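--- a/packetmix/npins/sources.json
+++ b/packetmix/npins/sources.json
@@ -159,6 +159,22 @@
 "url": "https://github.com/nix-community/impermanence/archive/4b3e914cdf97a5b536a889e939fb2fd2b043a170.tar.gz",
 "hash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI="
 },
+"lanzaboote": {
+"type": "GitRelease",
+"repository": {
+"type": "GitHub",
+"owner": "nix-community",
+"repo": "lanzaboote"
+},
+"pre_releases": false,
+"version_upper_bound": null,
+"release_prefix": null,
+"submodules": false,
+"version": "v0.4.2",
+"revision": "f0212638a2ec787a7841882f4477d40ae24f0a5d",
+"url": "https://api.github.com/repos/nix-community/lanzaboote/tarball/refs/tags/v0.4.2",
+"hash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU="
+},
 "lix": {
 "type": "Git",
 "repository": {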
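--- a/packetmix/systems/redhead/lanzaboote.nix
+++ b/packetmix/systems/redhead/lanzaboote.nix
@@ -0,0 +1,28 @@
+# SPDX-FileCopyrightText: 2025 FreshlyBakedCake
+#
+# SPDX-License-Identifier: MIT
+
+{ project, pkgs, lib, ... }:
+{
+imports = [ project.inputs.lanzaboote.result.nixosModules.lanzaboote ];
+
+environment.systemPackages = [
+pkgs.sbctl
+];
+
+boot.loader.systemd-boot.enable = lib.mkForce false;
+boot.lanzaboote = {
+enable = true;
+pkiBundle = "/var/lib/sbctl";
+publicKeyFile = "/secrets/lanzaboote/db/db.pem";
+privateKeyFile = "/secrets/lanzaboote/db/db.key";
+};
+
+environment.etc."sbctl/sbctl.conf".text = builtins.toJSON {
+keydir = "/secrets/lanzaboote";
+};
+
+clicks.storage.impermanence.persist.directories = [
+"/var/lib/sbctl"
+];
+}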
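Review bot: Nothing in this file shows that `/secrets/lanzaboote` survives a reboot or is readable by root only, although `privateKeyFile` and the sbctl `keydir` both point there and only `/var/lib/sbctl` is added to `clicks.storage.impermanence.persist.directories`. If `/secrets` is not persisted and locked down elsewhere in the project (not visible in this file), the db signing key could be lost on reboot, and the next rebuild would have no key to sign boot entries that firmware enforcing Secure Boot will accept. I would add a comment above `boot.lanzaboote` such as `# /secrets is persisted and root-only (0700 dir, 0600 db.key); anyone who can read db.key can sign boot images this machine trusts`, and confirm that holds on redhead. A one-line comment on `boot.loader.systemd-boot.enable = lib.mkForce false;` explaining that lanzaboote takes over bootloader installation would also help the next reader.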