
feat(pm/redhead): enable secure boot

I want to make booting not need a PIN/security key press, and therefore
I want to make sure that I'm booting only what is explicitly permitted.

Therefore, let's use lanzaboote! I've set it up before, so it's
relatively simple

authored by a.starrysky.fyi and committed by

Tangled 698f17cc a845aab4

+49
+16
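--- a/packetmix/npins/sources.json
+++ b/packetmix/npins/sources.json
@@ -159,6 +159,22 @@
 "url": "https://github.com/nix-community/impermanence/archive/4b3e914cdf97a5b536a889e939fb2fd2b043a170.tar.gz",
 "hash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI="
 },
+"lanzaboote": {
+"type": "GitRelease",
+"repository": {
+"type": "GitHub",
+"owner": "nix-community",
+"repo": "lanzaboote"
+},
+"pre_releases": false,
+"version_upper_bound": null,
+"release_prefix": null,
+"submodules": false,
+"version": "v0.4.2",
+"revision": "f0212638a2ec787a7841882f4477d40ae24f0a5d",
+"url": "https://api.github.com/repos/nix-community/lanzaboote/tarball/refs/tags/v0.4.2",
+"hash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU="
+},
 "lix": {
 "type": "Git",
 "repository": {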
+33
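--- /dev/null
+++ b/packetmix/systems/redhead/lanzaboote.nix
@@ -0,0 +1,33 @@
+# SPDX-FileCopyrightText: 2025 FreshlyBakedCake
+#
+# SPDX-License-Identifier: MIT
+
+{
+project,
+pkgs,
+lib,
+...
+}:
+{
+imports = [ project.inputs.lanzaboote.result.nixosModules.lanzaboote ];
+
+environment.systemPackages = [
+pkgs.sbctl
+];
+
+boot.loader.systemd-boot.enable = lib.mkForce false;
+boot.lanzaboote = {
+enable = true;
+pkiBundle = "/var/lib/sbctl";
+publicKeyFile = "/secrets/lanzaboote/db/db.pem";
+privateKeyFile = "/secrets/lanzaboote/db/db.key";
+};
+
+environment.etc."sbctl/sbctl.conf".text = builtins.toJSON {
+keydir = "/secrets/lanzaboote";
+};
+
+clicks.storage.impermanence.persist.directories = [
+"/var/lib/sbctl"
+];
+}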
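Review bot: The db signing key pair on lines 22–23 lives under `/secrets/lanzaboote`, separate from the `pkiBundle` at `/var/lib/sbctl` on line 21, yet only `/var/lib/sbctl` is added to the impermanence persist list on lines 30–32; unless `/secrets` is provisioned and persisted by another mechanism before activation, the private key would presumably be absent after a reboot and signing of new generations would fail. That split is not documented anywhere in the file, so a comment above the `boot.lanzaboote` block such as `# db signing key pair is provisioned under /secrets/lanzaboote (also the sbctl keydir configured below); /var/lib/sbctl is the sbctl pkiBundle and is persisted explicitly` would record the intent. Because `privateKeyFile` is readable by the very host it authorises to boot, the same comment should state that `/secrets/lanzaboote` must be root-only, since anything that can read `db.key` can sign boot entries this policy is meant to exclude.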