", "gitsigns-nvim": "gitsigns-nvim",
@ -978,7 +1115,7 @@
"scrollbar-nvim": "scrollbar-nvim", "scrollbar-nvim": "scrollbar-nvim",
"smartcolumn": "smartcolumn", "smartcolumn": "smartcolumn",
"sqls-nvim": "sqls-nvim", "sqls-nvim": "sqls-nvim",
"systems": "systems_2", "systems": "systems_3",
"tabular": "tabular", "tabular": "tabular",
"telescope": "telescope", "telescope": "telescope",
"tidalcycles": "tidalcycles", "tidalcycles": "tidalcycles",
@ -1020,7 +1157,7 @@
"neovim-flake", "neovim-flake",
"nixpkgs" "nixpkgs"
], ],
"rust-overlay": "rust-overlay" "rust-overlay": "rust-overlay_2"
}, },
"locked": { "locked": {
"lastModified": 1699423608, "lastModified": 1699423608,
@ -1070,6 +1207,22 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-stable": {
"locked": {
"lastModified": 1678872516,
"narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "9b8e5abb18324c7fe9f07cb100c3cd4a29cda8b8",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-22.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1655400192, "lastModified": 1655400192,
@ -1615,6 +1768,37 @@
"type": "github" "type": "github"
} }
}, },
"pre-commit-hooks-nix": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"gitignore": "gitignore",
"nixpkgs": [
"lanzaboote",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1681413034,
"narHash": "sha256-/t7OjNQcNkeWeSq/CFLYVBfm+IEnkjoSm9iKvArnUUI=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "d3de8f69ca88fb6f8b09e5b598be5ac98d28ede5",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"presence-nvim": { "presence-nvim": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -1687,6 +1871,7 @@
"inputs": { "inputs": {
"disko": "disko", "disko": "disko",
"home-manager": "home-manager", "home-manager": "home-manager",
"lanzaboote": "lanzaboote",
"neovim-flake": "neovim-flake", "neovim-flake": "neovim-flake",
"nixpkgs": "nixpkgs_4", "nixpkgs": "nixpkgs_4",
"snowfall-lib": "snowfall-lib", "snowfall-lib": "snowfall-lib",
@ -1694,6 +1879,31 @@
} }
}, },
"rust-overlay": { "rust-overlay": {
"inputs": {
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1682129965,
"narHash": "sha256-1KRPIorEL6pLpJR04FwAqqnt4Tzcm4MqD84yhlD+XSk=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "2c417c0460b788328220120c698630947547ee83",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"rust-overlay_2": {
"inputs": { "inputs": {
"flake-utils": [ "flake-utils": [
"neovim-flake", "neovim-flake",
@ -1770,7 +1980,7 @@
}, },
"snowfall-lib": { "snowfall-lib": {
"inputs": { "inputs": {
"flake-compat": "flake-compat_2", "flake-compat": "flake-compat_3",
"flake-utils-plus": "flake-utils-plus", "flake-utils-plus": "flake-utils-plus",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
@ -1868,6 +2078,21 @@
"type": "github" "type": "github"
} }
}, },
"systems_4": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"tabular": { "tabular": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -2199,8 +2424,8 @@
}, },
"zig": { "zig": {
"inputs": { "inputs": {
"flake-compat": "flake-compat", "flake-compat": "flake-compat_2",
"flake-utils": "flake-utils_2", "flake-utils": "flake-utils_3",
"nixpkgs": "nixpkgs_3" "nixpkgs": "nixpkgs_3"
}, },
"locked": { "locked": {


@ -7,6 +7,11 @@
# NixPkgs Unstable (nixos-unstable) # NixPkgs Unstable (nixos-unstable)
unstable.url = "github:nixos/nixpkgs/nixos-unstable"; unstable.url = "github:nixos/nixpkgs/nixos-unstable";
lanzaboote = {
url = "github:nix-community/lanzaboote/v0.3.0";
inputs.nixpkgs.follows = "nixpkgs";
};
snowfall-lib = { snowfall-lib = {
url = "github:snowfallorg/lib"; url = "github:snowfallorg/lib";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
@ -64,6 +69,7 @@
# ]; # ];
systems.modules.nixos = with inputs; [ systems.modules.nixos = with inputs; [
lanzaboote.nixosModules.lanzaboote
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager
]; ];
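Review bot: The `lanzaboote` input is pinned to the mutable tag `v0.3.0` while its `nixpkgs` follows the host's `nixpkgs`, so the lanzaboote stub and its `rust-overlay` toolchain are built against whatever nixpkgs this host later upgrades to, not the nixpkgs that release was tested against; the lock resolves the tag to rev 64b903c (lastModified 1682802423, i.e. late April 2023), about ten months before this commit. The auto-upgrade flags in the x1 config only pass `--update-input nixpkgs`/`unstable`, so lanzaboote itself stays locked, which is good, but a later `nix flake update` would re-resolve the tag and silently accept a force-pushed tag; consider pinning by commit, `url = "github:nix-community/lanzaboote/64b903ca87d18cef2752c19c098af275c6e51d63";`, or at least a comment next to the tag naming the narHash in flake.lock as the integrity anchor. `lanzaboote.nixosModules.lanzaboote` is added to `systems.modules.nixos`, which presumably imports it into every host built by this flake; a one-line comment, `# Imported on all hosts; only active where boot.lanzaboote.enable is set`, would make that intent explicit. The `systems.modules.nixos` list and the enclosing outputs attrset begin outside the hunk.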


@ -13,9 +13,11 @@ with lib.plusultra;
operation = "boot"; operation = "boot";
allowReboot = false; allowReboot = false;
flags = [ flags = [
"--update-input" "nixpkgs" "--update-input"
"--update-input" "unstable" "nixpkgs"
]; "--update-input"
"unstable"
];
flake = "git+https://git.hoyer.xyz/harald/nixcfg#x1"; flake = "git+https://git.hoyer.xyz/harald/nixcfg#x1";
}; };
@ -26,9 +28,13 @@ with lib.plusultra;
}; };
boot = { boot = {
lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
};
tmp.cleanOnBoot = true; tmp.cleanOnBoot = true;
loader = { loader = {
systemd-boot.enable = true; systemd-boot.enable = false;
efi.canTouchEfiVariables = true; efi.canTouchEfiVariables = true;
timeout = 2; timeout = 2;
}; };
@ -62,6 +68,7 @@ with lib.plusultra;
openssl openssl
restic restic
rrsync rrsync
sbctl
sops sops
strace strace
tmux tmux
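Review bot: `pkiBundle = "/etc/secureboot"` points at the directory holding the Secure Boot signing keys, but nothing in the hunk documents that those keys must already exist there (presumably created with `sbctl create-keys`, given `sbctl` is added to the package list) and be enrolled in firmware, nor that Secure Boot must actually be in enforcing mode on the machine — if it is not, lanzaboote still signs the boot entries but the firmware verifies nothing. Because `system.autoUpgrade` pulls `git+https://git.hoyer.xyz/harald/nixcfg#x1` and the signing keys are available locally at activation time, a compromised git remote would presumably yield a validly signed kernel, so the trust boundary now includes that git host; this setting predates the commit but the change raises its stakes. Suggest a comment above `lanzaboote`: `# Signing keys for lanzaboote; create with sbctl create-keys, enroll with sbctl enroll-keys, confirm enforcement with sbctl status / bootctl status. Private keys live here: keep root-only.` The enclosing `boot` attrset and the `with lib.plusultra;` module body start outside the hunk.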


@ -22,6 +22,7 @@
}; };
boot.initrd.luks.devices."luks-0e2792db-1b80-49a7-b2eb-54e4b5fc3502".device = "/dev/disk/by-uuid/0e2792db-1b80-49a7-b2eb-54e4b5fc3502"; boot.initrd.luks.devices."luks-0e2792db-1b80-49a7-b2eb-54e4b5fc3502".device = "/dev/disk/by-uuid/0e2792db-1b80-49a7-b2eb-54e4b5fc3502";
boot.initrd.luks.devices."luks-280f2e07-e5fc-478e-b7ee-445c99bea415".device = "/dev/disk/by-uuid/280f2e07-e5fc-478e-b7ee-445c99bea415";
fileSystems."/boot" = fileSystems."/boot" =
{ {
@ -29,7 +30,7 @@
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = [ ]; swapDevices = [{ device = "/dev/mapper/luks-280f2e07-e5fc-478e-b7ee-445c99bea415"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's
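Review bot: The new LUKS container `luks-280f2e07-…` is opened in the initrd and used as swap, yet no `boot.resumeDevice` is set, so if hibernation is the goal the kernel has no resume target; if hibernation is not the goal, a persistent passphrase-protected swap container is more than needed, and `swapDevices = [{ device = "<raw swap partition>"; randomEncryption.enable = true; }]` with a per-boot random key avoids both the long-lived key and a second initrd passphrase prompt. With two initrd LUKS devices a second prompt is presumably avoided only because NixOS reuses the entered passphrase across devices by default (`boot.initrd.luks.reusePassphrases`), which is worth stating in a comment so a future key change on one container does not surprise. This file is normally written by `nixos-generate-config`, and a regeneration would drop the hand-added lines; mark them, e.g. `# Hand-added: LUKS-encrypted swap, opened in initrd alongside the root container.`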