Add changes for secure boot and how mounts happen

This commit is contained in:
Jimbo 2024-10-07 23:05:46 -04:00
parent 796bdd1a42
commit 121653cf1e
5 changed files with 261 additions and 27 deletions


@ -33,6 +33,27 @@
"type": "gitlab" "type": "gitlab"
} }
}, },
"crane": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1717535930,
"narHash": "sha256-1hZ/txnbd/RmiBPNUs7i8UQw2N89uAK3UzrGAWdnFfU=",
"owner": "ipetkov",
"repo": "crane",
"rev": "55e7754ec31dac78980c8be45f8a28e80e370946",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -50,6 +71,22 @@
} }
}, },
"flake-compat_2": { "flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_3": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1673956053, "lastModified": 1673956053,
@ -65,9 +102,48 @@
"type": "github" "type": "github"
} }
}, },
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1717285511,
"narHash": "sha256-iKzJcpdXih14qYVcZ9QC9XuZYnPc6T8YImb6dX166kw=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "2a55567fcf15b1b1c7ed712a2c6fadaec7412ea8",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-utils": { "flake-utils": {
"inputs": { "inputs": {
"systems": "systems_2" "systems": "systems"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems_3"
}, },
"locked": { "locked": {
"lastModified": 1681202837, "lastModified": 1681202837,
@ -83,6 +159,28 @@
"type": "github" "type": "github"
} }
}, },
"gitignore": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"pre-commit-hooks-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"hardware": { "hardware": {
"locked": { "locked": {
"lastModified": 1727665282, "lastModified": 1727665282,
@ -120,10 +218,37 @@
"type": "github" "type": "github"
} }
}, },
"lanzaboote": {
"inputs": {
"crane": "crane",
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
],
"pre-commit-hooks-nix": "pre-commit-hooks-nix",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1718178907,
"narHash": "sha256-eSZyrQ9uoPB9iPQ8Y5H7gAmAgAvCw3InStmU3oEjqsE=",
"owner": "nix-community",
"repo": "lanzaboote",
"rev": "b627ccd97d0159214cee5c7db1412b75e4be6086",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "v0.4.1",
"repo": "lanzaboote",
"type": "github"
}
},
"mailserver": { "mailserver": {
"inputs": { "inputs": {
"blobs": "blobs", "blobs": "blobs",
"flake-compat": "flake-compat", "flake-compat": "flake-compat_2",
"nixpkgs": "nixpkgs_2", "nixpkgs": "nixpkgs_2",
"nixpkgs-24_05": "nixpkgs-24_05", "nixpkgs-24_05": "nixpkgs-24_05",
"utils": "utils" "utils": "utils"
@ -145,8 +270,8 @@
}, },
"minecraft": { "minecraft": {
"inputs": { "inputs": {
"flake-compat": "flake-compat_2", "flake-compat": "flake-compat_3",
"flake-utils": "flake-utils", "flake-utils": "flake-utils_2",
"nixpkgs": "nixpkgs_3" "nixpkgs": "nixpkgs_3"
}, },
"locked": { "locked": {
@ -192,6 +317,22 @@
"type": "indirect" "type": "indirect"
} }
}, },
"nixpkgs-stable": {
"locked": {
"lastModified": 1710695816,
"narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "614b4613980a522ba49f0d194531beddbb7220d3",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1727348695, "lastModified": 1727348695,
@ -270,11 +411,39 @@
"type": "github" "type": "github"
} }
}, },
"pre-commit-hooks-nix": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"gitignore": "gitignore",
"nixpkgs": [
"lanzaboote",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1717664902,
"narHash": "sha256-7XfBuLULizXjXfBYy/VV+SpYMHreNRHk9nKMsm1bgb4=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "cc4d466cb1254af050ff7bdf47f6d404a7c646d1",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"blender-bin": "blender-bin", "blender-bin": "blender-bin",
"hardware": "hardware", "hardware": "hardware",
"home-manager": "home-manager", "home-manager": "home-manager",
"lanzaboote": "lanzaboote",
"mailserver": "mailserver", "mailserver": "mailserver",
"minecraft": "minecraft", "minecraft": "minecraft",
"nixpkgs": "nixpkgs_4", "nixpkgs": "nixpkgs_4",
@ -282,6 +451,31 @@
"nur": "nur" "nur": "nur"
} }
}, },
"rust-overlay": {
"inputs": {
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1717813066,
"narHash": "sha256-wqbRwq3i7g5EHIui0bIi84mdqZ/It1AXBSLJ5tafD28=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "6dc3e45fe4aee36efeed24d64fc68b1f989d5465",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"systems": { "systems": {
"locked": { "locked": {
"lastModified": 1681028828, "lastModified": 1681028828,
@ -312,9 +506,24 @@
"type": "github" "type": "github"
} }
}, },
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"utils": { "utils": {
"inputs": { "inputs": {
"systems": "systems" "systems": "systems_2"
}, },
"locked": { "locked": {
"lastModified": 1709126324, "lastModified": 1709126324,


@ -11,6 +11,12 @@
minecraft.url = "github:Infinidoge/nix-minecraft"; minecraft.url = "github:Infinidoge/nix-minecraft";
hardware.url = "github:nixos/nixos-hardware/master"; hardware.url = "github:nixos/nixos-hardware/master";
# Secure boot
lanzaboote = {
url = "github:nix-community/lanzaboote/v0.4.1";
inputs.nixpkgs.follows = "nixpkgs";
};
# Home manager # Home manager
home-manager = { home-manager = {
url = "github:nix-community/home-manager/release-24.05"; url = "github:nix-community/home-manager/release-24.05";
@ -26,6 +32,7 @@
mailserver, mailserver,
blender-bin, blender-bin,
hardware, hardware,
lanzaboote,
home-manager, home-manager,
... ...
} @inputs: let } @inputs: let
@ -56,6 +63,7 @@
specialArgs = {inherit inputs outputs;}; specialArgs = {inherit inputs outputs;};
modules = [ modules = [
./system/hosts/JimDesktop/configuration.nix ./system/hosts/JimDesktop/configuration.nix
lanzaboote.nixosModules.lanzaboote
]; ];
}; };
JimServer = nixpkgs.lib.nixosSystem { JimServer = nixpkgs.lib.nixosSystem {
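Review bot: `lanzaboote.nixosModules.lanzaboote` is wired into the module list of JimDesktop only, while the option it defines is set in `modules/lanzaboote.nix`, which the host's configuration.nix hunk imports separately; any other host that later picks up `modules/lanzaboote.nix` without the flake-level entry fails evaluation with an undefined `boot.lanzaboote` option. Since `specialArgs` already passes `inputs`, the coupling can live in one place by having `modules/lanzaboote.nix` import the upstream module itself: `imports = [ inputs.lanzaboote.nixosModules.lanzaboote ];` with `inputs` added to its argument set, and the entry on the flake side dropped. The `# Secure boot` comment on the input could also state whether the pin to `v0.4.1` is deliberate, so a later `nix flake update` reviewer knows it is not meant to float with the others.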


@ -24,7 +24,7 @@
# Hardware # Hardware
./hardware-configuration.nix ./hardware-configuration.nix
./../../modules/systemdboot.nix ./../../modules/lanzaboote.nix
./../../modules/opengl.nix ./../../modules/opengl.nix
./../../modules/filesystems.nix ./../../modules/filesystems.nix
./../../modules/nvidia.nix ./../../modules/nvidia.nix


@ -22,9 +22,7 @@ in {
(modulesPath + "/installer/scan/not-detected.nix") (modulesPath + "/installer/scan/not-detected.nix")
]; ];
# Set all boot options
boot = { boot = {
# Set a kernel version and load/blacklist drivers
kernelPackages = pkgs.unstable.linuxPackages_zen; kernelPackages = pkgs.unstable.linuxPackages_zen;
blacklistedKernelModules = [ blacklistedKernelModules = [
"pcspkr" "pcspkr"
@ -48,6 +46,9 @@ in {
"vfio_iommu_type1" "vfio_iommu_type1"
"kvm-amd" "kvm-amd"
]; ];
# Encryption and TPM
systemd.enable = true;
luks.devices = { luks.devices = {
"crypt-ssd" = { "crypt-ssd" = {
device = "/dev/disk/by-uuid/52110c74-19b6-40ef-9710-e6c9b157005f"; device = "/dev/disk/by-uuid/52110c74-19b6-40ef-9710-e6c9b157005f";
@ -61,7 +62,7 @@ in {
# Additional entry to boot from the second GPU # Additional entry to boot from the second GPU
specialisation = { specialisation = {
gputwo.configuration = { gputwo.configuration = {
boot.kernelParams = commonKernelParams ++ ["vfio-pci.ids=10de:2504,10de:228e"]; boot.kernelParams = commonKernelParams ++ [ "vfio-pci.ids=10de:2504,10de:228e" ];
}; };
}; };
@ -92,8 +93,33 @@ in {
fsType = "vfat"; fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ]; options = [ "fmask=0022" "dmask=0022" ];
}; };
# Games and such
"/mnt/Linux1" = {
device = "/dev/disk/by-uuid/b2901f8c-ffda-4b88-bb63-a9ea0c96ccb4";
options = [ "nosuid" "nodev" "nofail" "x-gvfs-show" ];
};
"/mnt/Linux2" = {
device = "/dev/disk/by-uuid/f08e4f38-162c-402f-ba2a-5925151b78bf";
options = [ "nosuid" "nodev" "nofail" "x-gvfs-show" ];
};
"/mnt/Windows1" = {
device = "/dev/disk/by-uuid/10BC97B2BC979138";
options = [ "nosuid" "nodev" "noauto" ];
};
"/mnt/Windows2" = {
device = "/dev/disk/by-uuid/0A5A3420237C863A";
options = [ "nosuid" "nodev" "noauto" ];
};
# Miscellaneous mounts
"/etc/libvirt" = { "/etc/libvirt" = {
device = "/dev/disk/by-label/Qemu"; device = "/dev/disk/by-uuid/f18a0302-9914-471d-828c-85ab1a67a8be";
options = [ "nosuid" "nodev" "nofail" ];
};
"/etc/libvirt/VMs/Bulk" = {
depends = [ "/etc/libvirt" ];
device = "/dev/disk/by-uuid/3eb36c3e-81ac-4281-89f0-c89242d88dd6";
options = [ "nosuid" "nodev" "nofail" ]; options = [ "nosuid" "nodev" "nofail" ];
}; };
"/var/lib/libvirt" = { "/var/lib/libvirt" = {
@ -101,22 +127,8 @@ in {
device = "/etc/libvirt/varlibvirt"; device = "/etc/libvirt/varlibvirt";
options = [ "bind" "rw" ]; options = [ "bind" "rw" ];
}; };
"/mnt/Linux1" = {
device = "/dev/disk/by-label/Linux1"; # Network mounts
options = [ "nosuid" "nodev" "nofail" "x-gvfs-show" ];
};
"/mnt/Linux2" = {
device = "/dev/disk/by-label/Linux2";
options = [ "nosuid" "nodev" "nofail" "x-gvfs-show" ];
};
"/mnt/Windows1" = {
device = "/dev/disk/by-label/Windows1";
options = [ "nosuid" "nodev" "noauto" ];
};
"/mnt/Windows2" = {
device = "/dev/disk/by-label/Windows2";
options = [ "nosuid" "nodev" "noauto" ];
};
"/home/jimbo/JimboNFS" = { "/home/jimbo/JimboNFS" = {
device = "${outputs.ips.server}:/export/JimboNFS"; device = "${outputs.ips.server}:/export/JimboNFS";
fsType = "nfs4"; fsType = "nfs4";
@ -131,7 +143,6 @@ in {
# Enables DHCP on each ethernet and wireless interface. # Enables DHCP on each ethernet and wireless interface.
networking.useDHCP = lib.mkDefault true; networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
} }
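Review bot: The `# Encryption and TPM` comment above `systemd.enable = true;` promises TPM handling, but nothing in that hunk configures a TPM unlock — the only change is enabling the systemd initrd; the rest of the `luks.devices` block runs past the hunk, so it may be set elsewhere. If TPM2 unlocking of `crypt-ssd` is intended, that is `crypttabExtraOpts = [ "tpm2-device=auto" ];` on the device entry, and the enrolled policy should be bound to the secure-boot PCR (PCR 7) so the key is only released under the signed boot chain this commit introduces; if not, the comment should say what it actually enables, e.g. `# systemd-based initrd (prerequisite for TPM2 LUKS unlock)`. Separately, moving the data mounts from `by-label` to `by-uuid` in the `fileSystems` hunk is an improvement worth a one-line comment — labels are not unique and any other OS on the same disks can set one — and the new `depends = [ "/etc/libvirt" ];` on `/etc/libvirt/VMs/Bulk` correctly orders the nested mount.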


@ -0,0 +1,6 @@
{
boot.lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
};
}
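Review bot: The new module sets only `enable` and `pkiBundle` with no comment on what the bundle holds or how it is protected; `/etc/secureboot` is the directory with the signing keys (the db private key included), and because it is given as a string rather than a path literal it stays out of the world-readable Nix store — that distinction is worth recording so nobody later "fixes" it to `./secureboot`. A header comment such as `# Secure boot via lanzaboote; signing keys live in pkiBundle, outside the store, and must stay root-only` would cover it. Lanzaboote's documented setup also pairs this with `boot.loader.systemd-boot.enable = lib.mkForce false;`; dropping the `systemdboot.nix` import in the host's configuration.nix hunk presumably removes the old setting, but if any other imported module still enables systemd-boot the force is needed here.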