feat(pm/redhead): enable secure boot #76

merged
opened by a.starrysky.fyi targeting main from private/minion/push-mupytyywstsm

I want booting to not require a PIN or security-key press, so I need to make sure that I'm booting only what is explicitly permitted.

Therefore, let's use lanzaboote! I've set it up before, so it's relatively simple

Changed files
+49
+16
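--- a/packetmix/npins/sources.json
+++ b/packetmix/npins/sources.json
@@ -159,6 +159,22 @@
       "url": "https://github.com/nix-community/impermanence/archive/4b3e914cdf97a5b536a889e939fb2fd2b043a170.tar.gz",
       "hash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI="
     },
+    "lanzaboote": {
+      "type": "GitRelease",
+      "repository": {
+        "type": "GitHub",
+        "owner": "nix-community",
+        "repo": "lanzaboote"
+      },
+      "pre_releases": false,
+      "version_upper_bound": null,
+      "release_prefix": null,
+      "submodules": false,
+      "version": "v0.4.2",
+      "revision": "f0212638a2ec787a7841882f4477d40ae24f0a5d",
+      "url": "https://api.github.com/repos/nix-community/lanzaboote/tarball/refs/tags/v0.4.2",
+      "hash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU="
+    },
     "lix": {
       "type": "Git",
       "repository": {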
+33
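--- /dev/null
+++ b/packetmix/systems/redhead/lanzaboote.nix
@@ -0,0 +1,33 @@
+# SPDX-FileCopyrightText: 2025 FreshlyBakedCake
+#
+# SPDX-License-Identifier: MIT
+
+{
+  project,
+  pkgs,
+  lib,
+  ...
+}:
+{
+  imports = [ project.inputs.lanzaboote.result.nixosModules.lanzaboote ];
+
+  environment.systemPackages = [
+    pkgs.sbctl
+  ];
+
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+  boot.lanzaboote = {
+    enable = true;
+    pkiBundle = "/var/lib/sbctl";
+    publicKeyFile = "/secrets/lanzaboote/db/db.pem";
+    privateKeyFile = "/secrets/lanzaboote/db/db.key";
+  };
+
+  environment.etc."sbctl/sbctl.conf".text = builtins.toJSON {
+    keydir = "/secrets/lanzaboote";
+  };
+
+  clicks.storage.impermanence.persist.directories = [
+    "/var/lib/sbctl"
+  ];
+}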
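Review bot: The split between `pkiBundle = "/var/lib/sbctl"`, the explicit `publicKeyFile`/`privateKeyFile` under `/secrets/lanzaboote/db/`, and the sbctl `keydir = "/secrets/lanzaboote"` is undocumented in the `boot.lanzaboote` block, and a reader would otherwise expect the signing keys to live under the bundle directory. If I recall the module correctly, the explicit key paths take precedence over the bundle-derived defaults, which leaves `pkiBundle` (and the persisted `/var/lib/sbctl`) holding only sbctl's own state; a comment such as `# Signing keys live in /secrets (matches sbctl keydir); /var/lib/sbctl only keeps sbctl's GUID/file database and is persisted for that reason.` would pin this down. Nothing in the hunk shows how `/secrets/lanzaboote/db/db.key` is provisioned or what permissions it carries, and since it is the db signing key the signed-only-boot goal stated in the description depends on it being readable solely by root at build/switch time — worth a note pointing at the secrets mechanism that supplies it. The goal also only holds once the keys are actually enrolled in firmware and setup mode is left, which this module cannot do by itself; a one-line comment naming the enrollment step (`sbctl enroll-keys`, with whatever vendor-key option the board needs) would save the next person a non-booting surprise.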