diff --git a/README.md b/README.md
index 550653f..49aa4e9 100644
--- a/README.md
+++ b/README.md
@@ -90,15 +90,13 @@ These are notable external flakes which this config depend upon
 ### Add secureboot to new systems
-1. generate keys with `sbct create-keys`
-1. tar the resulting folder using `tar cvf secureboot.tar -C /etc/secureboot .`
+1. generate keys with `sbctl create-keys`
+1. tar the resulting folder using `tar cvf secureboot.tar -C /var/lib/sbctl .`
 1. Copy the tar to local using scp and encrypt it using rage
    - `rage -e -R ./secrets/recipients.txt secureboot.tar -o /secrets/secureboot.tar.age`
 1. safe the encrypted archive to `hosts//secrets/secureboot.tar.age`
 1. *DO NOT* forget to delete the unecrypted archives
 1. Deploy your system with lanzaboote enabled
-   - link `/run/secureboot` to `/etc/secureboot`
-   - This is necesarry since for your this apply the rekeyed keys are not yet available but already needed for signing the boot files
 1. ensure the boot files are signed using `sbctl verify`
 1. Now reboot the computer into BIOS and enable secureboot, this may include removing any existing old keys
diff --git a/config/services/netbird.nix b/config/services/netbird.nix
index 502b0c2..ea66105 100644
--- a/config/services/netbird.nix
+++ b/config/services/netbird.nix
@@ -79,7 +79,8 @@
       management = {
         port = 3000;
-        dnsDomain = "internal.${config.secrets.secrets.global.domains.web}";
+        # DNS server should do the lookup this is not used
+        dnsDomain = "internal.invalid";
         singleAccountModeDomain = "netbird.patrick";
         oidcConfigEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird/.well-known/openid-configuration";
         settings = {
diff --git a/config/support/secureboot.nix b/config/support/secureboot.nix
index 085aa7b..612f5de 100644
--- a/config/support/secureboot.nix
+++ b/config/support/secureboot.nix
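Review bot: The new comment above `dnsDomain` is ambiguous — "DNS server should do the lookup this is not used" does not say what is unused or which server does the lookup. Something like `# Not used by this deployment: resolution of the internal domain is handled by the DNS server, not by netbird management.` would also make clear that the `.invalid` value is a deliberate placeholder (the `.invalid` TLD is reserved and can never resolve publicly), not a typo for a real domain. If the management service still hands `dnsDomain` to peers as their netbird search/resolution domain, which cannot be told from this hunk, the placeholder would reach clients, so that is worth confirming before the option is treated as unused.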
@@ -8,15 +8,16 @@ lib.optionalAttrs (!minimal) {
   environment.systemPackages = [
     # For debugging and troubleshooting Secure Boot.
-    (pkgs.sbctl.override { databasePath = "/run/secureboot"; })
+    pkgs.sbctl
   ];
   age.secrets.secureboot.rekeyFile = ../../hosts/${config.node.name}/secrets/secureboot.tar.age;
   system.activationScripts.securebootuntar = {
+    # TODO sbctl config file
     text = ''
-      rm -r /run/secureboot || true
-      mkdir -p /run/secureboot
-      chmod 700 /run/secureboot
-      ${pkgs.gnutar}/bin/tar xf ${config.age.secrets.secureboot.path} -C /run/secureboot || true
+      rm -r /var/lib/sbctl || true
+      mkdir -p /var/lib/sbctl
+      chmod 700 /var/lib/sbctl
+      ${pkgs.gnutar}/bin/tar xf ${config.age.secrets.secureboot.path} -C /var/lib/sbctl || true
     '';
     deps = [ "agenix" ];
   };
@@ -29,8 +30,6 @@ lib.optionalAttrs (!minimal) {
   boot.lanzaboote = {
     enable = true;
-    # Not usable anyway
-    #enrollKeys = true;
-    pkiBundle = "/run/secureboot";
+    pkiBundle = "/var/lib/sbctl/";
   };
 }
diff --git a/flake.lock b/flake.lock
index f075d9a..112b0b5 100644
--- a/flake.lock
+++ b/flake.lock
@@ -134,29 +134,14 @@
     },
     "crane_2": {
       "inputs": {
-        "flake-compat": [
-          "lanzaboote",
-          "flake-compat"
-        ],
-        "flake-utils": [
-          "lanzaboote",
-          "flake-utils"
-        ],
-        "nixpkgs": [
-          "lanzaboote",
-          "nixpkgs"
-        ],
-        "rust-overlay": [
-          "lanzaboote",
-          "rust-overlay"
-        ]
+        "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1681177078,
-        "narHash": "sha256-ZNIjBDou2GOabcpctiQykEQVkI8BDwk7TyvlWlI4myE=",
+        "lastModified": 1717535930,
+        "narHash": "sha256-1hZ/txnbd/RmiBPNUs7i8UQw2N89uAK3UzrGAWdnFfU=",
         "owner": "ipetkov",
         "repo": "crane",
-        "rev": "0c9f468ff00576577d83f5019a66c557ede5acf6",
+        "rev": "55e7754ec31dac78980c8be45f8a28e80e370946",
         "type": "github"
       },
       "original": {
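Review bot: The `|| true` on the tar line swallows a failed extraction, so when the agenix secret is absent or does not decrypt, activation reports success with an empty `/var/lib/sbctl` and the problem only shows up later when lanzaboote tries to sign against a `pkiBundle` that contains no keys; dropping the guard on that one line, `${pkgs.gnutar}/bin/tar xf ${config.age.secrets.secureboot.path} -C /var/lib/sbctl`, surfaces the error where its cause is visible (the `|| true` on `rm -r` is fine for the first run). `mkdir -p /var/lib/sbctl` followed by a separate `chmod 700` briefly leaves the directory at umask permissions; `mkdir -p -m 700 /var/lib/sbctl` does both in one step and drops a line. Replacing the `databasePath = "/run/secureboot"` override with plain `pkgs.sbctl` presumably relies on the packaged sbctl defaulting to `/var/lib/sbctl`, and the `# TODO sbctl config file` comment suggests that is not settled — the comment should state which default is assumed, since the README's `sbctl verify` step depends on it. The enclosing `lib.optionalAttrs (!minimal) { … }` attrset starts before this hunk.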
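Review bot: `pkiBundle = "/var/lib/sbctl/"` carries a trailing slash while the activation script in the previous hunk and the README spell the same location as `/var/lib/sbctl`; lanzaboote most likely normalises the path either way, but the key directory should be spelled identically everywhere so a search for it finds every reference, `pkiBundle = "/var/lib/sbctl";`. The enclosing attrset starts before this hunk.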
@@ -553,11 +538,11 @@
     "flake-compat_4": {
       "flake": false,
       "locked": {
-        "lastModified": 1673956053,
-        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
         "type": "github"
       },
       "original": {
@@ -707,11 +692,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1680392223,
-        "narHash": "sha256-n3g7QFr85lDODKt250rkZj2IFS3i4/8HBU2yKHO3tqw=",
+        "lastModified": 1717285511,
+        "narHash": "sha256-iKzJcpdXih14qYVcZ9QC9XuZYnPc6T8YImb6dX166kw=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "dcc36e45d054d7bb554c9cdab69093debd91a0b5",
+        "rev": "2a55567fcf15b1b1c7ed712a2c6fadaec7412ea8",
         "type": "github"
       },
       "original": {
@@ -786,11 +771,11 @@
         "systems": "systems_2"
       },
       "locked": {
-        "lastModified": 1681202837,
-        "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
         "type": "github"
       },
       "original": {
@@ -1009,11 +994,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1660459072,
-        "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
         "owner": "hercules-ci",
         "repo": "gitignore.nix",
-        "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
         "type": "github"
       },
       "original": {
@@ -1283,7 +1268,6 @@
         "crane": "crane_2",
         "flake-compat": "flake-compat_4",
         "flake-parts": "flake-parts_4",
-        "flake-utils": "flake-utils",
         "nixpkgs": [
           "nixpkgs"
         ],
@@ -1291,16 +1275,15 @@
         "rust-overlay": "rust-overlay_2"
       },
       "locked": {
-        "lastModified": 1682802423,
-        "narHash": "sha256-Fb5TeRTdvUlo/5Yi2d+FC8a6KoRLk2h1VE0/peMhWPs=",
+        "lastModified": 1731941836,
+        "narHash": "sha256-zpmAzrvK8KdssBSwiIwwRxaUJ77oWORbW0XFvgCFpTE=",
         "owner": "nix-community",
         "repo": "lanzaboote",
-        "rev": "64b903ca87d18cef2752c19c098af275c6e51d63",
+        "rev": "2f48272f34174fd2a5ab3df4d8a46919247be879",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
-        "ref": "v0.3.0",
         "repo": "lanzaboote",
         "type": "github"
       }
@@ -1423,7 +1406,7 @@
         "crane": "crane_3",
         "dream2nix": "dream2nix_2",
         "mk-naked-shell": "mk-naked-shell_2",
-        "nixpkgs": "nixpkgs_2",
+        "nixpkgs": "nixpkgs_3",
         "parts": "parts_2",
         "rust-overlay": "rust-overlay_3",
         "treefmt": "treefmt_2"
@@ -1467,7 +1450,7 @@
       "inputs": {
         "flake-parts": "flake-parts_6",
         "nix-github-actions": "nix-github-actions",
-        "nixpkgs": "nixpkgs_7",
+        "nixpkgs": "nixpkgs_8",
         "treefmt-nix": "treefmt-nix_4"
       },
       "locked": {
@@ -1530,7 +1513,7 @@
       "inputs": {
         "devshell": "devshell_4",
         "flake-utils": "flake-utils_3",
-        "nixpkgs": "nixpkgs",
+        "nixpkgs": "nixpkgs_2",
         "pre-commit-hooks": "pre-commit-hooks_3"
       },
       "locked": {
@@ -1648,7 +1631,7 @@
         "devshell": "devshell_6",
         "flake-parts": "flake-parts_5",
         "nci": "nci_2",
-        "nixpkgs": "nixpkgs_3",
+        "nixpkgs": "nixpkgs_4",
         "pre-commit-hooks": "pre-commit-hooks_5",
         "treefmt-nix": "treefmt-nix_3"
       },
@@ -1668,16 +1651,16 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1730531603,
-        "narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=",
+        "lastModified": 1734126203,
+        "narHash": "sha256-0XovF7BYP50rTD2v4r55tR5MuBLet7q4xIz6Rgh3BBU=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d",
+        "rev": "71a6392e367b08525ee710a93af2e80083b5b3e2",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-unstable",
+        "ref": "nixpkgs-unstable",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -1779,16 +1762,16 @@
     },
     "nixpkgs-stable_3": {
       "locked": {
-        "lastModified": 1678872516,
-        "narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=",
+        "lastModified": 1710695816,
+        "narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "9b8e5abb18324c7fe9f07cb100c3cd4a29cda8b8",
+        "rev": "614b4613980a522ba49f0d194531beddbb7220d3",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-22.11",
+        "ref": "nixos-23.11",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -1865,6 +1848,22 @@
       }
     },
     "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1730531603,
+        "narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_3": {
       "locked": {
         "lastModified": 1731139594,
         "narHash": "sha256-IigrKK3vYRpUu+HEjPL/phrfh7Ox881er1UEsZvw9Q4=",
@@ -1880,7 +1879,7 @@
         "type": "github"
       }
     },
-    "nixpkgs_3": {
+    "nixpkgs_4": {
       "locked": {
         "lastModified": 1731319897,
         "narHash": "sha256-PbABj4tnbWFMfBp6OcUK5iGy1QY+/Z96ZcLpooIbuEI=",
@@ -1896,7 +1895,7 @@
         "type": "github"
       }
     },
-    "nixpkgs_4": {
+    "nixpkgs_5": {
       "locked": {
         "lastModified": 1730768919,
         "narHash": "sha256-8AKquNnnSaJRXZxc5YmF/WfmxiHX6MMZZasRP6RRQkE=",
@@ -1912,7 +1911,7 @@
         "type": "github"
       }
     },
-    "nixpkgs_5": {
+    "nixpkgs_6": {
       "locked": {
         "lastModified": 1726871744,
         "narHash": "sha256-V5LpfdHyQkUF7RfOaDPrZDP+oqz88lTJrMT1+stXNwo=",
@@ -1928,7 +1927,7 @@
         "type": "github"
       }
     },
-    "nixpkgs_6": {
+    "nixpkgs_7": {
       "locked": {
         "lastModified": 1734119587,
         "narHash": "sha256-AKU6qqskl0yf2+JdRdD0cfxX4b9x3KKV5RqA6wijmPM=",
@@ -1944,7 +1943,7 @@
         "type": "github"
       }
     },
-    "nixpkgs_7": {
+    "nixpkgs_8": {
       "locked": {
         "lastModified": 1732238832,
         "narHash": "sha256-sQxuJm8rHY20xq6Ah+GwIUkF95tWjGRd1X8xF+Pkk38=",
@@ -1960,7 +1959,7 @@
         "type": "github"
       }
     },
-    "nixpkgs_8": {
+    "nixpkgs_9": {
       "locked": {
         "lastModified": 1725194671,
         "narHash": "sha256-tLGCFEFTB5TaOKkpfw3iYT9dnk4awTP/q4w+ROpMfuw=",
@@ -2101,10 +2100,6 @@
           "lanzaboote",
           "flake-compat"
         ],
-        "flake-utils": [
-          "lanzaboote",
-          "flake-utils"
-        ],
         "gitignore": "gitignore_3",
         "nixpkgs": [
           "lanzaboote",
@@ -2113,11 +2108,11 @@
         "nixpkgs-stable": "nixpkgs-stable_3"
       },
       "locked": {
-        "lastModified": 1681413034,
-        "narHash": "sha256-/t7OjNQcNkeWeSq/CFLYVBfm+IEnkjoSm9iKvArnUUI=",
+        "lastModified": 1717664902,
+        "narHash": "sha256-7XfBuLULizXjXfBYy/VV+SpYMHreNRHk9nKMsm1bgb4=",
         "owner": "cachix",
         "repo": "pre-commit-hooks.nix",
-        "rev": "d3de8f69ca88fb6f8b09e5b598be5ac98d28ede5",
+        "rev": "cc4d466cb1254af050ff7bdf47f6d404a7c646d1",
         "type": "github"
       },
       "original": {
@@ -2209,7 +2204,7 @@
       "inputs": {
         "flake-compat": "flake-compat_8",
         "gitignore": "gitignore_6",
-        "nixpkgs": "nixpkgs_4",
+        "nixpkgs": "nixpkgs_5",
         "nixpkgs-stable": "nixpkgs-stable_5"
       },
       "locked": {
@@ -2352,7 +2347,7 @@
         "nixos-hardware": "nixos-hardware",
         "nixos-nftables-firewall": "nixos-nftables-firewall",
         "nixp-meta": "nixp-meta",
-        "nixpkgs": "nixpkgs_6",
+        "nixpkgs": "nixpkgs_7",
         "nixpkgs-wayland": "nixpkgs-wayland",
         "nixvim": "nixvim",
         "pre-commit-hooks": "pre-commit-hooks_6",
@@ -2386,21 +2381,18 @@
     },
     "rust-overlay_2": {
       "inputs": {
-        "flake-utils": [
-          "lanzaboote",
-          "flake-utils"
-        ],
+        "flake-utils": "flake-utils",
         "nixpkgs": [
           "lanzaboote",
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1682129965,
-        "narHash": "sha256-1KRPIorEL6pLpJR04FwAqqnt4Tzcm4MqD84yhlD+XSk=",
+        "lastModified": 1717813066,
+        "narHash": "sha256-wqbRwq3i7g5EHIui0bIi84mdqZ/It1AXBSLJ5tafD28=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "2c417c0460b788328220120c698630947547ee83",
+        "rev": "6dc3e45fe4aee36efeed24d64fc68b1f989d5465",
         "type": "github"
       },
       "original": {
@@ -2526,7 +2518,7 @@
         "flake-utils": "flake-utils_7",
         "gnome-shell": "gnome-shell",
         "home-manager": "home-manager_3",
-        "nixpkgs": "nixpkgs_8",
+        "nixpkgs": "nixpkgs_9",
         "systems": "systems_9",
         "tinted-foot": "tinted-foot",
         "tinted-kitty": "tinted-kitty",
@@ -2827,7 +2819,7 @@
     },
     "treefmt-nix_3": {
       "inputs": {
-        "nixpkgs": "nixpkgs_5"
+        "nixpkgs": "nixpkgs_6"
       },
       "locked": {
         "lastModified": 1730321837,
diff --git a/flake.nix b/flake.nix
index 20dc481..cae7645 100644
--- a/flake.nix
+++ b/flake.nix
@@ -85,7 +85,7 @@
     };
     lanzaboote = {
-      url = "github:nix-community/lanzaboote/v0.3.0";
+      url = "github:nix-community/lanzaboote";
       inputs.nixpkgs.follows = "nixpkgs";
     };
diff --git a/hosts/nucnix/default.nix b/hosts/nucnix/default.nix
index c36938f..2b6efd7 100644
--- a/hosts/nucnix/default.nix
+++ b/hosts/nucnix/default.nix
@@ -16,6 +16,7 @@
     ../../config/support/physical.nix
     ../../config/support/zfs.nix
     ../../config/support/server.nix
+    ../../config/support/secureboot.nix
     ./net.nix
     ./fs.nix
diff --git a/hosts/nucnix/net.nix b/hosts/nucnix/net.nix
index aba7402..625c1f8 100644
--- a/hosts/nucnix/net.nix
+++ b/hosts/nucnix/net.nix
@@ -23,6 +23,13 @@
       };
     };
   };
+  netdevs."40-vlan-fritz" = {
+    netdevConfig = {
+      Name = "vlan-fritz";
+      Kind = "vlan";
+    };
+    vlanConfig.Id = 2;
+  };
   netdevs."40-vlan-home" = {
     netdevConfig = {
       Name = "vlan-home";
@@ -67,6 +74,7 @@
   networks."40-vlans" = {
     matchConfig.Name = "lan01";
     vlan = [
+      "vlan-fritz"
       "vlan-home"
       "vlan-services"
       "vlan-devices"
diff --git a/hosts/nucnix/secrets/secrets.nix.age b/hosts/nucnix/secrets/secrets.nix.age
index be0161d..0df3d44 100644
Binary files a/hosts/nucnix/secrets/secrets.nix.age and b/hosts/nucnix/secrets/secrets.nix.age differ
diff --git a/hosts/nucnix/secrets/secureboot.tar.age b/hosts/nucnix/secrets/secureboot.tar.age
new file mode 100644
index 0000000..013edfc
Binary files /dev/null and b/hosts/nucnix/secrets/secureboot.tar.age differ
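Review bot: Dropping the `/v0.3.0` suffix makes the `lanzaboote` input follow the repository's default branch, so every future `nix flake update` moves the component that signs this machine's boot chain to whatever commit is at the branch head rather than to a reviewed release. flake.lock still records an exact rev (the `2f48272f…` entry in this same commit), so builds remain reproducible, but the update surface widens from "a tagged release" to "any push to the branch", which for the Secure Boot signing path deserves an explanation next to the line — the commit does not say why the tag was removed. Either re-pin to a newer release, `url = "github:nix-community/lanzaboote/<release-tag>";`, or keep the branch and add a comment such as `# intentionally unpinned: <reason>; review the rev on every flake update` so the choice is visible to the next person running an update.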
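Review bot: The new `vlan-fritz` netdev (VLAN id 2) is attached to `lan01` in the second hunk of this file, but the diff adds no `networks` entry for it, so the interface comes up with no address configuration and, if the firewall assigns zones by interface name, with no firewall zone either — whether that is intended cannot be told from the hunk. If the VLAN is only meant to exist as a tagged carrier, a one-line comment such as `# carrier-only VLAN towards the fritz network; no L3 configuration on this host` would make that explicit; if it is meant to carry traffic, the matching `networks` entry and its firewall placement belong in the same commit as the netdev. The enclosing attrset (presumably `systemd.network`) starts before the hunk.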