lanzaboot added for secureboot, went back to unstable packages

2024-10-16 22:50:37 +02:00 · 2024-10-16 22:50:37 +02:00 · 5731882500
commit 5731882500
parent 6525287824
4 changed files with 30 additions and 8 deletions
--- a/flake.nix
+++ b/flake.nix
@ -1,6 +1,7 @@
 {
  description = "Lyns flake";
  inputs = {
+    lanzaboote.url = "github:nix-community/lanzaboote/v0.4.1";
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
    sops-nix.url = "github:Mic92/sops-nix";
    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
@ -45,6 +46,7 @@
          ./hosts/supernova
          sops-nix.nixosModules.sops
          passInputs mkLocalModsInput
+          lanzaboote.nixosModules.lanzaboote
        ];
      };
    };
--- a/hosts/supernova/default.nix
+++ b/hosts/supernova/default.nix
@ -5,11 +5,14 @@
      ./../../users/lyn
    ];
  lyn.kernel.latest.enable = true; 
-  lyn.kernel.hardened.enable = true;
  lyn.profiles.base.enable = true;
+  
+  networking.useDHCP = true;
+
  # Use UEFI
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
+  boot.kernelParams = [ "ip=dhcp" ]; 

  # Firewall stuff:
  networking.firewall.enable = true;
@ -17,11 +20,18 @@
  networking.hostName = "supernova";
  system.stateVersion = "24.05"; 

-  # FDE stuff

-  boot.kernelParams = [ "ip=dhcp" ]; 
+  ##############
+  ## Security ##
+  ##############
+  # Kernel hardening
+  lyn.kernel.hardened.enable = true;
+
+  # Secure boot
+  lyn.profiles.secureboot.enable = true;
+
+  # FDE stuff
  boot.loader.timeout = 2;
-  networking.useDHCP = true;
  boot.initrd = {
    availableKernelModules = [ "r8169" ];
    systemd.users.root.shell = "/bin/systemd-tty-ask-password-agent";
@ -36,9 +46,6 @@
      # authorizedKeys = [ "ssh-rsa ..." ];
      authorizedKeys = with lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users);
    };
-    #postCommands = ''
-    #  echo 'cryptsetup-askpass' >> /root/.profile
-    #'';
  };
  }; 
 }
--- a/modules/profiles/base.nix
+++ b/modules/profiles/base.nix
@ -2,7 +2,7 @@
  lyn.sops.default.enable = true;
  nix.settings.experimental-features = [ "nix-command" "flakes" ];
  nixpkgs.config.allowUnfree = true;
-  #nix.package = config.pkgsInstances.unstable.lix;
+  nix.package = config.pkgsInstances.unstable.lix;
  environment.variables.EDITOR = "nvim";
  
  time.timeZone = "Europe/Berlin";
--- a/modules/profiles/secureboot.nix
+++ b/modules/profiles/secureboot.nix
@ -0,0 +1,13 @@
+{ config, pkgs, lib, ... }:
+{
+  environment.systemPackages = [
+    # For debugging and troubleshooting Secure Boot.
+    pkgs.sbctl
+  ];
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+  boot.lanzaboote = {
+    enable = true;
+    pkiBundle = "/etc/secureboot";
+  };
+  
+}