diff --git a/flake.lock b/flake.lock index 73733f5..6478a9f 100644 --- a/flake.lock +++ b/flake.lock @@ -69,6 +69,39 @@ "type": "github" } }, + "crane": { + "inputs": { + "flake-compat": [ + "lanzaboote", + "flake-compat" + ], + "flake-utils": [ + "lanzaboote", + "flake-utils" + ], + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ], + "rust-overlay": [ + "lanzaboote", + "rust-overlay" + ] + }, + "locked": { + "lastModified": 1681177078, + "narHash": "sha256-ZNIjBDou2GOabcpctiQykEQVkI8BDwk7TyvlWlI4myE=", + "owner": "ipetkov", + "repo": "crane", + "rev": "0c9f468ff00576577d83f5019a66c557ede5acf6", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, "darwin": { "inputs": { "nixpkgs": [ @@ -151,6 +184,22 @@ } }, "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_3": { "locked": { "lastModified": 1688025799, "narHash": "sha256-ktpB4dRtnksm9F5WawoIkEneh1nrEvuxb5lJFt1iOyw=", @@ -165,7 +214,7 @@ "type": "github" } }, - "flake-compat_3": { + "flake-compat_4": { "flake": false, "locked": { "lastModified": 1673956053, @@ -182,6 +231,27 @@ } }, "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1680392223, + "narHash": "sha256-n3g7QFr85lDODKt250rkZj2IFS3i4/8HBU2yKHO3tqw=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "dcc36e45d054d7bb554c9cdab69093debd91a0b5", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { "inputs": { "nixpkgs-lib": [ "nixpkgs-wayland", 
@@ -227,6 +297,24 @@ "inputs": { "systems": "systems" }, + "locked": { + "lastModified": 1681202837, + "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "cfacdce06f30d2b68473a46042957675eebb3401", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_3": { + "inputs": { + "systems": "systems_2" + }, "locked": { "lastModified": 1694529238, "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", @@ -241,9 +329,9 @@ "type": "github" } }, - "flake-utils_3": { + "flake-utils_4": { "inputs": { - "systems": "systems_2" + "systems": "systems_3" }, "locked": { "lastModified": 1685518550, @@ -260,6 +348,28 @@ } }, "gitignore": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "pre-commit-hooks-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1660459072, + "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "gitignore_2": { "inputs": { "nixpkgs": [ "pre-commit-hooks", 
@@ -315,9 +425,36 @@ "type": "github" } }, + "lanzaboote": { + "inputs": { + "crane": "crane", + "flake-compat": "flake-compat_2", + "flake-parts": "flake-parts", + "flake-utils": "flake-utils_2", + "nixpkgs": [ + "nixpkgs" + ], + "pre-commit-hooks-nix": "pre-commit-hooks-nix", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1682802423, + "narHash": "sha256-Fb5TeRTdvUlo/5Yi2d+FC8a6KoRLk2h1VE0/peMhWPs=", + "owner": "nix-community", + "repo": "lanzaboote", + "rev": "64b903ca87d18cef2752c19c098af275c6e51d63", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "v0.3.0", + "repo": "lanzaboote", + "type": "github" + } + }, "lib-aggregate": { "inputs": { - "flake-utils": "flake-utils_2", + "flake-utils": "flake-utils_3", "nixpkgs-lib": "nixpkgs-lib" }, "locked": { @@ -336,7 +473,7 @@ }, "nix-eval-jobs": { "inputs": { - "flake-parts": "flake-parts", + "flake-parts": "flake-parts_2", "nixpkgs": "nixpkgs_2", "treefmt-nix": "treefmt-nix" }, @@ -457,6 +594,22 @@ } }, "nixpkgs-stable": { + "locked": { + "lastModified": 1678872516, + "narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "9b8e5abb18324c7fe9f07cb100c3cd4a29cda8b8", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-22.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable_2": { "locked": { "lastModified": 1685801374, "narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=", @@ -474,7 +627,7 @@ }, "nixpkgs-wayland": { "inputs": { - "flake-compat": "flake-compat_2", + "flake-compat": "flake-compat_3", "lib-aggregate": "lib-aggregate", "nix-eval-jobs": "nix-eval-jobs", "nixpkgs": [ @@ -529,7 +682,7 @@ }, "nixseparatedebuginfod": { "inputs": { - "flake-utils": "flake-utils_3", + "flake-utils": "flake-utils_4", "nixpkgs": "nixpkgs_3" }, "locked": { 
@@ -548,15 +701,15 @@ }, "pre-commit-hooks": { "inputs": { - "flake-compat": "flake-compat_3", + "flake-compat": "flake-compat_4", "flake-utils": [ "flake-utils" ], - "gitignore": "gitignore", + "gitignore": "gitignore_2", "nixpkgs": [ "nixpkgs" ], - "nixpkgs-stable": "nixpkgs-stable" + "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { "lastModified": 1694364351, @@ -572,6 +725,37 @@ "type": "github" } }, + "pre-commit-hooks-nix": { + "inputs": { + "flake-compat": [ + "lanzaboote", + "flake-compat" + ], + "flake-utils": [ + "lanzaboote", + "flake-utils" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1681413034, + "narHash": "sha256-/t7OjNQcNkeWeSq/CFLYVBfm+IEnkjoSm9iKvArnUUI=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "d3de8f69ca88fb6f8b09e5b598be5ac98d28ede5", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "root": { "inputs": { "agenix": "agenix", @@ -582,6 +766,7 @@ "flake-utils": "flake-utils", "home-manager": "home-manager", "impermanence": "impermanence", + "lanzaboote": "lanzaboote", "nix-index-database": "nix-index-database", "nixos-generators": "nixos-generators", "nixos-hardware": "nixos-hardware", 
@@ -589,10 +774,35 @@
 "nixpkgs-wayland": "nixpkgs-wayland",
 "nixseparatedebuginfod": "nixseparatedebuginfod",
 "pre-commit-hooks": "pre-commit-hooks",
- "systems": "systems_3",
+ "systems": "systems_4",
 "templates": "templates"
 }
 },
+ "rust-overlay": {
+ "inputs": {
+ "flake-utils": [
+ "lanzaboote",
+ "flake-utils"
+ ],
+ "nixpkgs": [
+ "lanzaboote",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1682129965,
+ "narHash": "sha256-1KRPIorEL6pLpJR04FwAqqnt4Tzcm4MqD84yhlD+XSk=",
+ "owner": "oxalica",
+ "repo": "rust-overlay",
+ "rev": "2c417c0460b788328220120c698630947547ee83",
+ "type": "github"
+ },
+ "original": {
+ "owner": "oxalica",
+ "repo": "rust-overlay",
+ "type": "github"
+ }
+ },
 "stable": {
 "locked": {
 "lastModified": 1669735802,
@@ -654,6 +864,21 @@
 "type": "github"
 }
 },
+ "systems_4": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
+ },
 "templates": {
 "locked": {
 "lastModified": 1685790891,
diff --git a/flake.nix b/flake.nix
index 678375a..aeeb243 100644
--- a/flake.nix
+++ b/flake.nix
@@ -72,6 +72,11 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
 nixseparatedebuginfod.url = "github:symphorien/nixseparatedebuginfod";
+ lanzaboote = {
+ url = "github:nix-community/lanzaboote/v0.3.0";
+
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
 outputs = {
diff --git a/hosts/testienix/default.nix b/hosts/testienix/default.nix
index b43de75..84202b1 100644
--- a/hosts/testienix/default.nix
+++ b/hosts/testienix/default.nix
@@ -6,6 +6,7 @@
 # TODO: sollte entfernt werden für server
 ../../modules/config
 ../../modules/optional/initrd-ssh.nix
+ ../../modules/optional/secureboot.nix
 ../../modules/hardware/intel.nix
 ../../modules/hardware/physical.nix
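Review bot: The blank line between `url = "github:nix-community/lanzaboote/v0.3.0";` and `inputs.nixpkgs.follows = "nixpkgs";` inside the new `lanzaboote` attribute set in flake.nix breaks with the neighbouring inputs in this hunk, which keep `url` and `follows` adjacent; dropping it keeps the attrset compact and consistent. The `v0.3.0` ref is resolved to a fixed `rev` in the flake.lock hunks above, so the tag moving upstream will not change what is built until the lock is updated.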
diff --git a/hosts/testienix/secrets/secureboot.tar.age b/hosts/testienix/secrets/secureboot.tar.age
new file mode 100644
index 0000000..2a25e4b
Binary files /dev/null and b/hosts/testienix/secrets/secureboot.tar.age differ
diff --git a/modules/config/default.nix b/modules/config/default.nix
index 3cc6607..9620718 100644
--- a/modules/config/default.nix
+++ b/modules/config/default.nix
@@ -25,6 +25,7 @@
 inputs.agenix-rekey.nixosModules.default
 inputs.disko.nixosModules.disko
 inputs.nixseparatedebuginfod.nixosModules.default
+ inputs.lanzaboote.nixosModules.lanzaboote
 ];
 age.identityPaths = ["/state/etc/ssh/ssh_host_ed25519_key"];
 }
diff --git a/modules/config/system.nix b/modules/config/system.nix
index 0a72e83..ef7ed30 100644
--- a/modules/config/system.nix
+++ b/modules/config/system.nix
@@ -23,10 +23,17 @@
 security.sudo.enable = false;
 security.tpm2 = {
 enable = true;
- abrmd.enable = true;
 pkcs11.enable = true;
- tctiEnvironment.enable = true;
 };
+ # Just before switching, remove the agenix directory if it exists.
+ # This can happen when a secret is used in the initrd because it will
+ # then be copied to the initramfs under the same path. This materializes
+ # /run/agenix as a directory which will cause issues when the actual system tries
+ # to create a link called /run/agenix. Agenix should probably fail in this case,
+ # but doesn't and instead puts the generation link into the existing directory.
+ # TODO See https://github.com/ryantm/agenix/pull/187.
+ system.activationScripts.removeAgenixLink.text = "[[ ! -L /run/agenix ]] && [[ -d /run/agenix ]] && rm -rf /run/agenix";
+ system.activationScripts.agenixNewGeneration.deps = ["removeAgenixLink"];
 time.timeZone = lib.mkDefault "Europe/Berlin";
 i18n.defaultLocale = "C.UTF-8";
diff --git a/modules/optional/secureboot.nix b/modules/optional/secureboot.nix
new file mode 100644
index 0000000..32ed161
--- /dev/null
+++ b/modules/optional/secureboot.nix
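Review bot: The two removed TPM options in modules/config/system.nix, `abrmd.enable = true;` and `tctiEnvironment.enable = true;`, have nothing to do with the agenix workaround the rest of the hunk adds, and neither the hunk nor the commit says why they go; a short comment above `security.tpm2 = {` such as `# abrmd and TCTI environment disabled: <reason>` (or a separate commit) would keep that decision traceable. The `removeAgenixLink` script `[[ ! -L /run/agenix ]] && [[ -d /run/agenix ]] && rm -rf /run/agenix` exits non-zero in the common case where `/run/agenix` is already the expected symlink, because the first test fails and ends the chain; if the activation-script runner records a snippet's non-zero status as a failure, this will be reported on every normal switch. Writing it as `if [[ ! -L /run/agenix && -d /run/agenix ]]; then rm -rf /run/agenix; fi` exits zero when there is nothing to do and reads as the guarded cleanup it is.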
@@ -0,0 +1,32 @@
+{
+ pkgs,
+ lib,
+ config,
+ ...
+}: {
+ environment.systemPackages = [
+ # For debugging and troubleshooting Secure Boot.
+ pkgs.sbctl
+ ];
+ age.secrets.secureboot.rekeyFile = ../../hosts/${config.node.name}/secrets/secureboot.tar.age;
+ system.activationScripts.securebootuntar = {
+ text = ''
+ rm -r /run/secureboot || true
+ mkdir -p /run/secureboot
+ ${pkgs.gnutar}/bin/tar xf ${config.age.secrets.secureboot.path} -C /run/secureboot || true
+ '';
+ deps = ["agenix"];
+ };
+
+ # Lanzaboote currently replaces the systemd-boot module.
+ # This setting is usually set to true in configuration.nix
+ # generated at installation time. So we force it to false
+ # for now.
+ boot.loader.systemd-boot.enable = lib.mkForce false;
+
+ boot.lanzaboote = {
+ enable = true;
+ enrollKeys = true;
+ pkiBundle = "/run/secureboot";
+ };
+}
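Review bot: `mkdir -p /run/secureboot` creates the directory that receives the Secure Boot PKI bundle — the material `boot.lanzaboote.pkiBundle` points at, which is kept as an age secret precisely because it holds the signing keys — with the process's default mode, and the following `tar xf` restores whatever modes the archive stores, so the extracted keys are only as protected as the archive happened to be packed. Creating the directory with an explicit mode, `mkdir -p -m 0700 /run/secureboot`, makes the contents root-only regardless of the archive. The `|| true` on the `tar xf` line also hides a missing or corrupt bundle and leaves an empty `/run/secureboot` for lanzaboote to fail on later with a less obvious error; dropping it on that line (the `rm -r ... || true` above is fine, since the directory may not exist yet) surfaces the real cause during activation. It is also worth confirming that the bootloader installer, which consumes `pkiBundle`, runs after this activation script during a switch; if it runs before, the bundle would not yet be present on the first switch.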