set up secure boot on eclipse and do some tpm stuff

encrypt ssh private keys with the tpm
2024-12-04 16:09:14 -05:00 · 2024-12-03 16:40:01 -05:00
5 changed files with 276 additions and 21 deletions
--- a/flake.lock
+++ b/flake.lock
@ -38,6 +38,27 @@
        "type": "github"
      }
    },
+    "crane": {
+      "inputs": {
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1717535930,
+        "narHash": "sha256-1hZ/txnbd/RmiBPNUs7i8UQw2N89uAK3UzrGAWdnFfU=",
+        "owner": "ipetkov",
+        "repo": "crane",
+        "rev": "55e7754ec31dac78980c8be45f8a28e80e370946",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ipetkov",
+        "repo": "crane",
+        "type": "github"
+      }
+    },
    "devshell": {
      "inputs": {
        "nixpkgs": [
@ -76,6 +97,22 @@
      }
    },
    "flake-compat_2": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_3": {
      "locked": {
        "lastModified": 1696426674,
        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
@ -90,6 +127,27 @@
      }
    },
    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1717285511,
+        "narHash": "sha256-iKzJcpdXih14qYVcZ9QC9XuZYnPc6T8YImb6dX166kw=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "2a55567fcf15b1b1c7ed712a2c6fadaec7412ea8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-parts_2": {
      "inputs": {
        "nixpkgs-lib": [
          "nixvim",
@ -147,6 +205,24 @@
      "inputs": {
        "systems": "systems_2"
      },
+      "locked": {
+        "lastModified": 1710146030,
+        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_4": {
+      "inputs": {
+        "systems": "systems_3"
+      },
      "locked": {
        "lastModified": 1731533236,
        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
@ -167,7 +243,7 @@
          "nixvim",
          "flake-compat"
        ],
-        "gitignore": "gitignore",
+        "gitignore": "gitignore_2",
        "nixpkgs": [
          "nixvim",
          "nixpkgs"
@ -192,6 +268,28 @@
      }
    },
    "gitignore": {
+      "inputs": {
+        "nixpkgs": [
+          "lanzaboote",
+          "pre-commit-hooks-nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
+    "gitignore_2": {
      "inputs": {
        "nixpkgs": [
          "nixvim",
@ -283,6 +381,33 @@
        "type": "github"
      }
    },
+    "lanzaboote": {
+      "inputs": {
+        "crane": "crane",
+        "flake-compat": "flake-compat",
+        "flake-parts": "flake-parts",
+        "flake-utils": "flake-utils_2",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "pre-commit-hooks-nix": "pre-commit-hooks-nix",
+        "rust-overlay": "rust-overlay"
+      },
+      "locked": {
+        "lastModified": 1718178907,
+        "narHash": "sha256-eSZyrQ9uoPB9iPQ8Y5H7gAmAgAvCw3InStmU3oEjqsE=",
+        "owner": "nix-community",
+        "repo": "lanzaboote",
+        "rev": "b627ccd97d0159214cee5c7db1412b75e4be6086",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "v0.4.1",
+        "repo": "lanzaboote",
+        "type": "github"
+      }
+    },
    "nix-darwin": {
      "inputs": {
        "nixpkgs": [
@ -344,8 +469,8 @@
    },
    "nix-vscode-extensions": {
      "inputs": {
-        "flake-compat": "flake-compat",
-        "flake-utils": "flake-utils_2",
+        "flake-compat": "flake-compat_2",
+        "flake-utils": "flake-utils_3",
        "nixpkgs": "nixpkgs_2"
      },
      "locked": {
@ -378,6 +503,22 @@
        "type": "github"
      }
    },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1710695816,
+        "narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "614b4613980a522ba49f0d194531beddbb7220d3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-23.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1713805509,
@ -429,8 +570,8 @@
    "nixvim": {
      "inputs": {
        "devshell": "devshell",
-        "flake-compat": "flake-compat_2",
-        "flake-parts": "flake-parts",
+        "flake-compat": "flake-compat_3",
+        "flake-parts": "flake-parts_2",
        "git-hooks": "git-hooks",
        "home-manager": "home-manager_2",
        "nix-darwin": "nix-darwin",
@ -456,7 +597,7 @@
    },
    "nuschtosSearch": {
      "inputs": {
-        "flake-utils": "flake-utils_3",
+        "flake-utils": "flake-utils_4",
        "ixx": "ixx",
        "nixpkgs": [
          "nixvim",
@ -522,11 +663,39 @@
        "type": "github"
      }
    },
+    "pre-commit-hooks-nix": {
+      "inputs": {
+        "flake-compat": [
+          "lanzaboote",
+          "flake-compat"
+        ],
+        "gitignore": "gitignore",
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1717664902,
+        "narHash": "sha256-7XfBuLULizXjXfBYy/VV+SpYMHreNRHk9nKMsm1bgb4=",
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "rev": "cc4d466cb1254af050ff7bdf47f6d404a7c646d1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "type": "github"
+      }
+    },
    "root": {
      "inputs": {
        "catppuccin-vsc": "catppuccin-vsc",
        "compose2nix": "compose2nix",
        "home-manager": "home-manager",
+        "lanzaboote": "lanzaboote",
        "nix-flatpak": "nix-flatpak",
        "nix-vscode-extensions": "nix-vscode-extensions",
        "nixpkgs": "nixpkgs_3",
@ -536,6 +705,31 @@
        "zen-browser": "zen-browser"
      }
    },
+    "rust-overlay": {
+      "inputs": {
+        "flake-utils": [
+          "lanzaboote",
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1717813066,
+        "narHash": "sha256-wqbRwq3i7g5EHIui0bIi84mdqZ/It1AXBSLJ5tafD28=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "6dc3e45fe4aee36efeed24d64fc68b1f989d5465",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    },
    "sops-nix": {
      "inputs": {
        "nixpkgs": [
@ -586,6 +780,21 @@
        "type": "github"
      }
    },
+    "systems_3": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
    "treefmt-nix": {
      "inputs": {
        "nixpkgs": [
--- a/flake.nix
+++ b/flake.nix
@ -15,6 +15,10 @@
      url = "github:Mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
+    lanzaboote = {
+      url = "github:nix-community/lanzaboote/v0.4.1";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
    nix-flatpak.url = "github:gmodena/nix-flatpak";
    nixvim = {
      url = "github:nix-community/nixvim";
@ -29,7 +33,12 @@
    catppuccin-vsc.url = "https://flakehub.com/f/catppuccin/vscode/*.tar.gz";
  };
  outputs =
-    { nixpkgs, home-manager, ... }@inputs:
+    {
+      self,
+      nixpkgs,
+      home-manager,
+      ...
+    }@inputs:
    let
      user = "cswimr";
      system = "x86_64-linux";
@ -69,6 +78,7 @@
            ./nixos/sudo.nix
            ./nixos/symlinks.nix
            ./nixos/tailscale.nix
+            ./nixos/tpm.nix

