diff --git a/flake.lock b/flake.lock
index b381ea7..5834274 100644
--- a/flake.lock
+++ b/flake.lock
@@ -112,6 +112,21 @@
 "url": "https://git.berlin.ccc.de/servicepoint/servicepoint-binding-uniffi.git"
 }
 },
+ "crane": {
+ "locked": {
+ "lastModified": 1754269165,
+ "narHash": "sha256-0tcS8FHd4QjbCVoxN9jI+PjHgA4vc/IjkUSp+N3zy0U=",
+ "owner": "ipetkov",
+ "repo": "crane",
+ "rev": "444e81206df3f7d92780680e45858e31d2f07a08",
+ "type": "github"
+ },
+ "original": {
+ "owner": "ipetkov",
+ "repo": "crane",
+ "type": "github"
+ }
+ },
 "fenix": {
 "inputs": {
 "nixpkgs": [
@@ -150,6 +165,22 @@
 "type": "github"
 }
 },
+ "flake-compat": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1747046372,
+ "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
+ "type": "github"
+ },
+ "original": {
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "type": "github"
+ }
+ },
 "flake-parts": {
 "inputs": {
 "nixpkgs-lib": "nixpkgs-lib"
@@ -168,6 +199,27 @@
 "type": "github"
 }
 },
+ "flake-parts_2": {
+ "inputs": {
+ "nixpkgs-lib": [
+ "lanzaboote",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1754091436,
+ "narHash": "sha256-XKqDMN1/Qj1DKivQvscI4vmHfDfvYR2pfuFOJiCeewM=",
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "rev": "67df8c627c2c39c41dbec76a1f201929929ab0bd",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "type": "github"
+ }
+ },
 "fromYaml": {
 "flake": false,
 "locked": {
@@ -184,6 +236,28 @@
 "type": "github"
 }
 },
+ "gitignore": {
+ "inputs": {
+ "nixpkgs": [
+ "lanzaboote",
+ "pre-commit-hooks-nix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1709087332,
+ "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+ "owner": "hercules-ci",
+ "repo": "gitignore.nix",
+ "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "gitignore.nix",
+ "type": "github"
+ }
+ },
 "gnome-shell": {
 "flake": false,
 "locked": {
@@ -222,6 +296,32 @@
 "type": "github"
 }
 },
+ "lanzaboote": {
+ "inputs": {
+ "crane": "crane",
+ "flake-compat": "flake-compat",
+ "flake-parts": "flake-parts_2",
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "pre-commit-hooks-nix": "pre-commit-hooks-nix",
+ "rust-overlay": "rust-overlay"
+ },
+ "locked": {
+ "lastModified": 1762205063,
+ "narHash": "sha256-If6vQ+KvtKs3ARBO9G3l+4wFSCYtRBrwX1z+I+B61wQ=",
+ "owner": "nix-community",
+ "repo": "lanzaboote",
+ "rev": "88b8a563ff5704f4e8d8e5118fb911fa2110ca05",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "ref": "v0.4.3",
+ "repo": "lanzaboote",
+ "type": "github"
+ }
+ },
 "naersk": {
 "inputs": {
 "fenix": "fenix",
@@ -408,10 +508,37 @@
 "type": "github"
 }
 },
+ "pre-commit-hooks-nix": {
+ "inputs": {
+ "flake-compat": [
+ "lanzaboote",
+ "flake-compat"
+ ],
+ "gitignore": "gitignore",
+ "nixpkgs": [
+ "lanzaboote",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1750779888,
+ "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=",
+ "owner": "cachix",
+ "repo": "pre-commit-hooks.nix",
+ "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d",
+ "type": "github"
+ },
+ "original": {
+ "owner": "cachix",
+ "repo": "pre-commit-hooks.nix",
+ "type": "github"
+ }
+ },
 "root": {
 "inputs": {
 "flake-parts": "flake-parts",
 "home-manager": "home-manager",
+ "lanzaboote": "lanzaboote",
 "naersk": "naersk",
 "niri": "niri",
 "nix-filter": "nix-filter",
@@ -444,6 +571,27 @@
 "type": "github"
 }
 },
+ "rust-overlay": {
+ "inputs": {
+ "nixpkgs": [
+ "lanzaboote",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1761791894,
+ "narHash": "sha256-myRIDh+PxaREz+z9LzbqBJF+SnTFJwkthKDX9zMyddY=",
+ "owner": "oxalica",
+ "repo": "rust-overlay",
+ "rev": "59c45eb69d9222a4362673141e00ff77842cd219",
+ "type": "github"
+ },
+ "original": {
+ "owner": "oxalica",
+ "repo": "rust-overlay",
+ "type": "github"
+ }
+ },
 "servicepoint-cli": {
 "inputs": {
 "naersk": [
diff --git a/flake.nix b/flake.nix
index 9d1a457..1f361fd 100644
--- a/flake.nix
+++ b/flake.nix
@@ -13,6 +13,10 @@
 url = "github:hercules-ci/flake-parts";
 #inputs.nixpkgs.follows = "nixpkgs";
 };
+ lanzaboote = {
+ url = "github:nix-community/lanzaboote/v0.4.3";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 naersk = {
 url = "github:nix-community/naersk";
 inputs.nixpkgs.follows = "nixpkgs";
@@ -79,6 +83,7 @@
 nixpkgs,
 home-manager,
 # keep-sorted start
+ lanzaboote,
 niri,
 nix-vscode-extensions,
 nixpkgs-unstable,
@@ -104,6 +109,7 @@
 self.nixosModules.podman
 self.nixosModules.vinzenz-desktop-settings
 self.nixosModules.intel-graphics
+ self.nixosModules.secure-boot
 ];
 home-manager-users = {
 inherit (self.homeConfigurations) vinzenz;
@@ -260,6 +266,7 @@
 ./nixosConfigurations/${device} # keep-sorted start
+ lanzaboote.nixosModules.lanzaboote
 self.nixosModules.allowed-unfree-list
 self.nixosModules.autoupdate
 self.nixosModules.default
diff --git a/nixosModules/secure-boot.nix b/nixosModules/secure-boot.nix
new file mode 100644
index 0000000..7a483b1
--- /dev/null
+++ b/nixosModules/secure-boot.nix
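Review bot: The new `lanzaboote` input in the `@@ -13` hunk overrides only `nixpkgs`, so per flake.lock it pulls in its own pins of crane, rust-overlay, flake-compat, pre-commit-hooks-nix, gitignore and a second flake-parts (`flake-parts_2`), each a separate upstream to track for updates and advisories. If lanzaboote builds against the root's flake-parts, adding `inputs.flake-parts.follows = "flake-parts";` under the new input would remove the duplicate pin; the others are lanzaboote's own build-time dependencies and reasonably stay as they are. Pinning to the `v0.4.3` tag is good, and since the lock records the exact `rev` and `narHash`, the tag being moved cannot change the build until the lock is deliberately updated. The `@@ -104` hunk enables `self.nixosModules.secure-boot` for one host only while `@@ -260` imports `lanzaboote.nixosModules.lanzaboote` into every configuration; that looks intentional (the option module should be inert until `boot.lanzaboote.enable` is set), but a short comment next to the import, e.g. `# options only; enabled per host via nixosModules.secure-boot`, would spare the next reader the check. The enclosing attribute sets start and end outside these hunks.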
@@ -0,0 +1,28 @@
+{ pkgs, lib, ... }:
+{
+ # https://github.com/nix-community/lanzaboote/blob/70be03ab23d0988224e152f5b52e2fbf44a6d8ee/docs/QUICK_START.md
+ # To enroll:
+ # 1. Put Secure Boot in Setup mode
+ # 2. sudo sbctl create-keys
+ # 3. import this module, rebuild
+ # 4. sudo sbctl verify
+ # 5. sudo sbctl enroll-keys --microsoft
+ # 6, reboot
+ # 7. sudo sbctl status
+ environment.systemPackages = [
+ # For debugging and troubleshooting Secure Boot.
+ pkgs.sbctl
+ ];
+
+ # Lanzaboote currently replaces the systemd-boot module.
+ # This setting is usually set to true in configuration.nix
+ # generated at installation time. So we force it to false
+ # for now.
+ boot.loader.systemd-boot.enable = lib.mkForce false;
+ boot.lanzaboote = {
+ enable = true;
+ pkiBundle = "/var/lib/sbctl";
+ };
+}
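Review bot: The enrollment steps in the header comment take a trust decision without recording it: step 5's `sbctl enroll-keys --microsoft` enrolls Microsoft's UEFI certificates alongside the freshly created keys, so anything Microsoft-signed remains bootable next to the lanzaboote-signed generations. That is usually the right trade-off for firmware and option-ROM compatibility, but the comment should say so, e.g. `# --microsoft keeps Microsoft's UEFI CA in db; most firmware/option ROMs need it, so only drop it after confirming this machine boots without it`. The same list has a typo at `# 6, reboot`, which should read `# 6. reboot`. On `pkiBundle = "/var/lib/sbctl";` a one-line note that this directory holds the private signing keys created in step 2 (keep it root-only and backed up; losing it means re-enrolling from Setup mode) would help, since the module otherwise depends silently on that directory existing.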