| author | KJ Tsanaktsidis <kj@kjtsanaktsidis.id.au> | 2026-01-07 20:20:11 +1100 |
|---|---|---|
| committer | KJ Tsanaktsidis <kj@kjtsanaktsidis.id.au> | 2026-01-07 20:20:11 +1100 |
| commit | 83a656c9033fec6fd9c6a44d19af3efb1c471891 (patch) | |
| tree | 0205d1a83596adab3c17fdf8994e04cc20f82f07 | |
| parent | 6456bd1bb272de217f08228534c5bc9c3796be73 (diff) | |
secureboot
| -rw-r--r-- | flake.nix | 2 | ||||
| -rw-r--r-- | labsrv01/configuration.nix | 31 | ||||
| -rw-r--r-- | labsrv01/secureboot.nix | 51 | ||||
| -rw-r--r-- | labsrv01/zsh-config.zsh | 2 |
4 files changed, 57 insertions, 29 deletions
@@ -14,7 +14,7 @@ inputs.lanzaboote.url = "github:nix-community/lanzaboote/v1.0.0";
 inputs.lanzaboote.inputs.nixpkgs.follows = "nixpkgs-stable";
- outputs = { self, nixpkgs-stable, nixos-anywhere, ... }@inputs:
+ outputs = { self, nixpkgs-stable, nixos-anywhere, lanzaboote, ... }@inputs:
 let nixpkgs = nixpkgs-stable;
 systems = [ "x86_64-linux" "x86_64-darwin" "aarch64-linux" "aarch64-darwin" ];
diff --git a/labsrv01/configuration.nix b/labsrv01/configuration.nix
index eda606d..0642b65 100644
--- a/labsrv01/configuration.nix
+++ b/labsrv01/configuration.nix
@@ -9,6 +9,7 @@ {
 imports = [
 ./disk-config.nix
+ ./secureboot.nix
 ];
 hardware.facter.reportPath = ./facter.json;
@@ -17,9 +18,11 @@ experimental-features = ca-derivations nix-command flakes '';
 settings = {
+ trusted-users = [ "root" "kjtsanaktsidis" ];
 substituters = [
 "https://cache.nixos.org"
- "https://cache.ngi0.nixos.org/"
+ # the ca-derivations cache seems to be down
+ # "https://cache.ngi0.nixos.org/"
 ];
 trusted-public-keys = [
 "cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA="
@@ -42,7 +45,6 @@ };
 };
- boot.loader.systemd-boot.enable = true;
 system.stateVersion = "25.11";
 swapDevices = [
 {
@@ -135,29 +137,4 @@ RemainAfterExit = true;
 };
 };
-
- # Create and enroll Secure Boot keys on first boot
- systemd.services.sbctl-setup = {
- description = "Create and enroll Secure Boot keys";
- wantedBy = [ "multi-user.target" ];
- unitConfig.ConditionPathExists = "!/var/lib/sbctl/GUID";
-
- serviceConfig = {
- Type = "oneshot";
- RemainAfterExit = true;
- };
-
- script = ''
- echo "Creating Secure Boot keys..."
- ${pkgs.sbctl}/bin/sbctl create-keys
-
- # Check if we're in Setup Mode
- if ${pkgs.sbctl}/bin/sbctl status | grep -q "Setup Mode"; then
- echo "UEFI is in Setup Mode, enrolling keys..."
- ${pkgs.sbctl}/bin/sbctl enroll-keys --microsoft
- else
- echo "WARNING: UEFI is not in Setup Mode. Please clear Secure Boot keys in UEFI and reboot."
- fi
- '';
- };
 }
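Review bot: `trusted-users = [ "root" "kjtsanaktsidis" ];` in the nix settings hunk is a root-equivalent grant rather than a convenience flag: a trusted user can hand the daemon arbitrary substituters and trusted public keys per build and import unsigned store paths, so a compromise of that account is a compromise of the store that the system closure and the signed boot entries are built from. A one-line comment would stop the next reader from treating it as harmless, e.g. `# NOTE: trusted-users is effectively root over the nix store; keep this list minimal`. In the same hunk the ngi0 substituter is commented out but its entry in `trusted-public-keys` stays, so paths signed with that key are still accepted from any substituter; either comment the key out alongside it or note why it is kept. The `settings = {` block this sits in continues past the end of the hunk.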
diff --git a/labsrv01/secureboot.nix b/labsrv01/secureboot.nix
new file mode 100644
index 0000000..1e4d171
--- /dev/null
+++ b/labsrv01/secureboot.nix
@@ -0,0 +1,51 @@
+{
+ inputs,
+ lib,
+ pkgs,
+ ...
+}:
+{
+ imports = [
+ inputs.lanzaboote.nixosModules.lanzaboote
+ ];
+
+ environment.systemPackages = [
+ pkgs.sbctl
+ ];
+
+ # Lanzaboote currently replaces the systemd-boot module.
+ # This setting is usually set to true in configuration.nix
+ # generated at installation time. So we force it to false
+ # for now.
+ boot.loader.systemd-boot.enable = lib.mkForce false;
+
+ boot.lanzaboote = {
+ enable = true;
+ pkiBundle = "/var/lib/sbctl";
+ };
+
+ # Create and enroll Secure Boot keys on first boot
+ systemd.services.sbctl-setup = {
+ description = "Create and enroll Secure Boot keys";
+ wantedBy = [ "multi-user.target" ];
+ unitConfig.ConditionPathExists = "!/var/lib/sbctl/GUID";
+
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+
+ script = ''
+ echo "Creating Secure Boot keys..."
+ ${pkgs.sbctl}/bin/sbctl create-keys
+
+ # Check if we're in Setup Mode
+ if ${pkgs.sbctl}/bin/sbctl status | grep -q "Setup Mode"; then
+ echo "UEFI is in Setup Mode, enrolling keys..."
+ ${pkgs.sbctl}/bin/sbctl enroll-keys --microsoft
+ else
+ echo "WARNING: UEFI is not in Setup Mode. Please clear Secure Boot keys in UEFI and reboot."
+ fi
+ '';
+ };
+}
diff --git a/labsrv01/zsh-config.zsh b/labsrv01/zsh-config.zsh
index a1039a4..1c38138 100644
--- a/labsrv01/zsh-config.zsh
+++ b/labsrv01/zsh-config.zsh
@@ -45,4 +45,4 @@ prompt_themes+=( gentoo ) prompt gentoo # Make sure GPG & SSH keys are properly imported
-systemctl --user start --wait manage-secrets.service 2>/dev/null || true
+systemctl --user start manage-secrets.service 2>/dev/null || true |
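Review bot: The Setup Mode test in the `sbctl-setup` script, `grep -q "Setup Mode"`, matches the label rather than the state: as far as I know `sbctl status` prints a `Setup Mode:` line in both the Enabled and the Disabled case, so the else branch is effectively unreachable and the only guard against an enrolment attempt on locked-down firmware is sbctl's own refusal. The retry logic has the mirror problem: `ConditionPathExists = "!/var/lib/sbctl/GUID"` is satisfied as soon as `create-keys` has run once, so a host that was not in Setup Mode on its first boot keeps its keys, never enrols them, and the unit still reports success because the warning is only a journal line. Matching the state, failing the unit when it cannot enrol, and gating the condition on a marker written only after enrolment keeps an unenrolled host visible in `systemctl --failed`. Separately, a comment on `pkiBundle` noting that this directory holds the private signing keys lanzaboote uses, and one on `--microsoft` noting that it also enrols Microsoft's certificates into db, would document the two decisions that determine what this firmware will boot.
```nix
  systemd.services.sbctl-setup = {
    # … unchanged: description, wantedBy, serviceConfig …
    # Gate on a marker written only after a successful enrolment, so a host
    # that could not enrol retries on the next boot instead of being skipped.
    # (marker file name is a constructed placeholder)
    unitConfig.ConditionPathExists = "!/var/lib/sbctl/enrolled";

    script = ''
      if [ ! -e /var/lib/sbctl/GUID ]; then
        echo "Creating Secure Boot keys..."
        ${pkgs.sbctl}/bin/sbctl create-keys
      fi

      # Match the state, not the label: "Setup Mode:" appears to be printed in
      # both cases -- confirm against the installed sbctl's output.
      if ${pkgs.sbctl}/bin/sbctl status | grep -Eq 'Setup Mode:.*Enabled'; then
        echo "UEFI is in Setup Mode, enrolling keys..."
        ${pkgs.sbctl}/bin/sbctl enroll-keys --microsoft
        touch /var/lib/sbctl/enrolled
      else
        echo "WARNING: UEFI is not in Setup Mode. Please clear Secure Boot keys in UEFI and reboot."
        exit 1
      fi
    '';
  };
```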
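Review bot: With `--wait` dropped, the comment `# Make sure GPG & SSH keys are properly imported` above the changed line no longer describes it: `systemctl --user start` now returns as soon as the job is queued, so a shell opened right after login can run before manage-secrets.service has finished, and the `|| true` hides any failure either way. If the goal is faster shell startup, say so in the comment, e.g. `# Kick off GPG & SSH key import in the background; not awaited, so keys may arrive after the first prompt`. If the keys genuinely must be present before the shell is usable, keeping `--wait` or ordering the import into the session's startup units is the alternative.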
