patrick/nix-config
1
1
Fork 0
Code Issues Pull requests Projects Wiki Activity

chore: nucnix secureboot

Browse source
This commit is contained in:
Patrick 2024-12-17 21:54:26 +01:00
parent 7b756ebaac
commit 0bdd15c113
Signed by: patrick
GPG key ID: 451F95EFB8BECD0F
10 changed files with 85 additions and 86 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
README.md
View file

@ -90,15 +90,13 @@ These are notable external flakes which this config depend upon
### Add secureboot to new systems
1. generate keys with `sbct create-keys`
1. tar the resulting folder using `tar cvf secureboot.tar -C /etc/secureboot .`
1. generate keys with `sbctl create-keys`
1. tar the resulting folder using `tar cvf secureboot.tar -C /var/lib/sbctl .`
1. Copy the tar to local using scp and encrypt it using rage
- `rage -e -R ./secrets/recipients.txt secureboot.tar -o <host>/secrets/secureboot.tar.age`
1. safe the encrypted archive to `hosts/<host>/secrets/secureboot.tar.age`
1. *DO NOT* forget to delete the unecrypted archives
1. Deploy your system with lanzaboote enabled
- link `/run/secureboot` to `/etc/secureboot`
- This is necesarry since for your this apply the rekeyed keys are not yet available but already needed for signing the boot files
1. ensure the boot files are signed using `sbctl verify`
1. Now reboot the computer into BIOS and enable secureboot,
this may include removing any existing old keys

3
config/services/netbird.nix
View file

@ -79,7 +79,8 @@
management = {
port = 3000;
dnsDomain = "internal.${config.secrets.secrets.global.domains.web}";
# DNS server should do the lookup this is not used
dnsDomain = "internal.invalid";
singleAccountModeDomain = "netbird.patrick";
oidcConfigEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird/.well-known/openid-configuration";
settings = {

15
config/support/secureboot.nix
View file

@ -8,15 +8,16 @@
lib.optionalAttrs (!minimal) {
environment.systemPackages = [
# For debugging and troubleshooting Secure Boot.
(pkgs.sbctl.override { databasePath = "/run/secureboot"; })
pkgs.sbctl
];
age.secrets.secureboot.rekeyFile = ../../hosts/${config.node.name}/secrets/secureboot.tar.age;
system.activationScripts.securebootuntar = {
# TODO sbctl config file
text = ''
rm -r /run/secureboot || true
mkdir -p /run/secureboot
chmod 700 /run/secureboot
${pkgs.gnutar}/bin/tar xf ${config.age.secrets.secureboot.path} -C /run/secureboot || true
rm -r /var/lib/sbctl || true
mkdir -p /var/lib/sbctl
chmod 700 /var/lib/sbctl
${pkgs.gnutar}/bin/tar xf ${config.age.secrets.secureboot.path} -C /var/lib/sbctl || true
'';
deps = [ "agenix" ];
};
@ -29,8 +30,6 @@ lib.optionalAttrs (!minimal) {
boot.lanzaboote = {
enable = true;
# Not usable anyway
#enrollKeys = true;
pkiBundle = "/run/secureboot";
pkiBundle = "/var/lib/sbctl/";
};
}

