lanzaboot added for secureboot, went back to unstable packages

This commit is contained in:
Lyn 2024-10-16 22:50:37 +02:00
parent 6525287824
commit 5731882500
4 changed files with 30 additions and 8 deletions


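--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,6 +1,7 @@
 {
 description = "Lyns flake";
 inputs = {
+lanzaboote.url = "github:nix-community/lanzaboote/v0.4.1";
 nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
 sops-nix.url = "github:Mic92/sops-nix";
 nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
@@ -45,6 +46,7 @@
 ./hosts/supernova
 sops-nix.nixosModules.sops
 passInputs mkLocalModsInput
+lanzaboote.nixosModules.lanzaboote
 ];
 };
 };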
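Review bot: The new `lanzaboote` input in the first hunk does not pin its own `nixpkgs` to the flake's, so the lanzaboote module is evaluated against whatever nixpkgs revision the upstream flake locks rather than the `nixos-24.05` the host uses, and a second nixpkgs ends up in the closure. Adding `lanzaboote.inputs.nixpkgs.follows = "nixpkgs";` next to the url keeps a single nixpkgs and makes the signed boot artifacts come from the same package set as the rest of the system. Pinning to the `v0.4.1` tag is reasonable since the lock file fixes the exact revision; bumping it later is then a deliberate, reviewable step.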


@ -5,11 +5,14 @@
./../../users/lyn ./../../users/lyn
]; ];
lyn.kernel.latest.enable = true; lyn.kernel.latest.enable = true;
lyn.kernel.hardened.enable = true;
lyn.profiles.base.enable = true; lyn.profiles.base.enable = true;
networking.useDHCP = true;
# Use UEFI # Use UEFI
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;
boot.kernelParams = [ "ip=dhcp" ];
# Firewall stuff: # Firewall stuff:
networking.firewall.enable = true; networking.firewall.enable = true;
@ -17,11 +20,18 @@
networking.hostName = "supernova"; networking.hostName = "supernova";
system.stateVersion = "24.05"; system.stateVersion = "24.05";
##############
## Security ##
##############
# Kernel hardening
lyn.kernel.hardened.enable = true;
# Secure boot
lyn.profiles.secureboot.enable = true;
# FDE stuff # FDE stuff
boot.kernelParams = [ "ip=dhcp" ];
boot.loader.timeout = 2; boot.loader.timeout = 2;
networking.useDHCP = true;
boot.initrd = { boot.initrd = {
availableKernelModules = [ "r8169" ]; availableKernelModules = [ "r8169" ];
systemd.users.root.shell = "/bin/systemd-tty-ask-password-agent"; systemd.users.root.shell = "/bin/systemd-tty-ask-password-agent";
@ -36,9 +46,6 @@
# authorizedKeys = [ "ssh-rsa ..." ]; # authorizedKeys = [ "ssh-rsa ..." ];
authorizedKeys = with lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users); authorizedKeys = with lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users);
}; };
#postCommands = ''
# echo 'cryptsetup-askpass' >> /root/.profile
#'';
}; };
}; };
} }
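Review bot: `lyn.profiles.secureboot.enable = true;` in the second hunk is added while the host still sets `boot.loader.systemd-boot.enable = true;` in the first hunk; the secureboot profile introduced elsewhere in this commit force-disables that option, so the host line is now dead and reads as if systemd-boot's own installer were still in charge. Either drop it here or annotate it, e.g. `# overridden (mkForce false) by the secureboot profile; lanzaboote installs the signed boot loader`. The `# Secure boot` comment would also be more useful if it stated the prerequisite: the signing keys must already exist in the profile's pkiBundle directory before the first activation, otherwise the signing step during installation is expected to fail, and if the firmware enforces Secure Boot without those keys enrolled the machine will not boot. The `boot.initrd` attribute set opened in the second hunk continues into the third, which ends outside the first two hunks' context.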


@ -2,7 +2,7 @@
lyn.sops.default.enable = true; lyn.sops.default.enable = true;
nix.settings.experimental-features = [ "nix-command" "flakes" ]; nix.settings.experimental-features = [ "nix-command" "flakes" ];
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
#nix.package = config.pkgsInstances.unstable.lix; nix.package = config.pkgsInstances.unstable.lix;
environment.variables.EDITOR = "nvim"; environment.variables.EDITOR = "nvim";
time.timeZone = "Europe/Berlin"; time.timeZone = "Europe/Berlin";


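--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,13 @@
+{ config, pkgs, lib, ... }:
+{
+environment.systemPackages = [
+# For debugging and troubleshooting Secure Boot.
+pkgs.sbctl
+];
+boot.loader.systemd-boot.enable = lib.mkForce false;
+boot.lanzaboote = {
+enable = true;
+pkiBundle = "/etc/secureboot";
+};
+}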
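Review bot: The new profile module declares no `options` and has no `lib.mkIf` guard, yet the host enables it through `lyn.profiles.secureboot.enable`; unless a loader outside this commit wraps profile files in an enable option (presumably how `lyn.profiles.base` works), this module applies to every host that imports it, force-disabling systemd-boot's installer on machines that never created signing keys. The `config` argument in the module header is unused. `boot.loader.systemd-boot.enable = lib.mkForce false;` deserves a why-comment, e.g. `# lanzaboote installs its own signed boot loader and unified kernel images; the stock systemd-boot installer must stay off so it does not replace them`, and `pkiBundle` one naming the prerequisite and the sensitivity of the directory, e.g. `# Secure Boot signing keys (created with sbctl); the private key lives here and must exist before the first activation`.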