Add lanzaboote

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>

hosts/common/configs/system/lanzaboote/default.nix

@@ -0,0 +1,22 @@
+{
+  inputs,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  imports = [ inputs.lanzaboote.nixosModules.lanzaboote ];
+
+  environment = {
+    persistence."/persist/state"."/var/lib/sbctl" = { };
+
+    systemPackages = with pkgs; [ sbctl ];
+  };
+
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+
+  boot.lanzaboote = {
+    enable = true;
+    pkiBundle = "/var/lib/sbctl";
+  };
+}

hosts/common/configs/system/nix-install/install.completion.zsh

@@ -4,6 +4,7 @@ _nix-install_completion() {
     '-m[Mode: 'install' or 'repair']:mode:(install repair)'
     '-h[Host to configure]:host:($(_list_hosts))'
     '-k[Key file to copy to user config]:key:($(_list_keys))'
+    '-s[Enroll secure boot keys on current device]'
     '-c[Copy configuration to target]'
     '-r[Reboot after completion]'
   )

hosts/common/configs/system/nix-install/install.sh

@@ -1,13 +1,14 @@
 # shellcheck shell=bash
 
 usage() {
-  echo "Usage: $0 flake -m install|repair -h host [-k key] [-p password_file] [-c] [-r]"
+  echo "Usage: $0 flake -m install|repair -h host [-k key] [-p password_file] [-s] [-c] [-r]"
   echo
   echo "Options:"
   echo "  flake               Directory containing the flake.nix file."
   echo "  -m mode             Mode: 'install' or 'repair'."
   echo "  -h host             Host to configure."
   echo "  -k key              Key file to copy to user config."
+  echo "  -s                  Enroll secure boot keys on current device."
   echo "  -c                  Copy configuration to target."
   echo "  -r                  Reboot after completion."
   exit 1
@@ -35,7 +36,7 @@ check_flake() {
 }
 
 check_host() {
-  if ! nix flake show --quiet --json "$flake" 2>/dev/null | jq -e ".nixosConfigurations[\"$host\"]" &>/dev/null; then
+  if ! nix flake show --allow-import-from-derivation --quiet --json "$flake" 2>/dev/null | jq -e ".nixosConfigurations[\"$host\"]" &>/dev/null; then
     echo "Host '$host' not found in flake."
     exit 1
   fi
@@ -51,6 +52,7 @@ check_key() {
 set_password_file() {
   SOPS_AGE_KEY_FILE="$flake/secrets/$key/key.txt"
   export SOPS_AGE_KEY_FILE
+  install -m 600 /dev/null /tmp/keyfile
   sops --decrypt --extract "['luks']" "$flake/secrets/hosts/$host/secrets.yaml" > /tmp/keyfile
   unset SOPS_AGE_KEY_FILE
 }
@@ -62,7 +64,7 @@ prepare_disk() {
   disko -m "$disko_mode" --yes-wipe-all-disks --root-mountpoint "$root" "$flake/hosts/$host/format.nix"
 }
 
-copy_keys() {
+copy_sops_keys() {
   mkdir -p "$root/persist/state/etc/ssh"
   cp -f "$flake/secrets/hosts/$host/ssh_host_ed25519_key" "$root/persist/state/etc/ssh/ssh_host_ed25519_key"
 
@@ -87,26 +89,46 @@ copy_keys() {
   done
 }
 
+copy_secure_boot_keys() {
+  mkdir -p "$root/persist/state/var/lib/sbctl/keys"/{db,KEK,PK}
+
+  SOPS_AGE_KEY_FILE="$flake/secrets/$key/key.txt"
+  export SOPS_AGE_KEY_FILE
+
+  sops --decrypt --extract "['guid']" "$flake/secrets/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/GUID"
+  sops --decrypt --extract "['keys']['kek']['key']" "$flake/secrets/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/KEK/KEK.key"
+  sops --decrypt --extract "['keys']['kek']['pem']" "$flake/secrets/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/KEK/KEK.pem"
+  sops --decrypt --extract "['keys']['pk']['key']" "$flake/secrets/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/PK/PK.key"
+  sops --decrypt --extract "['keys']['pk']['pem']" "$flake/secrets/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/PK/PK.pem"
+  sops --decrypt --extract "['keys']['db']['key']" "$flake/secrets/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/db/db.key"
+  sops --decrypt --extract "['keys']['db']['pem']" "$flake/secrets/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/db/db.pem"
+
+  chmod 400 "$root/persist/state/var/lib/sbctl/keys"/*/*
+
+  unset SOPS_AGE_KEY_FILE
+
+  mkdir -p "$root/var/lib/sbctl"
+  mount --bind -o X-fstrim.notrim,x-gvfs-hide "$root/persist/state/var/lib/sbctl" "$root/var/lib/sbctl"
+}
+
 install() {
   nixos-install --root "$root" --flake "$flake#$host" --no-root-passwd
 }
 