136
flake.lock
View file

@ -134,29 +134,14 @@
},
"crane_2": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"nixpkgs": [
"lanzaboote",
"nixpkgs"
],
"rust-overlay": [
"lanzaboote",
"rust-overlay"
]
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1681177078,
"narHash": "sha256-ZNIjBDou2GOabcpctiQykEQVkI8BDwk7TyvlWlI4myE=",
"lastModified": 1717535930,
"narHash": "sha256-1hZ/txnbd/RmiBPNUs7i8UQw2N89uAK3UzrGAWdnFfU=",
"owner": "ipetkov",
"repo": "crane",
"rev": "0c9f468ff00576577d83f5019a66c557ede5acf6",
"rev": "55e7754ec31dac78980c8be45f8a28e80e370946",
"type": "github"
},
"original": {
@ -553,11 +538,11 @@
"flake-compat_4": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
@ -707,11 +692,11 @@
]
},
"locked": {
"lastModified": 1680392223,
"narHash": "sha256-n3g7QFr85lDODKt250rkZj2IFS3i4/8HBU2yKHO3tqw=",
"lastModified": 1717285511,
"narHash": "sha256-iKzJcpdXih14qYVcZ9QC9XuZYnPc6T8YImb6dX166kw=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "dcc36e45d054d7bb554c9cdab69093debd91a0b5",
"rev": "2a55567fcf15b1b1c7ed712a2c6fadaec7412ea8",
"type": "github"
},
"original": {
@ -786,11 +771,11 @@
"systems": "systems_2"
},
"locked": {
"lastModified": 1681202837,
"narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "cfacdce06f30d2b68473a46042957675eebb3401",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
@ -1009,11 +994,11 @@
]
},
"locked": {
"lastModified": 1660459072,
"narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
@ -1283,7 +1268,6 @@
"crane": "crane_2",
"flake-compat": "flake-compat_4",
"flake-parts": "flake-parts_4",
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
],
@ -1291,16 +1275,15 @@
"rust-overlay": "rust-overlay_2"
},
"locked": {
"lastModified": 1682802423,
"narHash": "sha256-Fb5TeRTdvUlo/5Yi2d+FC8a6KoRLk2h1VE0/peMhWPs=",
"lastModified": 1731941836,
"narHash": "sha256-zpmAzrvK8KdssBSwiIwwRxaUJ77oWORbW0XFvgCFpTE=",
"owner": "nix-community",
"repo": "lanzaboote",
"rev": "64b903ca87d18cef2752c19c098af275c6e51d63",
"rev": "2f48272f34174fd2a5ab3df4d8a46919247be879",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "v0.3.0",
"repo": "lanzaboote",
"type": "github"
}
@ -1423,7 +1406,7 @@
"crane": "crane_3",
"dream2nix": "dream2nix_2",
"mk-naked-shell": "mk-naked-shell_2",
"nixpkgs": "nixpkgs_2",
"nixpkgs": "nixpkgs_3",
"parts": "parts_2",
"rust-overlay": "rust-overlay_3",
"treefmt": "treefmt_2"
@ -1467,7 +1450,7 @@
"inputs": {
"flake-parts": "flake-parts_6",
"nix-github-actions": "nix-github-actions",
"nixpkgs": "nixpkgs_7",
"nixpkgs": "nixpkgs_8",
"treefmt-nix": "treefmt-nix_4"
},
"locked": {
@ -1530,7 +1513,7 @@
"inputs": {
"devshell": "devshell_4",
"flake-utils": "flake-utils_3",
"nixpkgs": "nixpkgs",
"nixpkgs": "nixpkgs_2",
"pre-commit-hooks": "pre-commit-hooks_3"
},
"locked": {
@ -1648,7 +1631,7 @@
"devshell": "devshell_6",
"flake-parts": "flake-parts_5",
"nci": "nci_2",
"nixpkgs": "nixpkgs_3",
"nixpkgs": "nixpkgs_4",
"pre-commit-hooks": "pre-commit-hooks_5",
"treefmt-nix": "treefmt-nix_3"
},
@ -1668,16 +1651,16 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1730531603,
"narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=",
"lastModified": 1734126203,
"narHash": "sha256-0XovF7BYP50rTD2v4r55tR5MuBLet7q4xIz6Rgh3BBU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d",
"rev": "71a6392e367b08525ee710a93af2e80083b5b3e2",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
@ -1779,16 +1762,16 @@
},
"nixpkgs-stable_3": {
"locked": {
"lastModified": 1678872516,
"narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=",
"lastModified": 1710695816,
"narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "9b8e5abb18324c7fe9f07cb100c3cd4a29cda8b8",
"rev": "614b4613980a522ba49f0d194531beddbb7220d3",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-22.11",
"ref": "nixos-23.11",
"repo": "nixpkgs",
"type": "github"
}
@ -1865,6 +1848,22 @@
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1730531603,
"narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1731139594,
"narHash": "sha256-IigrKK3vYRpUu+HEjPL/phrfh7Ox881er1UEsZvw9Q4=",
@ -1880,7 +1879,7 @@
"type": "github"
}
},
"nixpkgs_3": {
"nixpkgs_4": {
"locked": {
"lastModified": 1731319897,
"narHash": "sha256-PbABj4tnbWFMfBp6OcUK5iGy1QY+/Z96ZcLpooIbuEI=",
@ -1896,7 +1895,7 @@
"type": "github"
}
},
"nixpkgs_4": {
"nixpkgs_5": {
"locked": {
"lastModified": 1730768919,
"narHash": "sha256-8AKquNnnSaJRXZxc5YmF/WfmxiHX6MMZZasRP6RRQkE=",
@ -1912,7 +1911,7 @@
"type": "github"
}
},
"nixpkgs_5": {
"nixpkgs_6": {
"locked": {
"lastModified": 1726871744,
"narHash": "sha256-V5LpfdHyQkUF7RfOaDPrZDP+oqz88lTJrMT1+stXNwo=",
@ -1928,7 +1927,7 @@
"type": "github"
}
},
"nixpkgs_6": {
"nixpkgs_7": {
"locked": {
"lastModified": 1734119587,
"narHash": "sha256-AKU6qqskl0yf2+JdRdD0cfxX4b9x3KKV5RqA6wijmPM=",
@ -1944,7 +1943,7 @@
"type": "github"
}
},
"nixpkgs_7": {
"nixpkgs_8": {
"locked": {
"lastModified": 1732238832,
"narHash": "sha256-sQxuJm8rHY20xq6Ah+GwIUkF95tWjGRd1X8xF+Pkk38=",
@ -1960,7 +1959,7 @@
"type": "github"
}
},
"nixpkgs_8": {
"nixpkgs_9": {
"locked": {
"lastModified": 1725194671,
"narHash": "sha256-tLGCFEFTB5TaOKkpfw3iYT9dnk4awTP/q4w+ROpMfuw=",
@ -2101,10 +2100,6 @@
"lanzaboote",
"flake-compat"
],
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"gitignore": "gitignore_3",
"nixpkgs": [
"lanzaboote",
@ -2113,11 +2108,11 @@
"nixpkgs-stable": "nixpkgs-stable_3"
},
"locked": {
"lastModified": 1681413034,
"narHash": "sha256-/t7OjNQcNkeWeSq/CFLYVBfm+IEnkjoSm9iKvArnUUI=",
"lastModified": 1717664902,
"narHash": "sha256-7XfBuLULizXjXfBYy/VV+SpYMHreNRHk9nKMsm1bgb4=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "d3de8f69ca88fb6f8b09e5b598be5ac98d28ede5",
"rev": "cc4d466cb1254af050ff7bdf47f6d404a7c646d1",
"type": "github"
},
"original": {
@ -2209,7 +2204,7 @@
"inputs": {
"flake-compat": "flake-compat_8",
"gitignore": "gitignore_6",
"nixpkgs": "nixpkgs_4",
"nixpkgs": "nixpkgs_5",
"nixpkgs-stable": "nixpkgs-stable_5"
},
"locked": {
@ -2352,7 +2347,7 @@
"nixos-hardware": "nixos-hardware",
"nixos-nftables-firewall": "nixos-nftables-firewall",
"nixp-meta": "nixp-meta",
"nixpkgs": "nixpkgs_6",
"nixpkgs": "nixpkgs_7",
"nixpkgs-wayland": "nixpkgs-wayland",
"nixvim": "nixvim",
"pre-commit-hooks": "pre-commit-hooks_6",
@ -2386,21 +2381,18 @@
},
"rust-overlay_2": {
"inputs": {
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"flake-utils": "flake-utils",
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1682129965,
"narHash": "sha256-1KRPIorEL6pLpJR04FwAqqnt4Tzcm4MqD84yhlD+XSk=",
"lastModified": 1717813066,
"narHash": "sha256-wqbRwq3i7g5EHIui0bIi84mdqZ/It1AXBSLJ5tafD28=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "2c417c0460b788328220120c698630947547ee83",
"rev": "6dc3e45fe4aee36efeed24d64fc68b1f989d5465",
"type": "github"
},
"original": {
@ -2526,7 +2518,7 @@
"flake-utils": "flake-utils_7",
"gnome-shell": "gnome-shell",
"home-manager": "home-manager_3",
"nixpkgs": "nixpkgs_8",
"nixpkgs": "nixpkgs_9",
"systems": "systems_9",
"tinted-foot": "tinted-foot",
"tinted-kitty": "tinted-kitty",
@ -2827,7 +2819,7 @@
},
"treefmt-nix_3": {
"inputs": {
"nixpkgs": "nixpkgs_5"
"nixpkgs": "nixpkgs_6"
},
"locked": {
"lastModified": 1730321837,

