mirror of
https://github.com/alyraffauf/nixcfg.git
synced 2024-11-24 04:51:54 -05:00
hosts: enable secureboot and tpm luks unlocking (#99)
* flake: add secureboot * petalburg: enable lanzaboote * lavaridge: enable lanzaboote * flake: auto import lanzaboote * mauville: enable secureboot and auto luks unlocking * lavaridge,petalburg: disable autologin * README.md: add lanzaboote * hosts/README.md: add secure boot setup docs
This commit is contained in:
parent
3fa234270e
commit
c6b59d0e34
|
@ -9,9 +9,8 @@ My comprehensive NixOS flake for managing my laptop, desktop, and home lab envir
|
|||
|
||||
- **Hyprland:** Dynamic tiling Wayland compositor and window manager.
|
||||
- **Stylix:** Auto-gnerated base16 themes for the whole desktop.
|
||||
- **Home Lab Services:** Media, file sharing, and more.
|
||||
- **Reverse Proxy:** Efficient traffic routing for my home lab services.
|
||||
- **Modular Configuration:** Reasonably adaptable for different hardware and use cases.
|
||||
- **Encryption:** Encrypted boot drives with Secure Boot and LUKS with TPM decryption.
|
||||
- **Home Lab:** Media, file sharing, and more with a efficnet routing via reverse proxy.
|
||||
|
||||
## Inputs
|
||||
|
||||
|
@ -27,6 +26,7 @@ As well as upstream third-party projects that I use for various tasks:
|
|||
- [home-manager](https://github.com/nix-community/home-manager): declarative dotfile and user package management.
|
||||
- [hyprland](https://github.com/hyprwm/Hyprland): great dynamic tiling wayland compositor.
|
||||
- [iio-hyprland](https://github.com/JeanSchoeller/iio-hyprland): autorotate daemon for Hyprland.
|
||||
- [lanzaboote](https://github.com/nix-community/lanzaboote): ssecure boot for NixOS.
|
||||
- [nur](https://github.com/nix-community/NUR): extra packages from the nix user repository.
|
||||
- [stylix](https://github.com/danth/stylix): system-wide colorscheming and typography.
|
||||
- [sway](https://github.com/swaywm/sway): fantastic, rock-solid tiling compositor for wayland.
|
||||
|
|
211
flake.lock
211
flake.lock
|
@ -137,6 +137,27 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"crane": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"lanzaboote",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1717535930,
|
||||
"narHash": "sha256-1hZ/txnbd/RmiBPNUs7i8UQw2N89uAK3UzrGAWdnFfU=",
|
||||
"owner": "ipetkov",
|
||||
"repo": "crane",
|
||||
"rev": "55e7754ec31dac78980c8be45f8a28e80e370946",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "ipetkov",
|
||||
"repo": "crane",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"darwin": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
|
@ -180,6 +201,22 @@
|
|||
}
|
||||
},
|
||||
"flake-compat": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1696426674,
|
||||
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
|
||||
"owner": "edolstra",
|
||||
"repo": "flake-compat",
|
||||
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "edolstra",
|
||||
"repo": "flake-compat",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-compat_2": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1673956053,
|
||||
|
@ -195,6 +232,45 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-parts": {
|
||||
"inputs": {
|
||||
"nixpkgs-lib": [
|
||||
"lanzaboote",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1717285511,
|
||||
"narHash": "sha256-iKzJcpdXih14qYVcZ9QC9XuZYnPc6T8YImb6dX166kw=",
|
||||
"owner": "hercules-ci",
|
||||
"repo": "flake-parts",
|
||||
"rev": "2a55567fcf15b1b1c7ed712a2c6fadaec7412ea8",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "hercules-ci",
|
||||
"repo": "flake-parts",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-utils": {
|
||||
"inputs": {
|
||||
"systems": "systems_3"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1710146030,
|
||||
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"fromYaml": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
|
@ -211,6 +287,28 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"gitignore": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"lanzaboote",
|
||||
"pre-commit-hooks-nix",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1709087332,
|
||||
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
|
||||
"owner": "hercules-ci",
|
||||
"repo": "gitignore.nix",
|
||||
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "hercules-ci",
|
||||
"repo": "gitignore.nix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"gnome-shell": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
|
@ -312,6 +410,33 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"lanzaboote": {
|
||||
"inputs": {
|
||||
"crane": "crane",
|
||||
"flake-compat": "flake-compat",
|
||||
"flake-parts": "flake-parts",
|
||||
"flake-utils": "flake-utils",
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
],
|
||||
"pre-commit-hooks-nix": "pre-commit-hooks-nix",
|
||||
"rust-overlay": "rust-overlay"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1718178907,