+enroll_secure_boot() {
+  sbctl enroll-keys --microsoft
+}
+
 copy_config() {
   echo "Copying configuration..."
-  mkdir -p "$root/persist/user/etc/nixos"
+  mkdir -p "$root/persist/user/etc"
   rm -rf "$root/persist/user/etc/nixos"
   cp -r "$flake" "$root/persist/user/etc/nixos"
 }
 
-finish() {
-  echo "Rebooting system..."
-  trap - EXIT
-  cleanup
-  reboot
-}
-
 cleanup() {
   rm -f /tmp/keyfile
+  if [[ -d "$root" ]]; then umount "$root/var/lib/sbctl"; fi
   if [[ -n "$host" ]]; then disko -m "unmount" "$flake/hosts/$host/format.nix"; fi
   if [[ -d "$root" ]]; then rmdir "$root"; fi
 }
@@ -124,14 +146,16 @@ main() {
   mode=""
   host=""
   key=""
+  enroll_secure_boot_flag="false"
   copy_config_flag="false"
   reboot_flag="false"
 
-  while getopts "m:h:k:cr" opt; do
+  while getopts "m:h:k:scr" opt; do
     case "$opt" in
       m) mode="$OPTARG" ;;
       h) host="$OPTARG" ;;
       k) key="$OPTARG" ;;
+      s) enroll_secure_boot_flag="true" ;;
       c) copy_config_flag="true" ;;
       r) reboot_flag="true" ;;
       *) usage ;;
@@ -153,10 +177,17 @@ main() {
       ;;
   esac
 
-  copy_keys
+  copy_sops_keys
+  copy_secure_boot_keys
+
   install
+
+  [[ "$enroll_secure_boot_flag" == "true" ]] && enroll_secure_boot
   [[ "$copy_config_flag" == "true" ]] && copy_config
-  [[ "$reboot_flag" == "true" ]] && finish
+
+  cleanup
+
+  [[ "$reboot_flag" == "true" ]] && reboot
 }
 
 main "$@"

hosts/elara/configs/ssh/default.nix

@@ -8,16 +8,28 @@
 let
   selfPkgs = inputs.self.packages.${system};
 in
-# Configured for the root user to allow private builds
 {
-  sops.secrets."ssh/sas/ed25519/key" = {
-    sopsFile = "${inputs.secrets}/sas/secrets.yaml";
-    key = "ssh/ed25519/key";
-    path = "/root/.ssh/ssh_sas_ed25519_key";
+  sops.secrets = {
+    "ssh/personal/key" = {
+      sopsFile = "${inputs.secrets}/personal/secrets.yaml";
+      key = "ssh/key";
+      path = "/root/.ssh/ssh_personal_ed25519_key";
+    };
+
+    "ssh/sas/ed25519/key" = {
+      sopsFile = "${inputs.secrets}/sas/secrets.yaml";
+      key = "ssh/ed25519/key";
+      path = "/root/.ssh/ssh_sas_ed25519_key";
+    };
   };
 
   programs.ssh = {
     extraConfig = ''
+      Host karaolidis.com
+        User git
+        HostName karaolidis.com
+        IdentityFile /root/.ssh/ssh_personal_ed25519_key
+
       Host github.com
         User git
         HostName github.com

hosts/elara/default.nix

@@ -21,6 +21,7 @@
     ../common/configs/system/git
     ../common/configs/system/gpg-agent
     ../common/configs/system/impermanence
+    ../common/configs/system/lanzaboote
     ../common/configs/system/libvirt
     ../common/configs/system/neovim
     ../common/configs/system/networkmanager
@@ -47,9 +48,9 @@
     ../common/configs/system/users
     ../common/configs/system/zsh
 
-    ./configs/git
     "${inputs.secrets}/hosts/elara/configs/globalprotect"
     ./configs/pki
+    ./configs/ssh
 
     ./users/nikara
   ];

hosts/himalia/configs/ssh/default.nix

@@ -0,0 +1,14 @@
+{ inputs, ... }:
+{
+  sops.secrets."ssh/key" = {
+    sopsFile = "${inputs.secrets}/personal/secrets.yaml";
+    path = "/root/.ssh/ssh_personal_ed25519_key";
+  };
+
+  programs.ssh.extraConfig = ''
+    Host karaolidis.com
+      User git
+      HostName karaolidis.com
+      IdentityFile /root/.ssh/ssh_personal_ed25519_key
+  '';
+}

hosts/himalia/default.nix

@@ -17,6 +17,7 @@
     ../common/configs/system/git
     ../common/configs/system/gpg-agent
     ../common/configs/system/impermanence
+    ../common/configs/system/lanzaboote
     ../common/configs/system/libvirt
     ../common/configs/system/neovim
     ../common/configs/system/networkmanager
@@ -43,6 +44,8 @@
     ../common/configs/system/users
     ../common/configs/system/zsh
 