2
flake.nix
View file

@ -85,7 +85,7 @@
};
lanzaboote = {
url = "github:nix-community/lanzaboote/v0.3.0";
url = "github:nix-community/lanzaboote";
inputs.nixpkgs.follows = "nixpkgs";
};

1
hosts/nucnix/default.nix
View file

@ -16,6 +16,7 @@
../../config/support/physical.nix
../../config/support/zfs.nix
../../config/support/server.nix
../../config/support/secureboot.nix
./net.nix
./fs.nix

8
hosts/nucnix/net.nix
View file

@ -23,6 +23,13 @@
};
};
};
netdevs."40-vlan-fritz" = {
netdevConfig = {
Name = "vlan-fritz";
Kind = "vlan";
};
vlanConfig.Id = 2;
};
netdevs."40-vlan-home" = {
netdevConfig = {
Name = "vlan-home";
@ -67,6 +74,7 @@
networks."40-vlans" = {
matchConfig.Name = "lan01";
vlan = [
"vlan-fritz"
"vlan-home"
"vlan-services"
"vlan-devices"

BIN
hosts/nucnix/secrets/secrets.nix.age
View file

Binary file not shown.

BIN
hosts/nucnix/secrets/secureboot.tar.age Normal file
View file

Binary file not shown.

BIN
secureboot.tar Normal file
View file

Binary file not shown.