lpt2: secure boot using lanzaboote

This commit is contained in:
Vinzenz Schroeter 2025-11-15 14:13:00 +01:00
parent 02c5171e04
commit c972ff1e19
3 changed files with 183 additions and 0 deletions

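--- a/flake.lock
+++ b/flake.lock
@@ -112,6 +112,21 @@
 "url": "https://git.berlin.ccc.de/servicepoint/servicepoint-binding-uniffi.git"
 }
 },
+"crane": {
+"locked": {
+"lastModified": 1754269165,
+"narHash": "sha256-0tcS8FHd4QjbCVoxN9jI+PjHgA4vc/IjkUSp+N3zy0U=",
+"owner": "ipetkov",
+"repo": "crane",
+"rev": "444e81206df3f7d92780680e45858e31d2f07a08",
+"type": "github"
+},
+"original": {
+"owner": "ipetkov",
+"repo": "crane",
+"type": "github"
+}
+},
 "fenix": {
 "inputs": {
 "nixpkgs": [
@@ -150,6 +165,22 @@
 "type": "github"
 }
 },
+"flake-compat": {
+"flake": false,
+"locked": {
+"lastModified": 1747046372,
+"narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
+"owner": "edolstra",
+"repo": "flake-compat",
+"rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
+"type": "github"
+},
+"original": {
+"owner": "edolstra",
+"repo": "flake-compat",
+"type": "github"
+}
+},
 "flake-parts": {
 "inputs": {
 "nixpkgs-lib": "nixpkgs-lib"
@@ -168,6 +199,27 @@
 "type": "github"
 }
 },
+"flake-parts_2": {
+"inputs": {
+"nixpkgs-lib": [
+"lanzaboote",
+"nixpkgs"
+]
+},
+"locked": {
+"lastModified": 1754091436,
+"narHash": "sha256-XKqDMN1/Qj1DKivQvscI4vmHfDfvYR2pfuFOJiCeewM=",
+"owner": "hercules-ci",
+"repo": "flake-parts",
+"rev": "67df8c627c2c39c41dbec76a1f201929929ab0bd",
+"type": "github"
+},
+"original": {
+"owner": "hercules-ci",
+"repo": "flake-parts",
+"type": "github"
+}
+},
 "fromYaml": {
 "flake": false,
 "locked": {
@@ -184,6 +236,28 @@
 "type": "github"
 }
 },
+"gitignore": {
+"inputs": {
+"nixpkgs": [
+"lanzaboote",
+"pre-commit-hooks-nix",
+"nixpkgs"
+]
+},
+"locked": {
+"lastModified": 1709087332,
+"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+"owner": "hercules-ci",
+"repo": "gitignore.nix",
+"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+"type": "github"
+},
+"original": {
+"owner": "hercules-ci",
+"repo": "gitignore.nix",
+"type": "github"
+}
+},
 "gnome-shell": {
 "flake": false,
 "locked": {
@@ -222,6 +296,32 @@
 "type": "github"
 }
 },
+"lanzaboote": {
+"inputs": {
+"crane": "crane",
+"flake-compat": "flake-compat",
+"flake-parts": "flake-parts_2",
+"nixpkgs": [
+"nixpkgs"
+],
+"pre-commit-hooks-nix": "pre-commit-hooks-nix",
+"rust-overlay": "rust-overlay"
+},
+"locked": {
+"lastModified": 1762205063,
+"narHash": "sha256-If6vQ+KvtKs3ARBO9G3l+4wFSCYtRBrwX1z+I+B61wQ=",
+"owner": "nix-community",
+"repo": "lanzaboote",
+"rev": "88b8a563ff5704f4e8d8e5118fb911fa2110ca05",
+"type": "github"
+},
+"original": {
+"owner": "nix-community",
+"ref": "v0.4.3",
+"repo": "lanzaboote",
+"type": "github"
+}
+},
 "naersk": {
 "inputs": {
 "fenix": "fenix",
@@ -408,10 +508,37 @@
 "type": "github"
 }
 },
+"pre-commit-hooks-nix": {
+"inputs": {
+"flake-compat": [
+"lanzaboote",
+"flake-compat"
+],
+"gitignore": "gitignore",
+"nixpkgs": [
+"lanzaboote",
+"nixpkgs"
+]
+},
+"locked": {
+"lastModified": 1750779888,
+"narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=",
+"owner": "cachix",
+"repo": "pre-commit-hooks.nix",
+"rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d",
+"type": "github"
+},
+"original": {
+"owner": "cachix",
+"repo": "pre-commit-hooks.nix",
+"type": "github"
+}
+},
 "root": {
 "inputs": {
 "flake-parts": "flake-parts",
 "home-manager": "home-manager",
+"lanzaboote": "lanzaboote",
 "naersk": "naersk",
 "niri": "niri",
 "nix-filter": "nix-filter",
@@ -444,6 +571,27 @@
 "type": "github"
 }
 },
+"rust-overlay": {
+"inputs": {
+"nixpkgs": [
+"lanzaboote",
+"nixpkgs"
+]
+},
+"locked": {
+"lastModified": 1761791894,
+"narHash": "sha256-myRIDh+PxaREz+z9LzbqBJF+SnTFJwkthKDX9zMyddY=",
+"owner": "oxalica",
+"repo": "rust-overlay",
+"rev": "59c45eb69d9222a4362673141e00ff77842cd219",
+"type": "github"
+},
+"original": {
+"owner": "oxalica",
+"repo": "rust-overlay",
+"type": "github"
+}
+},
 "servicepoint-cli": {
 "inputs": {
 "naersk": [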

@ -13,6 +13,10 @@
url = "github:hercules-ci/flake-parts"; url = "github:hercules-ci/flake-parts";
#inputs.nixpkgs.follows = "nixpkgs"; #inputs.nixpkgs.follows = "nixpkgs";
}; };
lanzaboote = {
url = "github:nix-community/lanzaboote/v0.4.3";
inputs.nixpkgs.follows = "nixpkgs";
};
naersk = { naersk = {
url = "github:nix-community/naersk"; url = "github:nix-community/naersk";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
@ -79,6 +83,7 @@
nixpkgs, nixpkgs,
home-manager, home-manager,
# keep-sorted start # keep-sorted start
lanzaboote,
niri, niri,
nix-vscode-extensions, nix-vscode-extensions,
nixpkgs-unstable, nixpkgs-unstable,
@ -104,6 +109,7 @@
self.nixosModules.podman self.nixosModules.podman
self.nixosModules.vinzenz-desktop-settings self.nixosModules.vinzenz-desktop-settings
self.nixosModules.intel-graphics self.nixosModules.intel-graphics
self.nixosModules.secure-boot
]; ];
home-manager-users = { home-manager-users = {
inherit (self.homeConfigurations) vinzenz; inherit (self.homeConfigurations) vinzenz;
@ -260,6 +266,7 @@
./nixosConfigurations/${device} ./nixosConfigurations/${device}
# keep-sorted start # keep-sorted start
lanzaboote.nixosModules.lanzaboote
self.nixosModules.allowed-unfree-list self.nixosModules.allowed-unfree-list
self.nixosModules.autoupdate self.nixosModules.autoupdate
self.nixosModules.default self.nixosModules.default
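Review bot: The new `lanzaboote` input only overrides `nixpkgs` (hunk `@@ -13,6 +13,10 @@`), so the lock file now carries a second, independently pinned copy of flake-parts (`flake-parts_2`) plus lanzaboote's own `flake-compat`, `crane`, `rust-overlay` and `pre-commit-hooks-nix` trees; each is another upstream the lock has to track for updates and advisories. If lanzaboote v0.4.3 builds against the root's flake-parts — I cannot confirm that from this page — adding `inputs.flake-parts.follows = "flake-parts";` next to the existing `inputs.nixpkgs.follows = "nixpkgs";` would deduplicate it; otherwise a short comment on the input saying why it is left un-followed would save the next reader the question. Separately, `lanzaboote.nixosModules.lanzaboote` is imported for every device in the generic configuration (hunk `@@ -260,6 +266,7 @@`) while `self.nixosModules.secure-boot` is added to only one host (hunk `@@ -104,6 +109,7 @@`); a one-line comment at the generic import, e.g. `# Module only; enabling is per host via self.nixosModules.secure-boot`, would make that split intentional. The enclosing attribute sets of all four hunks start and end outside the shown lines.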


@ -0,0 +1,28 @@
{ pkgs, lib, ... }:
{
# https://github.com/nix-community/lanzaboote/blob/70be03ab23d0988224e152f5b52e2fbf44a6d8ee/docs/QUICK_START.md
# To enroll:
# 1. Put Secure Boot in Setup mode
# 2. sudo sbctl create-keys
# 3. import this module, rebuild
# 4. sudo sbctl verify
# 5. sudo sbctl enroll-keys --microsoft
# 6, reboot
# 7. sudo sbctl status
environment.systemPackages = [
# For debugging and troubleshooting Secure Boot.
pkgs.sbctl
];
# Lanzaboote currently replaces the systemd-boot module.
# This setting is usually set to true in configuration.nix
# generated at installation time. So we force it to false
# for now.
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.lanzaboote = {
enable = true;
pkiBundle = "/var/lib/sbctl";
};
}
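Review bot: `pkiBundle = "/var/lib/sbctl";` points at the directory holding the private Secure Boot signing keys created by `sudo sbctl create-keys` (step 2 of the header comment), and the module says nothing about protecting it; anyone able to read that directory can sign arbitrary boot artifacts that this machine's firmware will then trust, which defeats the purpose of the feature. I would add above that line: `# Private signing keys from sbctl live here (root-only; keep on the encrypted root — readable keys let an attacker sign their own boot chain).` The enrollment checklist would also benefit from stating that step 4 `sudo sbctl verify` must report every boot file as signed before step 5 enrolls the keys, since enrolling with unsigned files present can leave the system unbootable (as I understand the linked quick start; worth confirming against the pinned v0.4.3 docs rather than the commit-hash URL, which may drift from the version actually in use). Minor: `# 6, reboot` should read `# 6. reboot` to match the other steps.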