|
||||
"narHash": "sha256-eSZyrQ9uoPB9iPQ8Y5H7gAmAgAvCw3InStmU3oEjqsE=",
|
||||
"owner": "nix-community",
|
||||
"repo": "lanzaboote",
|
||||
"rev": "b627ccd97d0159214cee5c7db1412b75e4be6086",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-community",
|
||||
"ref": "v0.4.1",
|
||||
"repo": "lanzaboote",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixhw": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
|
@ -348,6 +473,22 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs-stable": {
|
||||
"locked": {
|
||||
"lastModified": 1710695816,
|
||||
"narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "614b4613980a522ba49f0d194531beddbb7220d3",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "nixos-23.11",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs-unstable": {
|
||||
"locked": {
|
||||
"lastModified": 1723637854,
|
||||
|
@ -379,6 +520,33 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"pre-commit-hooks-nix": {
|
||||
"inputs": {
|
||||
"flake-compat": [
|
||||
"lanzaboote",
|
||||
"flake-compat"
|
||||
],
|
||||
"gitignore": "gitignore",
|
||||
"nixpkgs": [
|
||||
"lanzaboote",
|
||||
"nixpkgs"
|
||||
],
|
||||
"nixpkgs-stable": "nixpkgs-stable"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1717664902,
|
||||
"narHash": "sha256-7XfBuLULizXjXfBYy/VV+SpYMHreNRHk9nKMsm1bgb4=",
|
||||
"owner": "cachix",
|
||||
"repo": "pre-commit-hooks.nix",
|
||||
"rev": "cc4d466cb1254af050ff7bdf47f6d404a7c646d1",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "cachix",
|
||||
"repo": "pre-commit-hooks.nix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"raffauflabs": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
|
@ -405,6 +573,7 @@
|
|||
"disko": "disko",
|
||||
"home-manager": "home-manager_2",
|
||||
"iio-hyprland": "iio-hyprland",
|
||||
"lanzaboote": "lanzaboote",
|
||||
"nixhw": "nixhw",
|
||||
"nixpkgs": "nixpkgs",
|
||||
"nixpkgs-unstable": "nixpkgs-unstable",
|
||||
|
@ -413,6 +582,31 @@
|
|||
"stylix": "stylix"
|
||||
}
|
||||
},
|
||||
"rust-overlay": {
|
||||
"inputs": {
|
||||
"flake-utils": [
|
||||
"lanzaboote",
|
||||
"flake-utils"
|
||||
],
|
||||
"nixpkgs": [
|
||||
"lanzaboote",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1717813066,
|
||||
"narHash": "sha256-wqbRwq3i7g5EHIui0bIi84mdqZ/It1AXBSLJ5tafD28=",
|
||||
"owner": "oxalica",
|
||||
"repo": "rust-overlay",
|
||||
"rev": "6dc3e45fe4aee36efeed24d64fc68b1f989d5465",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "oxalica",
|
||||
"repo": "rust-overlay",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"stylix": {
|
||||
"inputs": {
|
||||
"base16": "base16",
|
||||
|
@ -422,7 +616,7 @@
|
|||
"base16-kitty": "base16-kitty",
|
||||
"base16-tmux": "base16-tmux",
|
||||
"base16-vim": "base16-vim",
|
||||
"flake-compat": "flake-compat",
|
||||
"flake-compat": "flake-compat_2",
|
||||
"gnome-shell": "gnome-shell",
|
||||
"home-manager": "home-manager_3",
|
||||
"nixpkgs": [
|
||||
|
@ -472,6 +666,21 @@
|
|||
"repo": "default-linux",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"systems_3": {
|
||||
"locked": {
|
||||
"lastModified": 1681028828,
|
||||
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
||||
"owner": "nix-systems",
|
||||
"repo": "default",
|
||||
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-systems",
|
||||
"repo": "default",
|
||||
"type": "github"
|
||||
}
|
||||
}
|
||||
},
|
||||
"root": "root",
|
||||
|
|
|
@ -25,6 +25,11 @@
|
|||
url = "github:JeanSchoeller/iio-hyprland";
|
||||
};
|
||||
|
||||
lanzaboote = {
|
||||
url = "github:nix-community/lanzaboote/v0.4.1";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
|
||||
nixhw = {
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
url = "github:alyraffauf/nixhw";
|
||||
|
@ -120,6 +125,7 @@
|
|||
self.inputs.agenix.nixosModules.default
|
||||
self.inputs.disko.nixosModules.disko
|
||||
self.inputs.home-manager.nixosModules.home-manager
|
||||
self.inputs.lanzaboote.nixosModules.lanzaboote
|
||||
self.inputs.stylix.nixosModules.stylix
|
||||
self.nixosModules.nixos
|
||||
self.nixosModules.users
|
||||
|
|
|
@ -43,3 +43,56 @@ In short,
|
|||
1. Add the new public key to `secrets/secrets.nix`, rekey all secrets with `agenix --rekey`, and push your changes to master.
|
||||
1. Rebuild the new system from git. Secrets will be automatically decrypted and immediately available in `/run/agenix/` for NixOS and `$XDG_RUNTIME_DIR/agenix/` for users.
|
||||
1. (OPTIONAL) Generate a new user SSH key and add it to `nixosModules/users/default.nix` in order to enable passwordless logins to other hosts.
|
||||
|
||||
## Secure Boot
|
||||
|
||||
1. Generate secure boot keys:
|
||||
|
||||
```bash
|
||||
sudo nix run nixpkgs#sbctl create-keys
|
||||
```
|
||||
|
||||
1. Enable lanzaboote in NixOS host configuration:
|
||||
|
||||
```nix
|
||||
boot = {
|
||||
initrd.systemd.enable = true; # For automatic decryption with TPM.
