gerg-l/nixos
1
0
Fork 0
mirror of https://github.com/Gerg-L/nixos.git synced 2025-12-10 00:43:56 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

setup secure boot

Browse source
This commit is contained in:
Gerg-L 2024-05-01 22:32:44 -04:00
parent 452dbf5658
commit f8a338df15
Signed by: gerg-l
SSH key fingerprint: SHA256:FPYDHIkvMocr4wdmZXpgpJjsb2Tw6rASs2ISPbOb0KI
4 changed files with 259 additions and 34 deletions
Download patch file Download diff file Expand all files Collapse all files

2
disko/gerg-desktop.nix
View file

@ -17,6 +17,7 @@ lib: {
content = { content = {
type = "gpt"; type = "gpt";
partitions = { partitions = {
#BOOT is unused
BOOT = { BOOT = {
device = "${fullName}-part1"; device = "${fullName}-part1";
type = "EF00"; type = "EF00";
@ -25,7 +26,6 @@ lib: {
content = { content = {
type = "filesystem"; type = "filesystem";
format = "vfat"; format = "vfat";
mountpoint = "/efi${name}";
}; };
}; };
swap = { swap = {

232
flake.lock generated
View file

@ -1,5 +1,26 @@
{ {
"nodes": { "nodes": {
"crane": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1711299236,
"narHash": "sha256-6/JsyozOMKN8LUGqWMopKTSiK8N79T8Q+hcxu2KkTXg=",
"owner": "ipetkov",
"repo": "crane",
"rev": "880573f80d09e18a11713f402b9e6172a085449f",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"disko": { "disko": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -43,11 +64,11 @@
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1673956053, "lastModified": 1696426674,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra", "owner": "edolstra",
"repo": "flake-compat", "repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -59,11 +80,11 @@
"flake-compat_2": { "flake-compat_2": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1696426674, "lastModified": 1673956053,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra", "owner": "edolstra",
"repo": "flake-compat", "repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -88,6 +109,109 @@
"type": "github" "type": "github"
} }
}, },
"flake-compat_4": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709336216,
"narHash": "sha256-Dt/wOWeW6Sqm11Yh+2+t0dfEWxoMxGBvv3JpIocFl9E=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "f7b3c975cf067e56e7cda6cb098ebe3fb4d74ca2",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"pre-commit-hooks-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"lanzaboote": {
"inputs": {
"crane": "crane",
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
"flake-utils": "flake-utils",
"nixpkgs": [
"unstable"
],
"pre-commit-hooks-nix": "pre-commit-hooks-nix",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1713369831,
"narHash": "sha256-G4OGxvlIIjphpkxcRAkf1QInYsAeqbfNh6Yl1JLy2uM=",
"owner": "nix-community",
"repo": "lanzaboote",
"rev": "850f27322239f8cfa56b122cc9a278ab99a49015",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "lanzaboote",
"type": "github"
}
},
"libgit2": { "libgit2": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -139,7 +263,7 @@
}, },
"nix": { "nix": {
"inputs": { "inputs": {
"flake-compat": "flake-compat", "flake-compat": "flake-compat_2",
"libgit2": "libgit2", "libgit2": "libgit2",
"nixpkgs": [ "nixpkgs": [
"stable" "stable"
@ -214,6 +338,22 @@
} }
}, },
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": {
"lastModified": 1710695816,
"narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "614b4613980a522ba49f0d194531beddbb7220d3",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable_2": {
"locked": { "locked": {
"lastModified": 1713638189, "lastModified": 1713638189,
"narHash": "sha256-q7APLfB6FmmSMI1Su5ihW9IwntBsk2hWNXh8XtSdSIk=", "narHash": "sha256-q7APLfB6FmmSMI1Su5ihW9IwntBsk2hWNXh8XtSdSIk=",
@ -231,7 +371,7 @@
}, },
"nvim-flake": { "nvim-flake": {
"inputs": { "inputs": {
"flake-compat": "flake-compat_2", "flake-compat": "flake-compat_3",
"neovim-src": "neovim-src", "neovim-src": "neovim-src",
"nixpkgs": [ "nixpkgs": [
"unstable" "unstable"
@ -251,10 +391,42 @@
"type": "github" "type": "github"
} }
}, },
"pre-commit-hooks-nix": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"gitignore": "gitignore",
"nixpkgs": [
"lanzaboote",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1710923068,
"narHash": "sha256-6hOpUiuxuwpXXc/xfJsBUJeqqgGI+JMJuLo45aG3cKc=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "e611897ddfdde3ed3eaac4758635d7177ff78673",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"disko": "disko", "disko": "disko",
"fetch-rs": "fetch-rs", "fetch-rs": "fetch-rs",
"lanzaboote": "lanzaboote",
"master": "master", "master": "master",
"nix": "nix", "nix": "nix",
"nixos-generators": "nixos-generators", "nixos-generators": "nixos-generators",
@ -266,12 +438,37 @@
"unstable": "unstable" "unstable": "unstable"
} }
}, },
"rust-overlay": {
"inputs": {
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1711246447,
"narHash": "sha256-g9TOluObcOEKewFo2fR4cn51Y/jSKhRRo4QZckHLop0=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "dcc802a6ec4e9cc6a1c8c393327f0c42666f22e4",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"sops-nix": { "sops-nix": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"unstable" "unstable"
], ],
"nixpkgs-stable": "nixpkgs-stable" "nixpkgs-stable": "nixpkgs-stable_2"
}, },
"locked": { "locked": {
"lastModified": 1713892811, "lastModified": 1713892811,
@ -289,7 +486,7 @@
}, },
"spicetify-nix": { "spicetify-nix": {
"inputs": { "inputs": {
"flake-compat": "flake-compat_3", "flake-compat": "flake-compat_4",
"nixpkgs": [ "nixpkgs": [
"unstable" "unstable"
] ]
@ -344,6 +541,21 @@
"type": "github" "type": "github"
} }
}, },
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"unstable": { "unstable": {
"locked": { "locked": {
"lastModified": 1714253743, "lastModified": 1714253743,

