gerg-l/nixos
1
0
Fork 0
mirror of https://github.com/Gerg-L/nixos.git synced 2025-12-10 00:43:56 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

working lanzaboote secure boot with uefi shell

Browse source
This commit is contained in:
Gerg-L 2024-06-17 22:16:31 -04:00
parent 46e4e98668
commit f4f287acd1
Signed by: gerg-l
SSH key fingerprint: SHA256:FPYDHIkvMocr4wdmZXpgpJjsb2Tw6rASs2ISPbOb0KI
3 changed files with 268 additions and 20 deletions
Download patch file Download diff file Expand all files Collapse all files

232
flake.lock generated
View file

@ -1,5 +1,26 @@
{
"nodes": {
"crane": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1718474113,
"narHash": "sha256-UKrfy/46YF2TRnxTtKCYzqf2f5ZPRRWwKCCJb7O5X8U=",
"owner": "ipetkov",
"repo": "crane",
"rev": "0095fd8ea00ae0a9e6014f39c375e40c2fbd3386",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"disko": {
"inputs": {
"nixpkgs": [
@ -43,11 +64,11 @@
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
@ -59,11 +80,11 @@
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
@ -88,7 +109,44 @@
"type": "github"
}
},
"flake-compat_4": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1717285511,
"narHash": "sha256-iKzJcpdXih14qYVcZ9QC9XuZYnPc6T8YImb6dX166kw=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "2a55567fcf15b1b1c7ed712a2c6fadaec7412ea8",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_2": {
"inputs": {
"nixpkgs-lib": [
"nix",
@ -110,6 +168,24 @@
}
},
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
@ -124,6 +200,54 @@
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"pre-commit-hooks-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"lanzaboote": {
"inputs": {
"crane": "crane",
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
"flake-utils": "flake-utils",
"nixpkgs": [
"unstable"
],
"pre-commit-hooks-nix": "pre-commit-hooks-nix",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1718626451,
"narHash": "sha256-KEM9FwTX4XvWzn/wKcbhS/xI7z3oU89XBfG8WnlHE88=",
"owner": "nix-community",
"repo": "lanzaboote",
"rev": "93dd69a5b683deb8ab7d6dbb91771a2487745e8c",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "lanzaboote",
"type": "github"
}
},
"libgit2": {
"flake": false,
"locked": {
@ -175,8 +299,8 @@
},
"nix": {
"inputs": {
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
"flake-compat": "flake-compat_2",
"flake-parts": "flake-parts_2",
"libgit2": "libgit2",
"nixpkgs": [
"stable"
@ -272,6 +396,22 @@
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1710695816,
"narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "614b4613980a522ba49f0d194531beddbb7220d3",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable_2": {
"locked": {
"lastModified": 1718478900,
"narHash": "sha256-v43N1gZLcGkhg3PdcrKUNIZ1L0FBzB2JqhIYEyKAHEs=",
@ -289,7 +429,7 @@
},
"nvim-flake": {
"inputs": {
"flake-compat": "flake-compat_2",
"flake-compat": "flake-compat_3",
"neovim-src": "neovim-src",
"nixpkgs": [
"unstable"
@ -314,7 +454,7 @@
"flake-compat": [
"nix"
],
"flake-utils": "flake-utils",
"flake-utils": "flake-utils_2",
"gitignore": [
"nix"
],
@ -341,10 +481,38 @@
"type": "github"
}
},
"pre-commit-hooks-nix": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"gitignore": "gitignore",
"nixpkgs": [
"lanzaboote",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1717664902,
"narHash": "sha256-7XfBuLULizXjXfBYy/VV+SpYMHreNRHk9nKMsm1bgb4=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "cc4d466cb1254af050ff7bdf47f6d404a7c646d1",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"root": {
"inputs": {
"disko": "disko",
"fetch-rs": "fetch-rs",
"lanzaboote": "lanzaboote",
"master": "master",
"nix": "nix",
"nix-index-database": "nix-index-database",
@ -357,12 +525,37 @@
"unstable": "unstable"
}
},
"rust-overlay": {
"inputs": {
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1718504420,
"narHash": "sha256-F2HT/abCfr0CDpkvXwYCscJyD66XDTLMVfdrIMRp2ck=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "0043c3f92304823cc2c0a4354b0feaa61dfb4cd9",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"unstable"
],
"nixpkgs-stable": "nixpkgs-stable"
"nixpkgs-stable": "nixpkgs-stable_2"
},
"locked": {
"lastModified": 1718506969,
@ -380,7 +573,7 @@
},
"spicetify-nix": {
"inputs": {
"flake-compat": "flake-compat_3",
"flake-compat": "flake-compat_4",
"nixpkgs": [
"unstable"
]
@ -435,6 +628,21 @@
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"unstable": {
"locked": {
"lastModified": 1718318537,

6
flake.nix
View file

@ -51,6 +51,12 @@
repo = "nix-index-database";
inputs.nixpkgs.follows = "unstable";
};
lanzaboote = {
type = "github";
owner = "nix-community";
repo = "lanzaboote";
inputs.nixpkgs.follows = "unstable";
};
#my own packages
spicetify-nix = {
type = "github";

50
hosts/gerg-desktop/zfs.nix
View file

@ -2,11 +2,51 @@
config,
lib,
pkgs,
lanzaboote,
}:
let
windowsConf = ''
title Windows
efi /shellx64.efi
options -nointerrupt -noconsolein -noconsoleout HD2d65535a1:EFI\Microsoft\Boot\Bootmgfw.efi
'';
in
{
imports = [ lanzaboote.nixosModules.lanzaboote ];
environment.systemPackages = [ pkgs.sbctl ];
boot.lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
configurationLimit = 10;
package = lib.mkForce (
pkgs.writeShellApplication {
name = "lzbt";
runtimeInputs = [
lanzaboote.packages.tool
pkgs.coreutils
pkgs.sbctl
];
text = ''
set -o pipefail
lzbt "$@"
MP='${config.boot.loader.efi.efiSysMountPoint}'
cp -f '${pkgs.edk2-uefi-shell.efi}' "$MP/shellx64.efi"
mkdir -p "$MP/loader/entries"
sbctl sign -s "$MP/shellx64.efi"
cat << EOF > "$MP/loader/entries/windows.conf"
${windowsConf}
EOF
'';
}
);
};
#link some stuff
systemd.tmpfiles.rules = [
"L+ /etc/secureboot - - - - /persist/secureboot"
"L+ /etc/ssh/ssh_host_ed25519_key - - - - /persist/ssh/ssh_host_ed25519_key"
"L+ /etc/ssh/ssh_host_ed25519_key.pub - - - - /persist/ssh/ssh_host_ed25519_key.pub"
"L /etc/nixos/flake.nix - - - - /home/gerg/Projects/nixos/flake.nix"
@ -86,15 +126,9 @@
};
loader = {
systemd-boot = {
enable = lib.mkForce true;
enable = lib.mkForce false;
extraFiles."shellx64.efi" = pkgs.edk2-uefi-shell.efi;
extraEntries."windows.conf" = ''
title Windows
efi /shellx64.efi
options -nointerrupt -noconsolein -noconsoleout HD2d65535a1:EFI\Microsoft\Boot\Bootmgfw.efi
'';
extraEntries."windows.conf" = windowsConf;
};
grub.enable = lib.mkForce false;
timeout = lib.mkForce 5;