
Better lanzaboote control, better ssh host keys

bwc9876.dev e281bd0e 3b93c447

+49 -34
+48 -29
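--- a/nixosModules/imperm.nix
+++ b/nixosModules/imperm.nix
@@ -1,12 +1,10 @@
-{ ... }:
-{
+{...}: {
   config,
   lib,
   inputs,
   ...
-}:
-{
-  imports = [ inputs.imperm.nixosModules.default ];
+}: {
+  imports = [inputs.imperm.nixosModules.default];
 
   options.cow.imperm = {
     enable = lib.mkEnableOption "Impermanence, turns off mutable users and expects you to define their password hashes";
@@ -23,49 +21,70 @@
     keep = lib.mkOption {
       type = lib.types.listOf lib.types.str;
       description = "Paths to keep that should be backed up";
-      default = [ ];
+      default = [];
     };
     keepCache = lib.mkOption {
       type = lib.types.listOf lib.types.str;
       description = "Paths to keep that shouldn't be backed up";
-      default = [ ];
+      default = [];
     };
   };
 
-  config =
-    let
-      users = if config.cow.hm.enable then config.home-manager.users else { };
-      persistRoot = config.cow.imperm.persistRoot; # Anything important we want backed up
-      cacheRoot = config.cow.imperm.cacheRoot; # Anything not as important that we can stand losing
-    in
+  config = let
+    users =
+      if config.cow.hm.enable
+      then config.home-manager.users
+      else {};
+    persistRoot = config.cow.imperm.persistRoot; # Anything important we want backed up
+    cacheRoot = config.cow.imperm.cacheRoot; # Anything not as important that we can stand losing
+  in
     lib.mkIf config.cow.imperm.enable {
       users.mutableUsers = false;
 
+      boot.lanzaboote.pkiBundle = lib.mkIf config.cow.lanzaboote.enable "${persistRoot}/secure/secureboot";
+
+      services.openssh.hostKeys = lib.mkIf config.cow.ssh-server.enable [
+        {
+          bits = 4096;
+          path = "${persistRoot}/secure/ssh_host_rsa_key";
+          type = "rsa";
+        }
+        {
+          path = "${persistRoot}/secure/ssh_host_ed25519_key";
+          type = "ed25519";
+        }
+      ];
+
       environment.persistence = {
         "${cacheRoot}" = {
           enable = true;
           hideMounts = true;
-          directories = [
-            "/var/log"
-            "/var/lib/nixos"
-            "/var/lib/systemd/coredump"
-            "/var/lib/systemd/timers"
-            "/var/lib/systemd/rfkill"
-            "/var/lib/systemd/backlight"
-          ]
-          ++ config.cow.imperm.keepCache;
-          users = builtins.mapAttrs (_: v: {
-            directories = v.cow.imperm.keepCache or [ ];
-          }) users;
+          directories =
+            [
+              "/var/log"
+              "/var/lib/nixos"
+              "/var/lib/systemd/coredump"
+              "/var/lib/systemd/timers"
+              "/var/lib/systemd/rfkill"
+              "/var/lib/systemd/backlight"
+            ]
+            ++ config.cow.imperm.keepCache;
+          users =
+            builtins.mapAttrs (_: v: {
+              directories = v.cow.imperm.keepCache or [];
+            })
+            users;
         };
         "${persistRoot}" = {
           enable = true;
           hideMounts = true;
           directories = config.cow.imperm.keep;
-          users = builtins.mapAttrs (_: v: {
-            directories = v.cow.imperm.keep or [ ];
-            files = v.cow.imperm.keepFiles or [ ];
-          }) users;
+          users =
+            builtins.mapAttrs (_: v: {
+              directories = v.cow.imperm.keep or [];
+              files = v.cow.imperm.keepFiles or [];
+            })
+            users;
         };
       };
     };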
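Review bot: The `${persistRoot}/secure` directory introduced on new lines 44 and 46-56 now holds both the Secure Boot signing keys and the sshd host private keys, but nothing in this module fixes its ownership or mode, so it is created by whichever service touches it first with that service's umask. Pinning it to root-only up front would avoid depending on that, e.g. `systemd.tmpfiles.rules = [ "d ${persistRoot}/secure 0700 root root -" ];` next to the two new assignments. The paths also bypass `environment.persistence`, so it is worth a short comment on line 44 saying the bundle and host keys are read directly from the persistent volume rather than bind-mounted; a reader of the persistence block below would otherwise expect to find `secure` listed there. The coupling to `config.cow.lanzaboote.enable` and `config.cow.ssh-server.enable` means this module now evaluates only when those option sets are imported alongside it, which is presumably the case in this flake but not stated anywhere visible.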
+1 -5
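--- a/nixosModules/lanzaboote.nix
+++ b/nixosModules/lanzaboote.nix
@@ -14,11 +14,7 @@
 
     lanzaboote = {
       enable = true;
-      pkiBundle = lib.mkDefault (
-        if config.cow.imperm.enable
-        then "/nix/persist/secure/secureboot"
-        else "/etc/secureboot"
-      );
+      pkiBundle = lib.mkDefault "/var/lib/sbctl";
     };
   };
 }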
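Review bot: The non-impermanence default on new line 17 moves from `/etc/secureboot` to `/var/lib/sbctl` with no migration step, so a host that already enrolled its keys at the old path will rebuild against a bundle that is no longer there; the commit message should say whether the bundle is expected to be moved by hand first. A one-line comment would also help the next reader, since the impermanence case is now handled in a different file: `# Plain hosts only; imperm.nix overrides this with a path under persistRoot when impermanence is enabled`. With the conditional gone, `config` is no longer referenced in the visible part of this file; if nothing above line 14 uses it either, it can be dropped from the module's argument set. The enclosing attribute set starts outside the hunk.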