From 4a7cc1121cad6d9b203f5383b5e15346584a6902 Mon Sep 17 00:00:00 2001 From: uttarayan21 Date: Thu, 22 Feb 2024 17:44:20 +0530 Subject: [PATCH] [feat] Add secureboot --- config/nix/flake.lock | 222 ++++++++++++++++++++++++++++- config/nix/flake.nix | 5 + config/nix/linux/default.nix | 3 +- config/nix/nixos/configuration.nix | 10 +- config/nix/nixos/device.nix | 6 +- 5 files changed, 237 insertions(+), 9 deletions(-) diff --git a/config/nix/flake.lock b/config/nix/flake.lock index ca358f4d..bd0662ff 100644 --- a/config/nix/flake.lock +++ b/config/nix/flake.lock @@ -115,6 +115,27 @@ "type": "github" } }, + "crane_2": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1707685877, + "narHash": "sha256-XoXRS+5whotelr1rHiZle5t5hDg9kpguS5yk8c8qzOc=", + "owner": "ipetkov", + "repo": "crane", + "rev": "2c653e4478476a52c6aa3ac0495e4dea7449ea0e", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, "flake-compat": { "flake": false, "locked": { @@ -131,6 +152,22 @@ "type": "github" } }, + "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-parts": { "inputs": { "nixpkgs-lib": [ @@ -173,7 +210,7 @@ "flake-parts_3": { "inputs": { "nixpkgs-lib": [ - "neovim-nightly-overlay", + "lanzaboote", "nixpkgs" ] }, 
@@ -192,6 +229,27 @@ } }, "flake-parts_4": { + "inputs": { + "nixpkgs-lib": [ + "neovim-nightly-overlay", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1706830856, + "narHash": "sha256-a0NYyp+h9hlb7ddVz4LUn1vT/PLwqfrWYcHMvFB1xYg=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "b253292d9c0a5ead9bc98c4e9a26c6312e27d69f", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_5": { "inputs": { "nixpkgs-lib": [ "neovim-nightly-overlay", @@ -287,6 +345,24 @@ "inputs": { "systems": "systems_5" }, + "locked": { + "lastModified": 1705309234, + "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_6": { + "inputs": { + "systems": "systems_6" + }, "locked": { "lastModified": 1701680307, "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", @@ -301,9 +377,31 @@ "type": "github" } }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "pre-commit-hooks-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703887061, + "narHash": "sha256-gGPa9qWNc6eCXT/+Z5/zMkyYOuRZqeFZBDbopNZQkuY=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "43e1aa1308018f37118e34d3a9cb4f5e75dc11d5", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, "hercules-ci-effects": { "inputs": { - "flake-parts": "flake-parts_4", + "flake-parts": "flake-parts_5", "nixpkgs": [ "neovim-nightly-overlay", "nixpkgs" 
@@ -366,6 +464,32 @@ "type": "github" } }, + "lanzaboote": { + "inputs": { + "crane": "crane_2", + "flake-compat": "flake-compat", + "flake-parts": "flake-parts_3", + "flake-utils": "flake-utils_5", + "nixpkgs": [ + "nixpkgs" + ], + "pre-commit-hooks-nix": "pre-commit-hooks-nix", + "rust-overlay": "rust-overlay_4" + }, + "locked": { + "lastModified": 1708388174, + "narHash": "sha256-mLROAGNyOykYwWOLga24BX05GnRE+acms0Ru10tye2o=", + "owner": "nix-community", + "repo": "lanzaboote", + "rev": "73fec69386e8005911e15f3abe6bb6cee7fd9711", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "lanzaboote", + "type": "github" + } + }, "naersk": { "inputs": { "nixpkgs": "nixpkgs_3" @@ -386,7 +510,7 @@ }, "neovim-flake": { "inputs": { - "flake-utils": "flake-utils_5", + "flake-utils": "flake-utils_6", "nixpkgs": [ "neovim-nightly-overlay", "nixpkgs" @@ -410,8 +534,8 @@ }, "neovim-nightly-overlay": { "inputs": { - "flake-compat": "flake-compat", - "flake-parts": "flake-parts_3", + "flake-compat": "flake-compat_2", + "flake-parts": "flake-parts_4", "hercules-ci-effects": "hercules-ci-effects", "neovim-flake": "neovim-flake", "nixpkgs": [ @@ -487,6 +611,22 @@ "type": "github" } }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1704874635, + "narHash": "sha256-YWuCrtsty5vVZvu+7BchAxmcYzTMfolSPP5io8+WYCg=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "3dc440faeee9e889fe2d1b4d25ad0f430d449356", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs_2": { "locked": { "lastModified": 1706487304, 
@@ -533,6 +673,37 @@ "type": "github" } }, + "pre-commit-hooks-nix": { + "inputs": { + "flake-compat": [ + "lanzaboote", + "flake-compat" + ], + "flake-utils": [ + "lanzaboote", + "flake-utils" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1708018599, + "narHash": "sha256-M+Ng6+SePmA8g06CmUZWi1AjG2tFBX9WCXElBHEKnyM=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "5df5a70ad7575f6601d91f0efec95dd9bc619431", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "root": { "inputs": { "anyrun": "anyrun", @@ -542,6 +713,7 @@ "flake-utils": "flake-utils_3", "home-manager": "home-manager", "ironbar": "ironbar", + "lanzaboote": "lanzaboote", "neovim-nightly-overlay": "neovim-nightly-overlay", "nix-darwin": "nix-darwin", "nixpkgs": "nixpkgs_4" @@ -607,6 +779,31 @@ "type": "github" } }, + "rust-overlay_4": { + "inputs": { + "flake-utils": [ + "lanzaboote", + "flake-utils" + ], + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1708241671, + "narHash": "sha256-zSulX9tP4R35Y8A842dGSzaHMVP91W2Ry0SXvQKD2BQ=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "d500e370b26f9b14303cb39bf1509df0a920c8b0", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "systems": { "locked": { "lastModified": 1681028828, @@ -681,6 +878,21 @@ "repo": "default", "type": "github" } + }, + "systems_6": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } } }, "root": "root", 
diff --git a/config/nix/flake.nix b/config/nix/flake.nix index e5613d71..bb53f1a9 100644 --- a/config/nix/flake.nix +++ b/config/nix/flake.nix @@ -42,6 +42,11 @@ inputs.nixpkgs.follows = "nixpkgs"; }; + lanzaboote = { + url = "github:nix-community/lanzaboote"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + }; outputs = { nixpkgs, diff --git a/config/nix/linux/default.nix b/config/nix/linux/default.nix index df6ee75b..9eab22b0 100644 --- a/config/nix/linux/default.nix +++ b/config/nix/linux/default.nix @@ -1,4 +1,4 @@ -{ pkgs, ... }: { +{ pkgs, device, ... }: { imports = [ ../common/firefox.nix ../linux/hyprland.nix @@ -17,6 +17,7 @@ ExecStart = "${pkgs.spotify-player}/bin/spotify_player -d"; Restart = "on-failure"; RestartSec = "5"; + User = "${device.user}"; }; }; } diff --git a/config/nix/nixos/configuration.nix b/config/nix/nixos/configuration.nix index 179dd0a7..f5c9bab4 100644 --- a/config/nix/nixos/configuration.nix +++ b/config/nix/nixos/configuration.nix @@ -1,12 +1,17 @@ # Edit this configuration file to define what should be installed on # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). -{ pkgs, ... }: { +{ pkgs, ... }: { imports = [ # Include the results of the hardware scan. ./hardware-configuration.nix ]; + boot.lanzaboote = { + enable = true; + pkiBundle = "/etc/secureboot"; + }; + environment.etc = { "wireplumber/bluetooth.lua.d/51-bluez-config.lua".text = '' bluez_monitor.properties = { @@ -21,7 +26,8 @@ hardware.bluetooth.enable = true; hardware.bluetooth.powerOnBoot = true; # Bootloader. - boot.loader.systemd-boot.enable = true; + boot.loader.systemd-boot.enable = pkgs.lib.mkForce false; + boot.loader.efi.canTouchEfiVariables = true; boot.bootspec.enable = true; diff --git a/config/nix/nixos/device.nix b/config/nix/nixos/device.nix index 53358d75..f118c6fd 100644 --- a/config/nix/nixos/device.nix +++ b/config/nix/nixos/device.nix 
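Review bot: The new input `url = "github:nix-community/lanzaboote";` carries no ref, so every `nix flake update` moves this boot-signing component to the tip of its default branch rather than to a reviewed release; the lock file pins a revision today, but that pin is only as deliberate as the next update. Because lanzaboote produces the signed EFI images the firmware is asked to trust, pinning to a release ref, `url = "github:nix-community/lanzaboote/<release-tag>";`, and reading the lock diff on updates keeps that trust boundary explicit. The `inputs.nixpkgs.follows = "nixpkgs";` line matches the other inputs in this file and is fine.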
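Review bot: `User = "${device.user}";` in the linux/default.nix hunk wraps a lone string in interpolation for no effect; `User = device.user;` is the idiomatic form (statix flags this pattern). The enclosing service definition starts outside the hunk, so it is not visible whether this is a `systemd.services` or a `systemd.user.services` unit; `User=` is only meaningful to the system manager, and in a per-user unit the line would be a no-op while still reading as if it constrained who the process runs as. The first hunk adds `device` to this file's argument set, which only resolves if the evaluator passes it in — `specialArgs` for NixOS modules, as device.nix does, but `home-manager.extraSpecialArgs` if this file is loaded as a home-manager module; the home-manager block in device.nix is cut off in this patch, so worth confirming.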
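Review bot: `pkiBundle = "/etc/secureboot";` points Lanzaboote at signing keys that nothing in this configuration creates, so the build depends on out-of-band state a fresh install will not have, and the hunk says nothing about it. The private keys in that bundle sign every generation and are the root of trust the firmware is being told to honour, so the block should document that they are provisioned outside Nix, kept root-only and backed up offline; once the firmware enforces Secure Boot, earlier unsigned generations also stop being a rollback path, which is worth stating next to `enable = true;` so enabling the module and enrolling keys are not done as one unreviewed step. Suggested comment above the block: `# Keys in pkiBundle are generated and enrolled outside Nix; they sign every generation, so keep the directory root-only and back the keys up offline.`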
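Review bot: `boot.loader.systemd-boot.enable = pkgs.lib.mkForce false;` reaches `lib` through `pkgs`, whereas NixOS modules receive `lib` as a module argument; `{ pkgs, lib, ... }:` on the first line (which the earlier hunk of this file already touches) and `boot.loader.systemd-boot.enable = lib.mkForce false;` here is the conventional form. The override itself is presumably needed because the lanzaboote module expects plain systemd-boot to be off, but the surviving `# Bootloader.` comment no longer describes what follows; `# Lanzaboote installs its own signed stub, so plain systemd-boot must stay disabled.` would tell the next reader why a `mkForce` is sitting here.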
@@ -3,11 +3,15 @@ builtins.listToAttrs (builtins.map (device: { name = device.name; value = nixpkgs.lib.nixosSystem { system = device.system; - specialArgs = { inherit device; }; + specialArgs = { + inherit device; + lanzaboote = inputs.lanzaboote; + }; modules = [ { nixpkgs.overlays = overlays; } ./configuration.nix home-manager.nixosModules.home-manager + inputs.lanzaboote.nixosModules.lanzaboote { nixpkgs.config.allowUnfree = true; home-manager = {
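Review bot: `lanzaboote = inputs.lanzaboote;` in `specialArgs` hands the whole flake input to every NixOS module, but configuration.nix in this patch only uses the `boot.lanzaboote.*` options that the `inputs.lanzaboote.nixosModules.lanzaboote` line below provides, so the extra argument appears unused; unless another module reads `lanzaboote` as an argument, `specialArgs = { inherit device; };` can stay as it was and only the module line is needed. Both added lines also assume `inputs` is bound in this file's argument set, which begins above the hunk and is not visible here.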