+    ./configs/ssh
+
     ./users/nick
   ];
 

hosts/installer/README.md

@@ -1,12 +1,16 @@
 # installer
 
-I have automated myself out of a job. How to use:
+I have automated myself out of a job. Here's how to use the installer to create a new host:
 
-1. Boot into installer
+1. Enable Secure Boot Setup Mode on the target device's UEFI menu - this will vary depending on the manufacturer
 
-2. Connect to the internet with `sudo nmcli device wifi connect "<SSID>" [--ask]`
+2. Boot into the installer
 
-3. Run `sudo nix-install /etc/nixos -m install|repair -h host [-k key] [-c] [-r]"`
+3. Connect to the internet with `sudo nmcli device wifi connect "<SSID>" [--ask]`
+
+4. Run `sudo nix-install /etc/nixos -m install|repair -s -h host [-k key] [-c] [-r]"`
+
+5. Enable Secure Boot on the device's UEFI menu.
 
 ## Reinstalling the Installer
 
@@ -65,4 +69,4 @@ I have automated myself out of a job. How to use:
 
 6. I really hope you had a backup of the keys, because you must copy them to the repository before the next step.
 
-7. Run `nix --experimental-features "nix-command flakes" shell nixpkgs#disko nixpkgs#jq -c bash hosts/common/configs/system/nix-install/install.sh nix -m install -h installer -k personal -c`
+7. Run `nix --experimental-features "nix-command flakes" shell nixpkgs#disko nixpkgs#sbctl nixpkgs#jq -c bash hosts/common/configs/system/nix-install/install.sh . -m install -h installer -k personal -c`

hosts/installer/configs/ssh/default.nix

@@ -0,0 +1,14 @@
+{ inputs, ... }:
+{
+  sops.secrets."ssh/key" = {
+    sopsFile = "${inputs.secrets}/personal/secrets.yaml";
+    path = "/root/.ssh/ssh_personal_ed25519_key";
+  };
+
+  programs.ssh.extraConfig = ''
+    Host karaolidis.com
+      User git
+      HostName karaolidis.com
+      IdentityFile /root/.ssh/ssh_personal_ed25519_key
+  '';
+}

hosts/installer/default.nix

@@ -15,6 +15,7 @@
     ../common/configs/system/git
     ../common/configs/system/gpg-agent
     ../common/configs/system/impermanence
+    ../common/configs/system/lanzaboote
     ../common/configs/system/neovim
     ../common/configs/system/networkmanager
     ../common/configs/system/nix
@@ -35,6 +36,8 @@
     ../common/configs/system/users
     ../common/configs/system/zsh
 
+    ./configs/ssh
+
     ./users/nick
   ];
 

hosts/jupiter-vps/configs/ssh/default.nix

@@ -0,0 +1,14 @@
+{ inputs, ... }:
+{
+  sops.secrets."ssh/key" = {
+    sopsFile = "${inputs.secrets}/personal/secrets.yaml";
+    path = "/root/.ssh/ssh_personal_ed25519_key";
+  };
+
+  programs.ssh.extraConfig = ''
+    Host karaolidis.com
+      User git
+      HostName karaolidis.com
+      IdentityFile /root/.ssh/ssh_personal_ed25519_key
+  '';
+}

hosts/jupiter-vps/default.nix

@@ -23,6 +23,7 @@
 
     ./configs/boot
     ./configs/podman
+    ./configs/ssh
     ./configs/wireguard
   ];
 

hosts/jupiter/configs/ssh/default.nix

@@ -0,0 +1,14 @@
+{ inputs, ... }:
+{
+  sops.secrets."ssh/key" = {
+    sopsFile = "${inputs.secrets}/personal/secrets.yaml";
+    path = "/root/.ssh/ssh_personal_ed25519_key";
+  };
+
+  programs.ssh.extraConfig = ''
+    Host karaolidis.com
+      User git
+      HostName karaolidis.com
+      IdentityFile /root/.ssh/ssh_personal_ed25519_key
+  '';
+}

hosts/jupiter/default.nix

@@ -14,6 +14,7 @@
     ../common/configs/system/documentation
     ../common/configs/system/git
     ../common/configs/system/impermanence
+    ../common/configs/system/lanzaboote
     ../common/configs/system/neovim
     ../common/configs/system/networkmanager
     ../common/configs/system/nix
@@ -32,6 +33,7 @@
     ../common/configs/system/zsh
 
     ./configs/btrbk
+    ./configs/ssh
     ./configs/tv
     ./configs/wireguard