From 121653cf1e6ae5e2f523bfa1d8c05ceb3662ab27 Mon Sep 17 00:00:00 2001 From: Jimbo Date: Mon, 7 Oct 2024 23:05:46 -0400 Subject: [PATCH] Add changes for secure boot and how mounts happen --- flake.lock | 219 +++++++++++++++++- flake.nix | 8 + system/hosts/JimDesktop/configuration.nix | 2 +- .../JimDesktop/hardware-configuration.nix | 53 +++-- system/modules/lanzaboote.nix | 6 + 5 files changed, 261 insertions(+), 27 deletions(-) create mode 100644 system/modules/lanzaboote.nix diff --git a/flake.lock b/flake.lock index 5081499..98ba869 100644 --- a/flake.lock +++ b/flake.lock @@ -33,6 +33,27 @@ "type": "gitlab" } }, + "crane": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1717535930, + "narHash": "sha256-1hZ/txnbd/RmiBPNUs7i8UQw2N89uAK3UzrGAWdnFfU=", + "owner": "ipetkov", + "repo": "crane", + "rev": "55e7754ec31dac78980c8be45f8a28e80e370946", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, "flake-compat": { "flake": false, "locked": { @@ -50,6 +71,22 @@ } }, "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_3": { "flake": false, "locked": { "lastModified": 1673956053, 
@@ -65,9 +102,48 @@ "type": "github" } }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1717285511, + "narHash": "sha256-iKzJcpdXih14qYVcZ9QC9XuZYnPc6T8YImb6dX166kw=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "2a55567fcf15b1b1c7ed712a2c6fadaec7412ea8", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, "flake-utils": { "inputs": { - "systems": "systems_2" + "systems": "systems" + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { + "inputs": { + "systems": "systems_3" }, "locked": { "lastModified": 1681202837, @@ -83,6 +159,28 @@ "type": "github" } }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "pre-commit-hooks-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, "hardware": { "locked": { "lastModified": 1727665282, 
@@ -120,10 +218,37 @@ "type": "github" } }, + "lanzaboote": { + "inputs": { + "crane": "crane", + "flake-compat": "flake-compat", + "flake-parts": "flake-parts", + "flake-utils": "flake-utils", + "nixpkgs": [ + "nixpkgs" + ], + "pre-commit-hooks-nix": "pre-commit-hooks-nix", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1718178907, + "narHash": "sha256-eSZyrQ9uoPB9iPQ8Y5H7gAmAgAvCw3InStmU3oEjqsE=", + "owner": "nix-community", + "repo": "lanzaboote", + "rev": "b627ccd97d0159214cee5c7db1412b75e4be6086", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "v0.4.1", + "repo": "lanzaboote", + "type": "github" + } + }, "mailserver": { "inputs": { "blobs": "blobs", - "flake-compat": "flake-compat", + "flake-compat": "flake-compat_2", "nixpkgs": "nixpkgs_2", "nixpkgs-24_05": "nixpkgs-24_05", "utils": "utils" @@ -145,8 +270,8 @@ }, "minecraft": { "inputs": { - "flake-compat": "flake-compat_2", - "flake-utils": "flake-utils", + "flake-compat": "flake-compat_3", + "flake-utils": "flake-utils_2", "nixpkgs": "nixpkgs_3" }, "locked": { @@ -192,6 +317,22 @@ "type": "indirect" } }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1710695816, + "narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "614b4613980a522ba49f0d194531beddbb7220d3", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs-unstable": { "locked": { "lastModified": 1727348695, 
@@ -270,11 +411,39 @@ "type": "github" } }, + "pre-commit-hooks-nix": { + "inputs": { + "flake-compat": [ + "lanzaboote", + "flake-compat" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1717664902, + "narHash": "sha256-7XfBuLULizXjXfBYy/VV+SpYMHreNRHk9nKMsm1bgb4=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "cc4d466cb1254af050ff7bdf47f6d404a7c646d1", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "root": { "inputs": { "blender-bin": "blender-bin", "hardware": "hardware", "home-manager": "home-manager", + "lanzaboote": "lanzaboote", "mailserver": "mailserver", "minecraft": "minecraft", "nixpkgs": "nixpkgs_4", @@ -282,6 +451,31 @@ "nur": "nur" } }, + "rust-overlay": { + "inputs": { + "flake-utils": [ + "lanzaboote", + "flake-utils" + ], + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1717813066, + "narHash": "sha256-wqbRwq3i7g5EHIui0bIi84mdqZ/It1AXBSLJ5tafD28=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "6dc3e45fe4aee36efeed24d64fc68b1f989d5465", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "systems": { "locked": { "lastModified": 1681028828, @@ -312,9 +506,24 @@ "type": "github" } }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "utils": { "inputs": { - "systems": "systems" + "systems": "systems_2" }, "locked": { "lastModified": 1709126324, diff --git a/flake.nix b/flake.nix index 0b46cb3..e313862 100644 --- a/flake.nix +++ b/flake.nix 
@@ -11,6 +11,12 @@
 minecraft.url = "github:Infinidoge/nix-minecraft";
 hardware.url = "github:nixos/nixos-hardware/master";
 
+# Secure boot
+lanzaboote = {
+url = "github:nix-community/lanzaboote/v0.4.1";
+inputs.nixpkgs.follows = "nixpkgs";
+};
+
 # Home manager
 home-manager = {
 url = "github:nix-community/home-manager/release-24.05";
@@ -26,6 +32,7 @@
 mailserver,
 blender-bin,
 hardware,
+lanzaboote,
 home-manager,
 ...
 } @inputs: let
@@ -56,6 +63,7 @@
 specialArgs = {inherit inputs outputs;};
 modules = [
 ./system/hosts/JimDesktop/configuration.nix
+lanzaboote.nixosModules.lanzaboote
 ];
 };
 JimServer = nixpkgs.lib.nixosSystem {
diff --git a/system/hosts/JimDesktop/configuration.nix b/system/hosts/JimDesktop/configuration.nix
index 3e53a5c..ce9c0e9 100644
--- a/system/hosts/JimDesktop/configuration.nix
+++ b/system/hosts/JimDesktop/configuration.nix
@@ -24,7 +24,7 @@
 
 # Hardware
 ./hardware-configuration.nix
-./../../modules/systemdboot.nix
+./../../modules/lanzaboote.nix
 ./../../modules/opengl.nix
 ./../../modules/filesystems.nix
 ./../../modules/nvidia.nix
diff --git a/system/hosts/JimDesktop/hardware-configuration.nix b/system/hosts/JimDesktop/hardware-configuration.nix
index 7e621d9..7dc5a62 100644
--- a/system/hosts/JimDesktop/hardware-configuration.nix
+++ b/system/hosts/JimDesktop/hardware-configuration.nix
@@ -22,9 +22,7 @@ in {
 (modulesPath + "/installer/scan/not-detected.nix")
 ];
 
-# Set all boot options
 boot = {
-# Set a kernel version and load/blacklist drivers
 kernelPackages = pkgs.unstable.linuxPackages_zen;
 blacklistedKernelModules = [
 "pcspkr"
@@ -48,6 +46,9 @@ in {
 "vfio_iommu_type1"
 "kvm-amd"
 ];
+
+# Encryption and TPM
+systemd.enable = true;
 luks.devices = {
 "crypt-ssd" = {
 device = "/dev/disk/by-uuid/52110c74-19b6-40ef-9710-e6c9b157005f";
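Review bot: The `# Encryption and TPM` comment above `systemd.enable = true;` promises more than the hunk delivers: the systemd stage-1 initrd is only the prerequisite for TPM2 unlocking, and nothing here enrolls the TPM or adds `crypttabExtraOpts = [ "tpm2-device=auto" ];` to `crypt-ssd` (its entry continues past the hunk, as does the enclosing `boot.initrd` set that the sibling `luks.devices` implies). If the TPM is enrolled out of band with `systemd-cryptenroll`, bind the policy to PCR 7 (Secure Boot state) rather than PCR 0/2/4, so a kernel signed by the Lanzaboote key keeps unlocking across rebuilds while a boot with Secure Boot disabled does not, and keep a passphrase keyslot as recovery. Enrolling the custom Secure Boot keys changes PCR 7, so TPM enrollment has to happen after `sbctl enroll-keys` or the slot must be re-enrolled. I would make the comment state what is actually configured: `# systemd stage-1 initrd; needed for TPM2-backed LUKS unlock (enrollment is done out of band)`.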
@@ -61,7 +62,7 @@ in {
 # Additional entry to boot from the second GPU
 specialisation = {
 gputwo.configuration = {
-boot.kernelParams = commonKernelParams ++ ["vfio-pci.ids=10de:2504,10de:228e"];
+boot.kernelParams = commonKernelParams ++ [ "vfio-pci.ids=10de:2504,10de:228e" ];
 };
 };
 
@@ -92,8 +93,33 @@ in {
 fsType = "vfat";
 options = [ "fmask=0022" "dmask=0022" ];
 };
+
+# Games and such
+"/mnt/Linux1" = {
+device = "/dev/disk/by-uuid/b2901f8c-ffda-4b88-bb63-a9ea0c96ccb4";
+options = [ "nosuid" "nodev" "nofail" "x-gvfs-show" ];
+};
+"/mnt/Linux2" = {
+device = "/dev/disk/by-uuid/f08e4f38-162c-402f-ba2a-5925151b78bf";
+options = [ "nosuid" "nodev" "nofail" "x-gvfs-show" ];
+};
+"/mnt/Windows1" = {
+device = "/dev/disk/by-uuid/10BC97B2BC979138";
+options = [ "nosuid" "nodev" "noauto" ];
+};
+"/mnt/Windows2" = {
+device = "/dev/disk/by-uuid/0A5A3420237C863A";
+options = [ "nosuid" "nodev" "noauto" ];
+};
+
+# Miscellaneous mounts
 "/etc/libvirt" = {
-device = "/dev/disk/by-label/Qemu";
+device = "/dev/disk/by-uuid/f18a0302-9914-471d-828c-85ab1a67a8be";
+options = [ "nosuid" "nodev" "nofail" ];
+};
+"/etc/libvirt/VMs/Bulk" = {
+depends = [ "/etc/libvirt" ];
+device = "/dev/disk/by-uuid/3eb36c3e-81ac-4281-89f0-c89242d88dd6";
 options = [ "nosuid" "nodev" "nofail" ];
 };
 "/var/lib/libvirt" = {
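Review bot: `nofail` on the new `/etc/libvirt` entry means a missing or re-formatted `f18a0302-…` disk no longer stops the boot, so libvirtd would come up against an empty `/etc/libvirt` on the root filesystem and the `/var/lib/libvirt` bind of `/etc/libvirt/varlibvirt` (its definition continues past the hunk) would either fail or bind an empty directory; for the directory that holds libvirt's configuration and VM images I would drop `nofail` here, keeping it only on the `VMs/Bulk` submount, or at least add a comment saying that booting without it is intended. Moving from `by-label` to `by-uuid` is a real improvement: a label is chosen by whoever formats a disk, so previously any attached volume labelled `Qemu` could have been mounted over `/etc/libvirt`. The two NTFS mounts get `nosuid nodev` but not `noexec`; nothing on a Windows volume needs to be executed from Linux, so `options = [ "nosuid" "nodev" "noexec" "noauto" ];` is a cheap hardening for `/mnt/Windows1` and `/mnt/Windows2`.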
@@ -101,22 +127,8 @@ in { device = "/etc/libvirt/varlibvirt"; options = [ "bind" "rw" ]; }; - "/mnt/Linux1" = { - device = "/dev/disk/by-label/Linux1"; - options = [ "nosuid" "nodev" "nofail" "x-gvfs-show" ]; - }; - "/mnt/Linux2" = { - device = "/dev/disk/by-label/Linux2"; - options = [ "nosuid" "nodev" "nofail" "x-gvfs-show" ]; - }; - "/mnt/Windows1" = { - device = "/dev/disk/by-label/Windows1"; - options = [ "nosuid" "nodev" "noauto" ]; - }; - "/mnt/Windows2" = { - device = "/dev/disk/by-label/Windows2"; - options = [ "nosuid" "nodev" "noauto" ]; - }; + + # Network mounts "/home/jimbo/JimboNFS" = { device = "${outputs.ips.server}:/export/JimboNFS"; fsType = "nfs4"; @@ -131,7 +143,6 @@ in { # Enables DHCP on each ethernet and wireless interface. networking.useDHCP = lib.mkDefault true; - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; } diff --git a/system/modules/lanzaboote.nix b/system/modules/lanzaboote.nix new file mode 100644 index 0000000..26dcb01 --- /dev/null +++ b/system/modules/lanzaboote.nix @@ -0,0 +1,6 @@ +{ + boot.lanzaboote = { + enable = true; + pkiBundle = "/etc/secureboot"; + }; +}
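Review bot: The new `lanzaboote.nix` module enables Lanzaboote but never forces the stock loader off; Lanzaboote's setup instructions pair `boot.lanzaboote.enable = true` with `boot.loader.systemd-boot.enable = lib.mkForce false;`, and the only thing this commit removes is the `modules/systemdboot.nix` import in `configuration.nix`, so any other shared module that still enables systemd-boot would collide with the `boot.loader.external` hook Lanzaboote installs. I would take `lib` in the module header (`{ lib, ... }: {`) and add the `mkForce false` line next to `enable = true;` so the intent survives future imports. `pkiBundle = "/etc/secureboot"` points at the directory holding the Secure Boot private signing keys; it must stay root-only and never be copied into the Nix store or a world-readable backup, because anyone who can read `db.key` can sign arbitrary boot images for this machine. Since this host also mounts Windows volumes and loads the NVIDIA driver, custom keys should be enrolled alongside Microsoft's certificates (`sbctl enroll-keys --microsoft`), or the Windows boot manager and the GPU option ROM will be refused; a comment like `# keys from sbctl create-keys, enrolled with --microsoft to keep Windows and option ROMs bootable` would record that decision.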