6
flake.nix
View file

@ -45,6 +45,12 @@
repo = "disko"; repo = "disko";
inputs.nixpkgs.follows = "unstable"; inputs.nixpkgs.follows = "unstable";
}; };
lanzaboote = {
type = "github";
owner = "nix-community";
repo = "lanzaboote";
inputs.nixpkgs.follows = "unstable";
};
#my own packages #my own packages
spicetify-nix = { spicetify-nix = {
type = "github"; type = "github";

53
hosts/gerg-desktop/zfs.nix
View file

@ -1,4 +1,4 @@
_: { lanzaboote, ... }:
{ {
config, config,
lib, lib,
@ -6,8 +6,19 @@ _:
... ...
}: }:
{ {
imports = [ lanzaboote.nixosModules.lanzaboote ];
environment.systemPackages = [ pkgs.sbctl ];
boot.lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
configurationLimit = 10;
};
#link some stuff #link some stuff
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"L+ /etc/secureboot - - - - /persist/secureboot"
"L+ /etc/ssh/ssh_host_ed25519_key - - - - /persist/ssh/ssh_host_ed25519_key" "L+ /etc/ssh/ssh_host_ed25519_key - - - - /persist/ssh/ssh_host_ed25519_key"
"L+ /etc/ssh/ssh_host_ed25519_key.pub - - - - /persist/ssh/ssh_host_ed25519_key.pub" "L+ /etc/ssh/ssh_host_ed25519_key.pub - - - - /persist/ssh/ssh_host_ed25519_key.pub"
"L /etc/nixos/flake.nix - - - - /home/gerg/Projects/nixos/flake.nix" "L /etc/nixos/flake.nix - - - - /home/gerg/Projects/nixos/flake.nix"
@ -21,8 +32,17 @@ _:
sops.age.sshKeyPaths = lib.mkForce [ "/persist/ssh/ssh_host_ed25519_key" ]; sops.age.sshKeyPaths = lib.mkForce [ "/persist/ssh/ssh_host_ed25519_key" ];
fileSystems = { fileSystems = {
"/persist".neededForBoot = true; "/persist".neededForBoot = true;
"/efi22".options = [ "nofail" ]; # These are my Windows drives partitions
"/efi0E".options = [ "nofail" ]; "/efi".device = "/dev/disk/by-id/ata-Samsung_SSD_870_EVO_500GB_S6PXNM0T402828A-part1";
"/boot".device = "/dev/disk/by-id/ata-Samsung_SSD_870_EVO_500GB_S6PXNM0T402828A-part4";
"/efi/EFI/Linux" = {
device = "/boot/EFI/Linux";
options = [ "bind" ];
};
"/efi/EFI/nixos" = {
device = "/boot/EFI/nixos";
options = [ "bind" ];
};
}; };
boot = { boot = {
@ -61,27 +81,14 @@ _:
}; };
}; };
loader = { loader = {
generationsDir.copyKernels = true; systemd-boot = {
#override default enable = lib.mkForce false;
systemd-boot.enable = false; xbootldrMountPoint = "/boot";
efi.canTouchEfiVariables = false;
grub = {
enable = true;
copyKernels = true;
efiInstallAsRemovable = true;
efiSupport = true;
mirroredBoots = [
{
path = "/efi22";
devices = [ "nodev" ];
}
{
path = "/efi0E";
devices = [ "nodev" ];
}
];
splashImage = null;
}; };
grub.enable = lib.mkForce false;
timeout = lib.mkForce 5;
efi.efiSysMountPoint = "/efi";
}; };
}; };
#_file #_file