|
||||
loader.systemd-boot.enable = lib.mkForce false; # Interferes with lanzaboote and must be force-disabled.
|
||||
|
||||
lanzaboote = {
|
||||
enable = true;
|
||||
pkiBundle = "/etc/secureboot";
|
||||
};
|
||||
};
|
||||
```
|
||||
|
||||
1. In UEFI, set secure boot to "setup mode" or erase platform keys.
|
||||
|
||||
1. Enroll your secure boot keys:
|
||||
|
||||
```bash
|
||||
sudo nix run nixpkgs#sbctl -- enroll-keys --microsoft
|
||||
```
|
||||
|
||||
1. Reboot, make sure secure boot is enabled in UEFI.
|
||||
|
||||
1. Check secure boot status with `bootctl status`:
|
||||
|
||||
```bash
|
||||
System:
|
||||
Firmware: UEFI 2.70 (American Megatrends 5.17)
|
||||
Firmware Arch: x64
|
||||
Secure Boot: enabled (user)
|
||||
TPM2 Support: yes
|
||||
Measured UKI: yes
|
||||
Boot into FW: supported
|
||||
```
|
||||
|
||||
1. If your root drive is encrypted with LUKS, you can have the TPM automatically decrypt it on boot:
|
||||
|
||||
```bash
|
||||
sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+2+7+12 --wipe-slot=tpm2 /dev/nvme0n1p2
|
||||
```
|
||||
|
||||
Replace `/dev/nvme0n1p2` with your root partition.
|
||||
Check the [Linux TPM PCR Registry](https://uapi-group.org/specifications/specs/linux_tpm_pcr_registry/) for more details.
|
||||
|
|
|
@ -24,11 +24,17 @@
|
|||
];
|
||||
|
||||
boot = {
|
||||
initrd.systemd.enable = true;
|
||||
kernelPackages = lib.mkForce pkgs.linuxPackages_6_9;
|
||||
|
||||
lanzaboote = {
|
||||
enable = true;
|
||||
pkiBundle = "/etc/secureboot";
|
||||
};
|
||||
|
||||
loader = {
|
||||
efi.canTouchEfiVariables = true;
|
||||
systemd-boot.enable = true;
|
||||
systemd-boot.enable = lib.mkForce false;
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -45,11 +51,7 @@
|
|||
};
|
||||
|
||||
desktop = {
|
||||
greetd = {
|
||||
enable = true;
|
||||
autologin = "aly";
|
||||
};
|
||||
|
||||
greetd.enable = true;
|
||||
hyprland.enable = true;
|
||||
sway.enable = true;
|
||||
};
|
||||
|
|
|
@ -33,28 +33,17 @@ in {
|
|||
boot = {
|
||||
initrd = {
|
||||
availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "sd_mod" "r8169"];
|
||||
systemd.enable = true;
|
||||
};
|
||||
|
||||
network = {
|
||||
enable = true;
|
||||
flushBeforeStage2 = true;
|
||||
|
||||
ssh = {
|
||||
enable = true;
|
||||
hostKeys = [/etc/secrets/initrd/ssh_host_ed25519_key];
|
||||
};
|
||||
|
||||
udhcpc.enable = true;
|
||||
|
||||
postCommands = ''
|
||||
# Automatically ask for the password on SSH login
|
||||
echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1' >> /root/.profile
|
||||
'';
|
||||
};
|
||||
lanzaboote = {
|
||||
enable = true;
|
||||
pkiBundle = "/etc/secureboot";
|
||||
};
|
||||
|
||||
loader = {
|
||||
efi.canTouchEfiVariables = true;
|
||||
systemd-boot.enable = true;
|
||||
systemd-boot.enable = lib.mkForce false;
|
||||
};
|
||||
};
|
||||
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
# Lenovo Yoga 9i Convertible with Intel Core i7-1360P, 16GB RAM, 512GB SSD.
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
self,
|
||||
...
|
||||
}: {
|
||||
|
@ -22,11 +23,17 @@
|
|||
];
|
||||
|
||||
boot = {
|
||||
initrd.systemd.enable = true;
|
||||
extraModulePackages = with config.boot.kernelPackages; [acpi_call];
|
||||
|
||||
lanzaboote = {
|
||||
enable = true;
|
||||
pkiBundle = "/etc/secureboot";
|
||||
};
|
||||
|
||||
loader = {
|
||||
efi.canTouchEfiVariables = true;
|
||||
systemd-boot.enable = true;
|
||||
systemd-boot.enable = lib.mkForce false;
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -65,11 +72,7 @@
|
|||
};
|
||||
|
||||
desktop = {
|
||||
greetd = {
|
||||
enable = true;
|
||||
autologin = "aly";
|
||||
};
|
||||
|
||||
greetd.enable = true;
|
||||
hyprland.enable = true;
|
||||
sway.enable = true;
|
||||
};
|
||||
|
|
Loading…
Reference in a new issue