            {
              # enable bluetooth
@ -79,6 +89,18 @@
            inputs.nixvim.nixosModules.nixvim
            inputs.nix-flatpak.nixosModules.nix-flatpak

+            inputs.lanzaboote.nixosModules.lanzaboote
+            (
+              { lib, ... }:
+              {
+                boot.loader.systemd-boot.enable = lib.mkForce false;
+                boot.lanzaboote = {
+                  enable = true;
+                  pkiBundle = "/etc/secureboot";
+                };
+              }
+            )
+
            # Home Manager
            home-manager.nixosModules.home-manager
            {
@ -97,6 +119,7 @@
                users.${user} = {
                  imports = [
                    ./home-manager/plasma.nix
+                    ./home-manager/tpm.nix
                    ./home-manager/user.nix
                    ./home-manager/vscode.nix
                    {
--- a/home-manager/tpm.nix
+++ b/home-manager/tpm.nix
@ -0,0 +1,5 @@
+{
+  programs.ssh.extraConfig = ''
+    PKCS11Provider = /run/current-system/sw/lib/libtpm2_pkcs11.so
+  '';
+}
--- a/nixos/configuration.nix
+++ b/nixos/configuration.nix
@ -20,20 +20,21 @@
  boot.kernelPackages = pkgs.linuxPackages_latest;

  # Bootloader.
-  boot.loader.grub = {
-    enable = true;
-    efiSupport = true;
-    device = "nodev";
-    theme = pkgs.catppuccin-grub;
-    extraEntries = ''
-      menuentry "Firmware Setup" --class menu {
-        fwsetup
-      }
-    '';
-    extraFiles = {
-      "theme/icons/menu.png" = "/etc/nixos/assets/img/grub/menu.png";
-    };
-  };
+  boot.loader.systemd-boot.enable = true;
+  # boot.loader.grub = {
+  #   enable = true;
+  #   efiSupport = true;
+  #   device = "nodev";
+  #   theme = pkgs.catppuccin-grub;
+  #   extraEntries = ''
+  #     menuentry "Firmware Setup" --class menu {
+  #       fwsetup
+  #     }
+  #   '';
+  #   extraFiles = {
+  #     "theme/icons/menu.png" = "/etc/nixos/assets/img/grub/menu.png";
+  #   };
+  # };
  boot.loader.efi.canTouchEfiVariables = true;

  networking.hostName = hostname; # Define your hostname.
--- a/nixos/tpm.nix
+++ b/nixos/tpm.nix
@ -0,0 +1,17 @@
+{ user, lib, pkgs, ... }:
+{
+  environment.variables = {
+    TPM2_PKCS11_TCTI = lib.mkDefault "tabrmd:";
+  };
+  security.tpm2 = {
+    enable = true;
+    pkcs11.enable = true;
+    tctiEnvironment.enable = true;
+  };
+  users.users.${user}.extraGroups = [ "tss" ];
+
+  # secure boot configuration
+  environment.systemPackages = with pkgs; [
+    sbctl
+  ];
+}
Author	SHA1	Message	Date
cswimr	c9b44fbf1f	set up secure boot on eclipse and do some tpm stuff	2024-12-04 16:09:14 -05:00
cswimr	d5db083507	encrypt ssh private keys with the tpm	2024-12-03 16:40:01 -05:00