From 57318825006bdfa235d2c9b46befed79b4118ab1 Mon Sep 17 00:00:00 2001 From: Lyn Date: Wed, 16 Oct 2024 22:50:37 +0200 Subject: [PATCH] lanzaboot added for secureboot, went back to unstable packages --- flake.nix | 2 ++ hosts/supernova/default.nix | 21 ++++++++++++++------- modules/profiles/base.nix | 2 +- modules/profiles/secureboot.nix | 13 +++++++++++++ 4 files changed, 30 insertions(+), 8 deletions(-) create mode 100644 modules/profiles/secureboot.nix diff --git a/flake.nix b/flake.nix index 54c8e76..cceb947 100644 --- a/flake.nix +++ b/flake.nix @@ -1,6 +1,7 @@ { description = "Lyns flake"; inputs = { + lanzaboote.url = "github:nix-community/lanzaboote/v0.4.1"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05"; sops-nix.url = "github:Mic92/sops-nix"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable"; @@ -45,6 +46,7 @@ ./hosts/supernova sops-nix.nixosModules.sops passInputs mkLocalModsInput + lanzaboote.nixosModules.lanzaboote ]; }; }; diff --git a/hosts/supernova/default.nix b/hosts/supernova/default.nix index 959bf30..a069fe2 100644 --- a/hosts/supernova/default.nix +++ b/hosts/supernova/default.nix @@ -5,11 +5,14 @@ ./../../users/lyn ]; lyn.kernel.latest.enable = true; - lyn.kernel.hardened.enable = true; lyn.profiles.base.enable = true; + + networking.useDHCP = true; + # Use UEFI boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; + boot.kernelParams = [ "ip=dhcp" ]; # Firewall stuff: networking.firewall.enable = true; @@ -17,11 +20,18 @@ networking.hostName = "supernova"; system.stateVersion = "24.05"; + + ############## + ## Security ## + ############## + # Kernel hardening + lyn.kernel.hardened.enable = true; + + # Secure boot + lyn.profiles.secureboot.enable = true; + # FDE stuff - - boot.kernelParams = [ "ip=dhcp" ]; boot.loader.timeout = 2; - networking.useDHCP = true; boot.initrd = { availableKernelModules = [ "r8169" ]; systemd.users.root.shell = "/bin/systemd-tty-ask-password-agent"; 
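Review bot: The new `lanzaboote` input is added without a matching `flake.lock` change — the diffstat lists only the four `.nix` files — so `v0.4.1` is resolved at first evaluation instead of being pinned to a content hash in the committed lock, and any evaluation that forbids lock changes (`--no-update-lock-file`, a locked CI) fails until the lock is regenerated and committed. The lanzaboote flake presumably carries its own `nixpkgs` input; unless that is intended, `lanzaboote.inputs.nixpkgs.follows = "nixpkgs";` next to the URL keeps the signing tooling built from the same pinned package set as the rest of the system. The `inputs` attribute set continues past the hunk.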
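Review bot: `boot.loader.systemd-boot.enable = true;` is kept under `# Use UEFI` even though the `secureboot` profile that this same patch enables further down in the file force-disables it with `lib.mkForce false`, so the host now carries two contradicting declarations and the result is decided only by priority. Either drop the line here, leaving `boot.loader.efi.canTouchEfiVariables = true;`, or make the override visible where it is declared, e.g. `# Use UEFI; systemd-boot is replaced by lanzaboote while lyn.profiles.secureboot is enabled`. The relocated `networking.useDHCP` and `ip=dhcp` lines are unchanged in effect. The host attribute set starts before and continues after the hunk.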
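Review bot: `lyn.profiles.secureboot.enable = true;` refers to an option that the new `modules/profiles/secureboot.nix` in this patch does not declare — that file sets configuration unconditionally — so this line evaluates only if the local-modules wrapper (`mkLocalModsInput`, not shown) synthesizes an `enable` option per profile, as `lyn.profiles.base.enable` suggests it may; worth confirming before merging. Enabling the profile is also a boot-path cutover: once lanzaboote replaces systemd-boot, the machine will not start with Secure Boot enforced until the keys under the profile's `pkiBundle` exist and are enrolled, and a line such as `# Secure boot (keys must be created and enrolled with sbctl first; see modules/profiles/secureboot.nix)` would record that prerequisite next to the switch. The hunk ends inside `boot.initrd = { … }`, whose body continues past it.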
@@ -36,9 +46,6 @@ # authorizedKeys = [ "ssh-rsa ..." ]; authorizedKeys = with lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users); }; - #postCommands = '' - # echo 'cryptsetup-askpass' >> /root/.profile - #''; }; }; } diff --git a/modules/profiles/base.nix b/modules/profiles/base.nix index fa6b96a..9406564 100644 --- a/modules/profiles/base.nix +++ b/modules/profiles/base.nix @@ -2,7 +2,7 @@ lyn.sops.default.enable = true; nix.settings.experimental-features = [ "nix-command" "flakes" ]; nixpkgs.config.allowUnfree = true; - #nix.package = config.pkgsInstances.unstable.lix; + nix.package = config.pkgsInstances.unstable.lix; environment.variables.EDITOR = "nvim"; time.timeZone = "Europe/Berlin"; diff --git a/modules/profiles/secureboot.nix b/modules/profiles/secureboot.nix new file mode 100644 index 0000000..3f821a8 --- /dev/null +++ b/modules/profiles/secureboot.nix @@ -0,0 +1,13 @@ +{ config, pkgs, lib, ... }: +{ + environment.systemPackages = [ + # For debugging and troubleshooting Secure Boot. + pkgs.sbctl + ]; + boot.loader.systemd-boot.enable = lib.mkForce false; + boot.lanzaboote = { + enable = true; + pkiBundle = "/etc/secureboot"; + }; + +} \ No newline at end of file
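Review bot: `nix.package = config.pkgsInstances.unstable.lix;` is now live with no comment on why the package manager itself comes from the unstable instance while the rest of the profile stays on the pinned `nixos-24.05` input; since this is the tool that evaluates and builds every other derivation on the host, the choice deserves a one-line justification such as `# Lix from the unstable instance; revisit once the 24.05 package is sufficient`. The commit subject ("went back to unstable packages") is currently the only record of the intent. The enclosing profile attribute set starts before the hunk.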
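Review bot: The new module force-disables systemd-boot and enables lanzaboote with `pkiBundle = "/etc/secureboot"` but documents neither the manual prerequisites nor the trust consequence: the keys under that path must already exist and be enrolled in firmware for a signed boot to work, and the directory holds the private signing key, so whoever can write to it can sign boot images for this machine. A header comment covering this (keys are created and enrolled with `sbctl` before the profile is enabled, `/etc/secureboot` must stay root-only, `sbctl verify` checks the signed result) would make the profile self-explanatory; the inline comment on `pkgs.sbctl` is a good start. Separately, the module takes `config` but never uses it, declares no `options.lyn.profiles.secureboot.enable` even though `hosts/supernova/default.nix` in this patch sets it (fine only if the local-modules wrapper adds that option), and the file lacks a trailing newline.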