From a9442f038d5519db82569b836611bedeb7ffc96d Mon Sep 17 00:00:00 2001 From: Rouven Seifert Date: Wed, 31 May 2023 13:23:49 +0200 Subject: [PATCH] configured secureboot --- flake.lock | 228 ++++++++++++++++++++++++++++++++++++- flake.nix | 9 +- hosts/nuc/default.nix | 2 + hosts/thinkpad/default.nix | 13 ++- pkgs/circuitjs/default.nix | 72 ------------ users/rouven/default.nix | 1 + 6 files changed, 249 insertions(+), 76 deletions(-) delete mode 100644 pkgs/circuitjs/default.nix diff --git a/flake.lock b/flake.lock index fbb70df..7077b97 100644 --- a/flake.lock +++ b/flake.lock @@ -32,7 +32,56 @@ "type": "gitlab" } }, + "crane": { + "inputs": { + "flake-compat": [ + "lanzaboote", + "flake-compat" + ], + "flake-utils": [ + "lanzaboote", + "flake-utils" + ], + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ], + "rust-overlay": [ + "lanzaboote", + "rust-overlay" + ] + }, + "locked": { + "lastModified": 1683505101, + "narHash": "sha256-VBU64Jfu2V4sUR5+tuQS9erBRAe/QEYUxdVMcJGMZZs=", + "owner": "ipetkov", + "repo": "crane", + "rev": "7b5bd9e5acb2bb0cfba2d65f34d8568a894cdb6c", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { "flake": false, "locked": { "lastModified": 1668681692, 
@@ -48,6 +97,67 @@ "type": "github" } }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1683560683, + "narHash": "sha256-XAygPMN5Xnk/W2c1aW0jyEa6lfMDZWlQgiNtmHXytPc=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "006c75898cf814ef9497252b022e91c946ba8e17", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1681202837, + "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "cfacdce06f30d2b68473a46042957675eebb3401", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "pre-commit-hooks-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1660459072, + "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ 
@@ -145,6 +255,32 @@ "type": "github" } }, + "lanzaboote": { + "inputs": { + "crane": "crane", + "flake-compat": "flake-compat", + "flake-parts": "flake-parts", + "flake-utils": "flake-utils", + "nixpkgs": [ + "nixpkgs" + ], + "pre-commit-hooks-nix": "pre-commit-hooks-nix", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1685349926, + "narHash": "sha256-c1rKI1glJWdJIPefp9aiyhAkEZ4Sc6Rh/J5VumEXu1M=", + "owner": "nix-community", + "repo": "lanzaboote", + "rev": "2e62c11babeead4b26efbb7f2cd4488baaa2e897", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "lanzaboote", + "type": "github" + } + }, "nix-colors": { "inputs": { "base16-schemes": "base16-schemes", @@ -245,6 +381,22 @@ } }, "nixpkgs-stable": { + "locked": { + "lastModified": 1678872516, + "narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "9b8e5abb18324c7fe9f07cb100c3cd4a29cda8b8", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-22.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable_2": { "locked": { "lastModified": 1685215858, "narHash": "sha256-IRMFoDXA6cYx3ifVw3B2JcC4JrjT5v7tRAx2vro2Ffs=", @@ -275,6 +427,37 @@ "type": "indirect" } }, + "pre-commit-hooks-nix": { + "inputs": { + "flake-compat": [ + "lanzaboote", + "flake-compat" + ], + "flake-utils": [ + "lanzaboote", + "flake-utils" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1682596858, + "narHash": "sha256-Hf9XVpqaGqe/4oDGr30W8HlsWvJXtMsEPHDqHZA6dDg=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "fb58866e20af98779017134319b5663b8215d912", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "purge": { "inputs": { "nixpkgs": [ 
@@ -300,6 +483,7 @@ "home-manager": "home-manager", "hyprland": "hyprland", "impermanence": "impermanence", + "lanzaboote": "lanzaboote", "nix-colors": "nix-colors", "nix-index-database": "nix-index-database", "nixos-hardware": "nixos-hardware", @@ -310,10 +494,35 @@ "trucksimulatorbot": "trucksimulatorbot" } }, + "rust-overlay": { + "inputs": { + "flake-utils": [ + "lanzaboote", + "flake-utils" + ], + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1684030847, + "narHash": "sha256-z4tOxaN9Cl8C80u6wyZBpPt9A9MbL21fZ3zdB/vG+AU=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "aa1480f16bec7dda3c62b8cdb184c7e823331ba2", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "simple-nixos-mailserver": { "inputs": { "blobs": "blobs", - "flake-compat": "flake-compat", + "flake-compat": "flake-compat_2", "nixpkgs": [ "nixpkgs" ], @@ -339,7 +548,7 @@ "nixpkgs": [ "nixpkgs" ], - "nixpkgs-stable": "nixpkgs-stable" + "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { "lastModified": 1685434555, @@ -354,6 +563,21 @@ "type": "indirect" } }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "trucksimulatorbot": { "inputs": { "images": "images", diff --git a/flake.nix b/flake.nix index 850bd06..1f3686a 100644 --- a/flake.nix +++ b/flake.nix @@ -32,6 +32,11 @@ inputs.nixpkgs.follows = "nixpkgs"; }; + lanzaboote = { + url = "github:nix-community/lanzaboote"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + simple-nixos-mailserver = { url = "gitlab:simple-nixos-mailserver/nixos-mailserver"; inputs.nixpkgs.follows = "nixpkgs"; 
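Review bot: The new `lanzaboote` input in flake.nix tracks the repository's default branch with no ref, so although flake.lock pins it to rev 2e62c11babeead4b26efbb7f2cd4488baaa2e897, the next `nix flake update` moves the Secure Boot signing tool to whatever HEAD is at that moment. For a component that produces every boot image the firmware will trust, pin a reviewed tag or commit in the URL, e.g. `url = "github:nix-community/lanzaboote/<reviewed-tag-or-rev>";`, and bump it deliberately. The other inputs are unpinned in the same way, but this one sits directly in the boot chain.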
@@ -49,6 +54,7 @@
 , impermanence
 , nix-colors
 , nixos-hardware
+ , lanzaboote
 , purge
 , trucksimulatorbot
 , simple-nixos-mailserver
@@ -56,7 +62,6 @@
 }@attrs: {
 packages.x86_64-linux.iso = self.nixosConfigurations.iso.config.system.build.isoImage;
 packages.x86_64-linux.jmri = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/jmri { };
- packages.x86_64-linux.circuitjs = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/circuitjs { };
 hydraJobs = self.packages;
 formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt;
 nixosConfigurations = {
@@ -72,6 +77,7 @@
 sops-nix.nixosModules.sops
 nix-index-database.nixosModules.nix-index
 impermanence.nixosModules.impermanence
+ lanzaboote.nixosModules.lanzaboote
 {
 home-manager.extraSpecialArgs = attrs;
 home-manager.users.rouven = {
@@ -91,6 +97,7 @@
 nixos-hardware.nixosModules.intel-nuc-8i7beh
 nix-index-database.nixosModules.nix-index
 impermanence.nixosModules.impermanence
+ lanzaboote.nixosModules.lanzaboote
 ./hosts/nuc
 ./shared
 sops-nix.nixosModules.sops
diff --git a/hosts/nuc/default.nix b/hosts/nuc/default.nix
index e77fe6d..0b22322 100644
--- a/hosts/nuc/default.nix
+++ b/hosts/nuc/default.nix
@@ -30,6 +30,7 @@
 directories = [
 "/etc/nixos"
 "/etc/ssh"
+ "/etc/secureboot"
 ];
 files = [
 "/etc/machine-id"
@@ -53,6 +54,7 @@
 htop-vim
 helix
 lsof
+ sbctl
 ];
 programs.git = {
 enable = true;
diff --git a/hosts/thinkpad/default.nix b/hosts/thinkpad/default.nix
index e5b792a..a63a522 100755
--- a/hosts/thinkpad/default.nix
+++ b/hosts/thinkpad/default.nix
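Review bot: hosts/nuc/default.nix now persists `/etc/secureboot` and installs `sbctl`, and the flake.nix hunk at `@@ -91,6 +97,7 @@` imports `lanzaboote.nixosModules.lanzaboote` for the nuc, but nothing in this commit sets `boot.lanzaboote.enable` for that host, so the nuc keeps booting unsigned through systemd-boot while looking Secure-Boot-ready. If that is intentional staging, a one-line comment on the new entry, `"/etc/secureboot" # sbctl keys only; lanzaboote not yet enabled on this host`, would say so; otherwise the `boot.lanzaboote` block from hosts/thinkpad/default.nix belongs here as well. The nuc's boot section is outside these hunks, so it may already be configured elsewhere in the file.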
@@ -12,7 +12,16 @@
 # Use the systemd-boot EFI boot loader.
 boot = {
- loader.systemd-boot.enable = true;
+ # Lanzaboote currently replaces the systemd-boot module.
+ # This setting is usually set to true in configuration.nix
+ # generated at installation time. So we force it to false
+ # for now.
+ loader.systemd-boot.enable = lib.mkForce false;
+ lanzaboote = {
+ enable = true;
+ pkiBundle = "/etc/secureboot";
+ configurationLimit = 10;
+ };
 loader.systemd-boot.editor = false;
 loader.efi.canTouchEfiVariables = true;
 kernelPackages = pkgs.linuxPackages_latest;
@@ -27,6 +36,7 @@
 directories = [
 "/etc/nixos" # bind mounted from /nix/persist/system/etc/nixos to /etc/nixos
 "/etc/ssh"
+ "/etc/secureboot"
 ];
 files = [
 "/etc/machine-id"
@@ -179,6 +189,7 @@
 unzip
 virt-viewer # multi monitor for vms
+ sbctl
 ];
 programs.java.enable = true;
diff --git a/pkgs/circuitjs/default.nix b/pkgs/circuitjs/default.nix
deleted file mode 100644
index 9636efe..0000000
--- a/pkgs/circuitjs/default.nix
+++ /dev/null
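Review bot: `loader.systemd-boot.enable = lib.mkForce false;` needs `lib` among the module's arguments, and the module header is outside this hunk, so confirm it reads `{ config, pkgs, lib, ... }:` or the rebuild fails on an undefined variable. More importantly, `pkiBundle = "/etc/secureboot"` points at the directory sbctl fills with the Secure Boot keys, including the private signing keys, and the persistence hunk below keeps it on the same machine those keys protect: whoever can read them can sign an image the firmware will accept, so the value of this change rests on the persisted copy staying root-only and out of backups and version control. That is worth stating on the new entry, e.g. `"/etc/secureboot" # sbctl PKI bundle with private signing keys: keep root-only, never commit or back up unencrypted`. Keeping `loader.systemd-boot.editor = false` alongside is the right call, since an editable kernel command line would undercut the signed image.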
@@ -1,72 +0,0 @@
-{ stdenv, fetchurl, makeWrapper, wrapGAppsHook, lib, libX11, libXext, gtk3-x11, dbus, nspr, alsa-lib, glib, expat, gdk-pixbuf, mesa, xorg, nss, cups, ffmpeg, cairo, pango, atk, libdrm, ... }:
-stdenv.mkDerivation rec {
- pname = "circuitjs";
- version = "2.8.0";
-
- src = fetchurl {
- url = "https://www.falstad.com/circuit/offline/circuitjs1-linux64.tgz";
- hash = "sha256-dyIEuDA7FRwHCok41wcJAr8eqksJSOdChafPPh0Q3zM=";
- };
-
- nativeBuildInputs = [ makeWrapper wrapGAppsHook ];
-
- sourceRoot = ".";
- dontBuild = true;
- dontStrip = true;
- dontPatchELF = true;
- libPath = lib.makeLibraryPath [
- libX11
- libXext
- alsa-lib
- xorg.libXi
- xorg.libXrender
- xorg.libXfixes
- xorg.libXtst
- xorg.libXcomposite
- xorg.libXcursor
- xorg.libXrandr
- xorg.libXdamage
- xorg.libxcb
- xorg.libXScrnSaver
- nss
- ffmpeg.lib
- cups
- pango
- cairo
- nspr
- atk
- libdrm
- glib
- dbus
- gtk3-x11
- mesa
- expat
- gdk-pixbuf
- ];
-
- # wrapProgramShell $out/opt/circuitjs1 \
- # "''${gappsWrapperArgs[@]}" \
- # --prefix LD_LIBRARY_PATH : ${libPath}:$out/lib \
- installPhase = ''
- mkdir -p $out/
- cp -r circuitjs1 $out/opt
- mkdir -p $out/lib
- cp circuitjs1/lib* $out/lib
- mkdir -p $out/bin
- ln -sf $out/opt/circuitjs1 $out/bin/circuitjs1
-
- patchelf \
- --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \
- --set-rpath "${libPath}":$out/lib \
- $out/bin/circuitjs1
- '';
-
- meta = with lib; {
- # inherit homepage;
- description = "Falstad circuit simulator";
- sourceProvenance = with sourceTypes; [ binaryNativeCode ];
- # license = licenses.unfree;
- platforms = platforms.linux;
- maintainers = [ maintainers.therealr5 ];
- };
-}
diff --git a/users/rouven/default.nix b/users/rouven/default.nix
index c27aa2a..447d064 100644
--- a/users/rouven/default.nix
+++ b/users/rouven/default.nix
@@ -3,6 +3,7 @@
 imports = [ ./fixes.nix ];
 nixpkgs.config.allowUnfree = true;
 users.users.rouven = {
+ description = "Rouven Seifert";
 isNormalUser = true;
 extraGroups = [ "wheel" "video" "libvirtd" ];
 initialHashedPassword = "$6$X3XERQv28Nt1UUT5$MjdMBDuXyEwexkuKqmNFweez69q4enY5cjMXSbBxOc6Bq7Fhhp7OqmCm02k3OGjoZFXzPV9ZHuMSGKZOtwYIk1";