diff --git a/README.md b/README.md
index 550653f..49aa4e9 100644
--- a/README.md
+++ b/README.md
@@ -90,15 +90,13 @@ These are notable external flakes which this config depend upon
 ### Add secureboot to new systems
-1. generate keys with `sbct create-keys`
-1. tar the resulting folder using `tar cvf secureboot.tar -C /etc/secureboot .`
+1. generate keys with `sbctl create-keys`
+1. tar the resulting folder using `tar cvf secureboot.tar -C /var/lib/sbctl .`
 1. Copy the tar to local using scp and encrypt it using rage
     - `rage -e -R ./secrets/recipients.txt secureboot.tar -o /secrets/secureboot.tar.age`
 1. safe the encrypted archive to `hosts//secrets/secureboot.tar.age`
 1. *DO NOT* forget to delete the unecrypted archives
 1. Deploy your system with lanzaboote enabled
-    - link `/run/secureboot` to `/etc/secureboot`
-    - This is necesarry since for your this apply the rekeyed keys are not yet available but already needed for signing the boot files
 1. ensure the boot files are signed using `sbctl verify`
 1. Now reboot the computer into BIOS and enable secureboot, this may include removing any existing old keys
diff --git a/config/services/netbird.nix b/config/services/netbird.nix
index 502b0c2..ea66105 100644
--- a/config/services/netbird.nix
+++ b/config/services/netbird.nix
@@ -79,7 +79,8 @@
       management = {
         port = 3000;
-        dnsDomain = "internal.${config.secrets.secrets.global.domains.web}";
+        # DNS server should do the lookup this is not used
+        dnsDomain = "internal.invalid";
         singleAccountModeDomain = "netbird.patrick";
         oidcConfigEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird/.well-known/openid-configuration";
         settings = {
diff --git a/config/support/secureboot.nix b/config/support/secureboot.nix
index 085aa7b..612f5de 100644
--- a/config/support/secureboot.nix
+++ b/config/support/secureboot.nix
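Review bot: The comment added above `dnsDomain = "internal.invalid";` does not say why `.invalid` was chosen, and "this is not used" is a claim the hunk cannot back up on its own. A reader checking this later needs the reasoning: `# Names are resolved by the DNS server, not by netbird; ".invalid" is reserved (RFC 2606) so it can never resolve on its own.` If the management server does hand this domain to peers as a search or match domain, those peers would carry an unresolvable suffix, so that assumption is worth confirming against the netbird management settings before relying on it.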
@@ -8,15 +8,16 @@ lib.optionalAttrs (!minimal) {
   environment.systemPackages = [
     # For debugging and troubleshooting Secure Boot.
-    (pkgs.sbctl.override { databasePath = "/run/secureboot"; })
+    pkgs.sbctl
   ];
   age.secrets.secureboot.rekeyFile = ../../hosts/${config.node.name}/secrets/secureboot.tar.age;
   system.activationScripts.securebootuntar = {
+    # TODO sbctl config file
     text = ''
-      rm -r /run/secureboot || true
-      mkdir -p /run/secureboot
-      chmod 700 /run/secureboot
-      ${pkgs.gnutar}/bin/tar xf ${config.age.secrets.secureboot.path} -C /run/secureboot || true
+      rm -r /var/lib/sbctl || true
+      mkdir -p /var/lib/sbctl
+      chmod 700 /var/lib/sbctl
+      ${pkgs.gnutar}/bin/tar xf ${config.age.secrets.secureboot.path} -C /var/lib/sbctl || true
     '';
     deps = [ "agenix" ];
   };
@@ -29,8 +30,6 @@ lib.optionalAttrs (!minimal) {
   boot.lanzaboote = {
     enable = true;
-    # Not usable anyway
-    #enrollKeys = true;
-    pkiBundle = "/run/secureboot";
+    pkiBundle = "/var/lib/sbctl/";
   };
 }
diff --git a/flake.lock b/flake.lock
index f075d9a..112b0b5 100644
--- a/flake.lock
+++ b/flake.lock
@@ -134,29 +134,14 @@
     },
     "crane_2": {
       "inputs": {
-        "flake-compat": [
-          "lanzaboote",
-          "flake-compat"
-        ],
-        "flake-utils": [
-          "lanzaboote",
-          "flake-utils"
-        ],
-        "nixpkgs": [
-          "lanzaboote",
-          "nixpkgs"
-        ],
-        "rust-overlay": [
-          "lanzaboote",
-          "rust-overlay"
-        ]
+        "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1681177078,
-        "narHash": "sha256-ZNIjBDou2GOabcpctiQykEQVkI8BDwk7TyvlWlI4myE=",
+        "lastModified": 1717535930,
+        "narHash": "sha256-1hZ/txnbd/RmiBPNUs7i8UQw2N89uAK3UzrGAWdnFfU=",
         "owner": "ipetkov",
         "repo": "crane",
-        "rev": "0c9f468ff00576577d83f5019a66c557ede5acf6",
+        "rev": "55e7754ec31dac78980c8be45f8a28e80e370946",
         "type": "github"
       },
       "original": {
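Review bot: The `|| true` on the new `tar xf ... -C /var/lib/sbctl` line masks a missing or undecryptable secret, so activation reports success while `/var/lib/sbctl` — the directory the second hunk now hands to lanzaboote as `pkiBundle` — is left empty, and the problem presumably only surfaces later when signing finds no keys. Keep `|| true` on the `rm -r` (which may legitimately find nothing) but drop it from the tar line, so a bad secret stops activation at the point where it can be diagnosed. The keys now also land on persistent storage instead of the tmpfs `/run` used before, and `chmod 700` protects only the directory while tar restores whatever modes the archive carries for the files inside, so a `chmod -R go-rwx /var/lib/sbctl` after extraction is worth adding; whether the dataset holding `/var/lib` is encrypted is not visible here. The new `# TODO sbctl config file` comment would help more as a sentence stating what is still missing and why it matters for this path.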
@@ -553,11 +538,11 @@ "flake-compat_4": { "flake": false, "locked": { - "lastModified": 1673956053, - "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", "owner": "edolstra", "repo": "flake-compat", - "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", "type": "github" }, "original": { @@ -707,11 +692,11 @@ ] }, "locked": { - "lastModified": 1680392223, - "narHash": "sha256-n3g7QFr85lDODKt250rkZj2IFS3i4/8HBU2yKHO3tqw=", + "lastModified": 1717285511, + "narHash": "sha256-iKzJcpdXih14qYVcZ9QC9XuZYnPc6T8YImb6dX166kw=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "dcc36e45d054d7bb554c9cdab69093debd91a0b5", + "rev": "2a55567fcf15b1b1c7ed712a2c6fadaec7412ea8", "type": "github" }, "original": { @@ -786,11 +771,11 @@ "systems": "systems_2" }, "locked": { - "lastModified": 1681202837, - "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", "owner": "numtide", "repo": "flake-utils", - "rev": "cfacdce06f30d2b68473a46042957675eebb3401", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", "type": "github" }, "original": { @@ -1009,11 +994,11 @@ ] }, "locked": { - "lastModified": 1660459072, - "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=", + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", "owner": "hercules-ci", "repo": "gitignore.nix", - "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", "type": "github" }, "original": { @@ -1283,7 +1268,6 @@ "crane": "crane_2", "flake-compat": "flake-compat_4", "flake-parts": "flake-parts_4", - "flake-utils": "flake-utils", "nixpkgs": [ "nixpkgs" ], 
@@ -1291,16 +1275,15 @@ "rust-overlay": "rust-overlay_2" }, "locked": { - "lastModified": 1682802423, - "narHash": "sha256-Fb5TeRTdvUlo/5Yi2d+FC8a6KoRLk2h1VE0/peMhWPs=", + "lastModified": 1731941836, + "narHash": "sha256-zpmAzrvK8KdssBSwiIwwRxaUJ77oWORbW0XFvgCFpTE=", "owner": "nix-community", "repo": "lanzaboote", - "rev": "64b903ca87d18cef2752c19c098af275c6e51d63", + "rev": "2f48272f34174fd2a5ab3df4d8a46919247be879", "type": "github" }, "original": { "owner": "nix-community", - "ref": "v0.3.0", "repo": "lanzaboote", "type": "github" } @@ -1423,7 +1406,7 @@ "crane": "crane_3", "dream2nix": "dream2nix_2", "mk-naked-shell": "mk-naked-shell_2", - "nixpkgs": "nixpkgs_2", + "nixpkgs": "nixpkgs_3", "parts": "parts_2", "rust-overlay": "rust-overlay_3", "treefmt": "treefmt_2" @@ -1467,7 +1450,7 @@ "inputs": { "flake-parts": "flake-parts_6", "nix-github-actions": "nix-github-actions", - "nixpkgs": "nixpkgs_7", + "nixpkgs": "nixpkgs_8", "treefmt-nix": "treefmt-nix_4" }, "locked": { @@ -1530,7 +1513,7 @@ "inputs": { "devshell": "devshell_4", "flake-utils": "flake-utils_3", - "nixpkgs": "nixpkgs", + "nixpkgs": "nixpkgs_2", "pre-commit-hooks": "pre-commit-hooks_3" }, "locked": { @@ -1648,7 +1631,7 @@ "devshell": "devshell_6", "flake-parts": "flake-parts_5", "nci": "nci_2", - "nixpkgs": "nixpkgs_3", + "nixpkgs": "nixpkgs_4", "pre-commit-hooks": "pre-commit-hooks_5", "treefmt-nix": "treefmt-nix_3" }, @@ -1668,16 +1651,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1730531603, - "narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=", + "lastModified": 1734126203, + "narHash": "sha256-0XovF7BYP50rTD2v4r55tR5MuBLet7q4xIz6Rgh3BBU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d", + "rev": "71a6392e367b08525ee710a93af2e80083b5b3e2", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-unstable", + "ref": "nixpkgs-unstable", "repo": "nixpkgs", "type": "github" } 
@@ -1779,16 +1762,16 @@ }, "nixpkgs-stable_3": { "locked": { - "lastModified": 1678872516, - "narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=", + "lastModified": 1710695816, + "narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9b8e5abb18324c7fe9f07cb100c3cd4a29cda8b8", + "rev": "614b4613980a522ba49f0d194531beddbb7220d3", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-22.11", + "ref": "nixos-23.11", "repo": "nixpkgs", "type": "github" } @@ -1865,6 +1848,22 @@ } }, "nixpkgs_2": { + "locked": { + "lastModified": 1730531603, + "narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { "locked": { "lastModified": 1731139594, "narHash": "sha256-IigrKK3vYRpUu+HEjPL/phrfh7Ox881er1UEsZvw9Q4=", @@ -1880,7 +1879,7 @@ "type": "github" } }, - "nixpkgs_3": { + "nixpkgs_4": { "locked": { "lastModified": 1731319897, "narHash": "sha256-PbABj4tnbWFMfBp6OcUK5iGy1QY+/Z96ZcLpooIbuEI=", @@ -1896,7 +1895,7 @@ "type": "github" } }, - "nixpkgs_4": { + "nixpkgs_5": { "locked": { "lastModified": 1730768919, "narHash": "sha256-8AKquNnnSaJRXZxc5YmF/WfmxiHX6MMZZasRP6RRQkE=", @@ -1912,7 +1911,7 @@ "type": "github" } }, - "nixpkgs_5": { + "nixpkgs_6": { "locked": { "lastModified": 1726871744, "narHash": "sha256-V5LpfdHyQkUF7RfOaDPrZDP+oqz88lTJrMT1+stXNwo=", @@ -1928,7 +1927,7 @@ "type": "github" } }, - "nixpkgs_6": { + "nixpkgs_7": { "locked": { "lastModified": 1734119587, "narHash": "sha256-AKU6qqskl0yf2+JdRdD0cfxX4b9x3KKV5RqA6wijmPM=", @@ -1944,7 +1943,7 @@ "type": "github" } }, - "nixpkgs_7": { + "nixpkgs_8": { "locked": { "lastModified": 1732238832, "narHash": "sha256-sQxuJm8rHY20xq6Ah+GwIUkF95tWjGRd1X8xF+Pkk38=", 
@@ -1960,7 +1959,7 @@ "type": "github" } }, - "nixpkgs_8": { + "nixpkgs_9": { "locked": { "lastModified": 1725194671, "narHash": "sha256-tLGCFEFTB5TaOKkpfw3iYT9dnk4awTP/q4w+ROpMfuw=", @@ -2101,10 +2100,6 @@ "lanzaboote", "flake-compat" ], - "flake-utils": [ - "lanzaboote", - "flake-utils" - ], "gitignore": "gitignore_3", "nixpkgs": [ "lanzaboote", @@ -2113,11 +2108,11 @@ "nixpkgs-stable": "nixpkgs-stable_3" }, "locked": { - "lastModified": 1681413034, - "narHash": "sha256-/t7OjNQcNkeWeSq/CFLYVBfm+IEnkjoSm9iKvArnUUI=", + "lastModified": 1717664902, + "narHash": "sha256-7XfBuLULizXjXfBYy/VV+SpYMHreNRHk9nKMsm1bgb4=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "d3de8f69ca88fb6f8b09e5b598be5ac98d28ede5", + "rev": "cc4d466cb1254af050ff7bdf47f6d404a7c646d1", "type": "github" }, "original": { @@ -2209,7 +2204,7 @@ "inputs": { "flake-compat": "flake-compat_8", "gitignore": "gitignore_6", - "nixpkgs": "nixpkgs_4", + "nixpkgs": "nixpkgs_5", "nixpkgs-stable": "nixpkgs-stable_5" }, "locked": { @@ -2352,7 +2347,7 @@ "nixos-hardware": "nixos-hardware", "nixos-nftables-firewall": "nixos-nftables-firewall", "nixp-meta": "nixp-meta", - "nixpkgs": "nixpkgs_6", + "nixpkgs": "nixpkgs_7", "nixpkgs-wayland": "nixpkgs-wayland", "nixvim": "nixvim", "pre-commit-hooks": "pre-commit-hooks_6", @@ -2386,21 +2381,18 @@ }, "rust-overlay_2": { "inputs": { - "flake-utils": [ - "lanzaboote", - "flake-utils" - ], + "flake-utils": "flake-utils", "nixpkgs": [ "lanzaboote", "nixpkgs" ] }, "locked": { - "lastModified": 1682129965, - "narHash": "sha256-1KRPIorEL6pLpJR04FwAqqnt4Tzcm4MqD84yhlD+XSk=", + "lastModified": 1717813066, + "narHash": "sha256-wqbRwq3i7g5EHIui0bIi84mdqZ/It1AXBSLJ5tafD28=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "2c417c0460b788328220120c698630947547ee83", + "rev": "6dc3e45fe4aee36efeed24d64fc68b1f989d5465", "type": "github" }, "original": { 
@@ -2526,7 +2518,7 @@
         "flake-utils": "flake-utils_7",
         "gnome-shell": "gnome-shell",
         "home-manager": "home-manager_3",
-        "nixpkgs": "nixpkgs_8",
+        "nixpkgs": "nixpkgs_9",
         "systems": "systems_9",
         "tinted-foot": "tinted-foot",
         "tinted-kitty": "tinted-kitty",
@@ -2827,7 +2819,7 @@
     },
     "treefmt-nix_3": {
       "inputs": {
-        "nixpkgs": "nixpkgs_5"
+        "nixpkgs": "nixpkgs_6"
       },
       "locked": {
         "lastModified": 1730321837,
diff --git a/flake.nix b/flake.nix
index 20dc481..cae7645 100644
--- a/flake.nix
+++ b/flake.nix
@@ -85,7 +85,7 @@
     };
     lanzaboote = {
-      url = "github:nix-community/lanzaboote/v0.3.0";
+      url = "github:nix-community/lanzaboote";
       inputs.nixpkgs.follows = "nixpkgs";
     };
diff --git a/hosts/nucnix/default.nix b/hosts/nucnix/default.nix
index c36938f..2b6efd7 100644
--- a/hosts/nucnix/default.nix
+++ b/hosts/nucnix/default.nix
@@ -16,6 +16,7 @@
     ../../config/support/physical.nix
     ../../config/support/zfs.nix
     ../../config/support/server.nix
+    ../../config/support/secureboot.nix
     ./net.nix
     ./fs.nix
diff --git a/hosts/nucnix/net.nix b/hosts/nucnix/net.nix
index aba7402..625c1f8 100644
--- a/hosts/nucnix/net.nix
+++ b/hosts/nucnix/net.nix
@@ -23,6 +23,13 @@
         };
       };
     };
+    netdevs."40-vlan-fritz" = {
+      netdevConfig = {
+        Name = "vlan-fritz";
+        Kind = "vlan";
+      };
+      vlanConfig.Id = 2;
+    };
     netdevs."40-vlan-home" = {
       netdevConfig = {
         Name = "vlan-home";
@@ -67,6 +74,7 @@
     networks."40-vlans" = {
       matchConfig.Name = "lan01";
       vlan = [
+        "vlan-fritz"
         "vlan-home"
         "vlan-services"
         "vlan-devices"
diff --git a/hosts/nucnix/secrets/secrets.nix.age b/hosts/nucnix/secrets/secrets.nix.age
index be0161d..0df3d44 100644
Binary files a/hosts/nucnix/secrets/secrets.nix.age and b/hosts/nucnix/secrets/secrets.nix.age differ
diff --git a/hosts/nucnix/secrets/secureboot.tar.age b/hosts/nucnix/secrets/secureboot.tar.age
new file mode 100644
index 0000000..013edfc
Binary files /dev/null and b/hosts/nucnix/secrets/secureboot.tar.age differ
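Review bot: Dropping the `v0.3.0` tag from the lanzaboote `url` in flake.nix makes `nix flake update` follow that repository's default branch instead of a release, for the component that signs the boot chain; flake.lock still pins a concrete rev, so builds stay reproducible until the next update. A one-line comment above the url explaining why the tag was removed and when to re-pin would keep this from being read as an oversight, e.g. `# Unpinned on purpose: <reason>; re-pin to the next tagged release.` — the diff does not show what motivated it.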
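Review bot: The new `netdevs."40-vlan-fritz"` in the first net.nix hunk (and the matching `"vlan-fritz"` entry in the second) creates the VLAN interface, but no `networks` unit for `vlan-fritz` appears in this diff, so the interface would come up with no address or policy unless it is configured elsewhere in the file, outside these hunks. If the nftables firewall in this config assigns zones by interface name, `vlan-fritz` needs to be placed in a zone as well, otherwise it falls under whatever the default policy is. A comment stating what VLAN 2 carries and how far it is trusted would also help, e.g. `# VLAN 2: <segment purpose — fill in>`.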
diff --git a/secureboot.tar b/secureboot.tar
new file mode 100644
index 0000000..2e3156b
Binary files /dev/null and b/secureboot.tar differ
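Review bot: `secureboot.tar` is added to the repository root as a plain, unencrypted archive, while the README hunk in this same commit describes exactly that file as the tarball of `/var/lib/sbctl` (the Secure Boot signing keys) that is meant to be encrypted with rage and then deleted; only `hosts/nucnix/secrets/secureboot.tar.age` belongs in the repo. Removing it in a later commit would not help because it stays in history, so the keys inside should be treated as exposed: drop it from this commit (`git rm --cached secureboot.tar`, and add it to `.gitignore`), then regenerate with `sbctl create-keys` and re-enrol before any host relies on them. I cannot see the archive contents, so this assumes it is what the README describes.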