Diffstat (limited to 'sys/boot')
| -rw-r--r-- | sys/boot/chain.nix | 18 | ||||
| -rw-r--r-- | sys/boot/detached-luks.nix | 91 | ||||
| -rw-r--r-- | sys/boot/efi.nix | 15 | ||||
| -rw-r--r-- | sys/boot/firmware.nix | 14 | ||||
| -rw-r--r-- | sys/boot/fscrypt.nix | 17 | ||||
| -rw-r--r-- | sys/boot/impermanence.nix | 13 | ||||
| -rw-r--r-- | sys/boot/namespaced.nix | 27 | ||||
| -rw-r--r-- | sys/boot/secure-boot.nix | 12 | ||||
| -rw-r--r-- | sys/boot/stack/btrfs-toplevel-multidrive.nix | 21 | ||||
| -rw-r--r-- | sys/boot/stack/luks-ext4-fscrypt-impermanence.nix | 78 | ||||
| -rw-r--r-- | sys/boot/tpm.nix | 13 |
11 files changed, 183 insertions, 136 deletions
diff --git a/sys/boot/chain.nix b/sys/boot/chain.nix
index aeb3bbe..43edcb4 100644
--- a/sys/boot/chain.nix
+++ b/sys/boot/chain.nix
@@ -1,11 +1,15 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 with lib; let
   cfg = config.local.boot;
-in
-{
+in {
   options.local.boot = {
     loader = mkOption {
-      type = types.enum [ "none" "grub" "systemd-boot" ];
+      type = types.enum ["none" "grub" "systemd-boot"];
     };
 
     kernel = mkOption {
@@ -18,13 +22,15 @@ in
     kernelPackages = cfg.kernel;
 
     loader =
-      if cfg.loader == "grub" then {
+      if cfg.loader == "grub"
+      then {
         grub = {
           enable = true;
           device = "nodev";
           efiSupport = true;
         };
-      } else {
+      }
+      else {
         systemd-boot = {
           enable = true;
           editor = true;
diff --git a/sys/boot/detached-luks.nix b/sys/boot/detached-luks.nix
index 8be7de1..78ae35c 100644
--- a/sys/boot/detached-luks.nix
+++ b/sys/boot/detached-luks.nix
@@ -1,4 +1,9 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 with lib; let
   cfg = config.local.boot.detachedLuks;
 
@@ -6,8 +11,7 @@ with lib; let
 
   tpmInitrd = config.local.boot.tpm.initrd.enable;
   pcrList = concatStringsSep "," (map toString config.local.boot.tpm.initrd.pcrs);
-in
-{
+in {
   options.local.boot.detachedLuks = {
     enable = mkEnableOption "detached LUKS header in initrd";
 
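Review bot: `editor = true;` in the systemd-boot branch of the second chain.nix hunk keeps the boot-menu command-line editor on, which lets anyone at the console change kernel parameters before the initrd runs; NixOS's own option documentation recommends `false` for that reason, and it matters more here because the same tree ships secure-boot.nix and TPM-based initrd unlocking. If the editor is wanted for debugging, tie it to the secure-boot switch, `editor = mkDefault (!config.local.boot.secureBoot.enable);`, so hosts that enable secure boot get it off without a separate override. The enclosing `loader` expression continues outside the hunk.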
@@ -30,43 +34,43 @@ in
   };
 
   config = mkIf cfg.enable {
-    boot.initrd =
-      let
-        headerPath = "/initrd-boot/${cfg.headerFromBoot}";
-        headerPathEscaped = escapeShellArg headerPath;
-
-        tpmPath = escapeShellArg "/initrd-boot/${cfg.tpmStorageFromBoot}";
-        hardwareKeyPath = "/tpm/unsealed.luks-key";
-      in
-      {
-        preDeviceCommands = ''
-          mkdir -p `dirname ${headerPathEscaped}`
-          touch ${headerPathEscaped}
-        '';
-
-        postDeviceCommands = mkIf (!config.boot.initrd.systemd.enable) ''
-          # Set the system time from the hardware clock to work around a
-          # bug in qemu-kvm > 1.5.2 (where the VM clock is initialised
-          # to the *boot time* of the host).
-          hwclock -s
-        '';
-
-        #FIXME: Demasiado vulgar
-        preLVMCommands = optionalString (config.local.boot.efi.enable && config.local.boot.efi.removable) ''
-          sleep 2
-        '';
-
-        luks.devices.${cfg.target} = {
-          device = cfg.crypt;
-          header = headerPath;
-          preLVM = false;
-
-          keyFile = mkIf tpmInitrd hardwareKeyPath;
-          fallbackToPassword = tpmInitrd;
-
-          preOpenCommands = ''
+    boot.initrd = let
+      headerPath = "/initrd-boot/${cfg.headerFromBoot}";
+      headerPathEscaped = escapeShellArg headerPath;
+
+      tpmPath = escapeShellArg "/initrd-boot/${cfg.tpmStorageFromBoot}";
+      hardwareKeyPath = "/tpm/unsealed.luks-key";
+    in {
+      preDeviceCommands = ''
+        mkdir -p `dirname ${headerPathEscaped}`
+        touch ${headerPathEscaped}
+      '';
+
+      postDeviceCommands = mkIf (!config.boot.initrd.systemd.enable) ''
+        # Set the system time from the hardware clock to work around a
+        # bug in qemu-kvm > 1.5.2 (where the VM clock is initialised
+        # to the *boot time* of the host).
+        hwclock -s
+      '';
+
+      #FIXME: Demasiado vulgar
+      preLVMCommands = optionalString (config.local.boot.efi.enable && config.local.boot.efi.removable) ''
+        sleep 2
+      '';
+
+      luks.devices.${cfg.target} = {
+        device = cfg.crypt;
+        header = headerPath;
+        preLVM = false;
+
+        keyFile = mkIf tpmInitrd hardwareKeyPath;
+        fallbackToPassword = tpmInitrd;
+
+        preOpenCommands =
+          ''
             mount -o ro -t ${bootFs.fsType} ${bootFs.device} /initrd-boot
-          '' + optionalString tpmInitrd ''
+          ''
+          + optionalString tpmInitrd ''
             mkdir /tpm
             touch ${escapeShellArg hardwareKeyPath}
 
@@ -92,18 +96,19 @@ in
             unseal_tpm_key
           '';
 
-          postOpenCommands = mkBefore (''
+        postOpenCommands = mkBefore (''
             umount /initrd-boot
-          '' + optionalString tpmInitrd ''
+          ''
+          + optionalString tpmInitrd ''
             rm -r /tpm
           '');
-        };
       };
+    };
 
     local.boot = {
       stack = {
         btrfsToplevelMultidrive.toplevel.device = "/dev/mapper/${cfg.target}";
-        luksExt4FscryptImpermanence = { inherit (cfg) target; };
+        luksExt4FscryptImpermanence = {inherit (cfg) target;};
       };
 
       tpm.initrd.enable = mkDefault config.local.boot.tpm.enable;
diff --git a/sys/boot/efi.nix b/sys/boot/efi.nix
index cbcefd9..71c42c8 100644
--- a/sys/boot/efi.nix
+++ b/sys/boot/efi.nix
@@ -1,14 +1,17 @@
-{ config, lib, ... }:
+{
+  config,
+  lib,
+  ...
+}:
 with lib; let
   cfg = config.local.boot.efi;
-in
-{
+in {
   options.local.boot.efi = {
     enable = mkEnableOption "EFI with FAT32 system partition";
 
     esp = {
       mountpoint = mkOption {
-        type = types.enum [ "/boot" "/boot/efi" ];
+        type = types.enum ["/boot" "/boot/efi"];
         default = "/boot";
       };
 
@@ -24,7 +27,7 @@ in
 
   config = mkIf cfg.enable {
     boot = {
-      initrd.supportedFilesystems = [ "vfat" ];
+      initrd.supportedFilesystems = ["vfat"];
 
       loader = {
         efi = {
@@ -39,7 +42,7 @@ in
     fileSystems.${cfg.esp.mountpoint} = {
       device = "/dev/disk/by-uuid/${cfg.esp.uuid}";
       fsType = "vfat";
-      options = [ "noatime" "umask=027" "sync" ];
+      options = ["noatime" "umask=027" "sync"];
       neededForBoot = true;
     };
   };
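Review bot: In `preOpenCommands`, `mount -o ro -t ${bootFs.fsType} ${bootFs.device} /initrd-boot` interpolates `bootFs.device` unescaped while every other path in this let-block goes through `escapeShellArg`, and its exit status is ignored, so a failed mount presumably leaves cryptsetup reading the empty placeholder created by `touch ${headerPathEscaped}` and the real cause is lost. Consider `mount -o ro -t ${bootFs.fsType} ${escapeShellArg bootFs.device} /initrd-boot || fail`, where `fail` is the scripted stage-1 helper; the `mkIf (!config.boot.initrd.systemd.enable)` on `postDeviceCommands` suggests both initrd flavours are in play, so confirm the helper exists in whichever one this string ends up in. The `sleep 2` under `#FIXME: Demasiado vulgar` is the same race in another form; waiting on the device node (`waitDevice` in the scripted initrd, if available) instead of a fixed delay would make removable-ESP boots deterministic. Both `preOpenCommands` and `postOpenCommands` continue past the hunk edge.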
diff --git a/sys/boot/firmware.nix b/sys/boot/firmware.nix
index 70a3c4b..b3598a7 100644
--- a/sys/boot/firmware.nix
+++ b/sys/boot/firmware.nix
@@ -1,15 +1,19 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 with lib; let
   cfg = config.local.boot.firmware;
-in
-{
+in {
   options.local.boot.firmware = {
     mode = mkOption {
-      type = types.enum [ "none" "redistributable" "all" ];
+      type = types.enum ["none" "redistributable" "all"];
     };
 
     cpuVendor = mkOption {
-      type = types.enum [ "amd" "intel" ];
+      type = types.enum ["amd" "intel"];
     };
   };
 
diff --git a/sys/boot/fscrypt.nix b/sys/boot/fscrypt.nix
index e6a745c..459e02b 100644
--- a/sys/boot/fscrypt.nix
+++ b/sys/boot/fscrypt.nix
@@ -1,18 +1,25 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 with lib; let
   cfg = config.local.boot.fscrypt;
-in
-{
+in {
   options.local.boot.fscrypt = {
     enable = mkEnableOption "fscrypt support";
   };
 
   config = mkIf cfg.enable {
-    environment.systemPackages = [ pkgs.fscrypt-experimental ];
+    environment.systemPackages = [pkgs.fscrypt-experimental];
 
     local.boot.impermanence = {
       directories = [
-        { directory = "/.fscrypt"; mode = "u=rwx,g=rx,o=rx"; }
+        {
+          directory = "/.fscrypt";
+          mode = "u=rwx,g=rx,o=rx";
+        }
       ];
 
       files = [
diff --git a/sys/boot/impermanence.nix b/sys/boot/impermanence.nix
index 4902239..632094b 100644
--- a/sys/boot/impermanence.nix
+++ b/sys/boot/impermanence.nix
@@ -1,8 +1,11 @@
-{ config, lib, ... }:
+{
+  config,
+  lib,
+  ...
+}:
 with lib; let
   cfg = config.local.boot.impermanence;
-in
-{
+in {
   options.local.boot.impermanence = {
     enable = mkEnableOption "root fs impermanence";
 
@@ -10,12 +13,12 @@ in
 
     directories = mkOption {
       type = with lib.types; listOf (either str attrs);
-      default = [ ];
+      default = [];
     };
 
     files = mkOption {
       type = with lib.types; listOf (either str attrs);
-      default = [ ];
+      default = [];
     };
   };
 
diff --git a/sys/boot/namespaced.nix b/sys/boot/namespaced.nix
index db01d55..3f95960 100644
--- a/sys/boot/namespaced.nix
+++ b/sys/boot/namespaced.nix
@@ -1,8 +1,12 @@
-{ config, lib, options, ... }:
+{
+  config,
+  lib,
+  options,
+  ...
+}:
 with lib; let
   cfg = config.local.boot.namespaced;
-in
-{
+in {
   options.local.boot.namespaced = {
     enable = mkEnableOption "system containerization";
   };
@@ -11,15 +15,16 @@ in
     boot.isContainer = true;
 
     local.boot = mkMerge ([
-      {
-        loader = mkForce "none";
+        {
+          loader = mkForce "none";
 
-        efi.enable = mkForce false;
-        firmware.mode = mkForce "none";
-        secureBoot.enable = mkForce false;
-        impermanence.enable = mkForce false;
-      }
-    ] ++ map
+          efi.enable = mkForce false;
+          firmware.mode = mkForce "none";
+          secureBoot.enable = mkForce false;
+          impermanence.enable = mkForce false;
+        }
+      ]
+      ++ map
       (name: {
         stack.${name}.enable = mkForce false;
       })
diff --git a/sys/boot/secure-boot.nix b/sys/boot/secure-boot.nix
index 3e874c3..b13ab7c 100644
--- a/sys/boot/secure-boot.nix
+++ b/sys/boot/secure-boot.nix
@@ -1,4 +1,9 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 with lib; let
   cfg = config.local.boot.secureBoot;
 
@@ -6,8 +11,7 @@ with lib; let
     if cfg.legacyPath
     then "/etc/secureboot"
     else "/var/lib/sbctl";
-in
-{
+in {
   options.local.boot.secureBoot = {
     enable = mkEnableOption "secure boot";
 
@@ -42,6 +46,6 @@ in
       pkgs.sbctl
     ];
 
-    local.boot.impermanence.directories = [ pkiBundle ];
+    local.boot.impermanence.directories = [pkiBundle];
   };
 }
diff --git a/sys/boot/stack/btrfs-toplevel-multidrive.nix b/sys/boot/stack/btrfs-toplevel-multidrive.nix
index 1dbfa14..52db865 100644
--- a/sys/boot/stack/btrfs-toplevel-multidrive.nix
+++ b/sys/boot/stack/btrfs-toplevel-multidrive.nix
@@ -1,8 +1,11 @@
-{ config, lib, ... }:
+{
+  config,
+  lib,
+  ...
+}:
 with lib; let
   cfg = config.local.boot.stack.btrfsToplevelMultidrive;
-in
-{
+in {
   options.local.boot.stack.btrfsToplevelMultidrive = {
     enable = mkEnableOption "filesystem stack: persistent btrfs toplevel with optional hdd drive";
 
@@ -80,15 +83,17 @@ in
       };
     };
 
-    snapper = optionalAttrs cfg.toplevel.snapshot
+    snapper =
+      optionalAttrs cfg.toplevel.snapshot
       {
         root = "/";
-      } // optionalAttrs cfg.secondary.snapshot {
-      home = "/home";
-    };
+      }
+      // optionalAttrs cfg.secondary.snapshot {
+        home = "/home";
+      };
   };
 
   # Asegura que /hdd sea descifrado antes de intentar montar /home
-  fileSystems."/home".depends = [ "/hdd" ];
+  fileSystems."/home".depends = ["/hdd"];
 };
 }
diff --git a/sys/boot/stack/luks-ext4-fscrypt-impermanence.nix b/sys/boot/stack/luks-ext4-fscrypt-impermanence.nix
index 72336d6..81feb60 100644
--- a/sys/boot/stack/luks-ext4-fscrypt-impermanence.nix
+++ b/sys/boot/stack/luks-ext4-fscrypt-impermanence.nix
@@ -1,8 +1,12 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 with lib; let
   cfg = config.local.boot.stack.luksExt4FscryptImpermanence;
-in
-{
+in {
   options.local.boot.stack.luksExt4FscryptImpermanence = {
     enable = mkEnableOption "filesystem stack: whatever LUKS approach+ext4+impermanence with per-boot keys";
 
@@ -30,60 +34,58 @@ in
   # - /toplevel/boots/...
   # - /toplevel/boots/last -> 2000-01-01T00:00:00-06:00 (mounted as /)
   config = mkIf cfg.enable {
-    boot.initrd.luks.devices.${cfg.target}.postOpenCommands =
-      let
-        fscryptctl = "${pkgs.fscryptctl}/bin/fscryptctl";
-      in
-      ''
-        # FIXME: posiblemente algunos --make-* son innecesarios a partir de aquí
-        mkdir -p /mnt-root /mnt-toplevel
-        mount -o noatime /dev/mapper/${cfg.target} /mnt-toplevel
-        mount --make-private /mnt-toplevel
+    boot.initrd.luks.devices.${cfg.target}.postOpenCommands = let
+      fscryptctl = "${pkgs.fscryptctl}/bin/fscryptctl";
+    in ''
+      # FIXME: posiblemente algunos --make-* son innecesarios a partir de aquí
+      mkdir -p /mnt-root /mnt-toplevel
+      mount -o noatime /dev/mapper/${cfg.target} /mnt-toplevel
+      mount --make-private /mnt-toplevel
 
-        boot_stamp="$(date -Is)"
-        root_from_toplevel="/mnt-toplevel/boots/$boot_stamp"
+      boot_stamp="$(date -Is)"
+      root_from_toplevel="/mnt-toplevel/boots/$boot_stamp"
 
-        mkdir -p "$root_from_toplevel" /mnt-toplevel/boot-keys
-        chmod 700 /mnt-toplevel/boot-keys
+      mkdir -p "$root_from_toplevel" /mnt-toplevel/boot-keys
+      chmod 700 /mnt-toplevel/boot-keys
 
-        head -c64 /dev/urandom >/boot-key
-        key_id=$(${fscryptctl} add_key /mnt-toplevel </boot-key)
-        ${fscryptctl} set_policy "$key_id" "$root_from_toplevel"
-        (umask 077; test -f /mnt-toplevel/boot-archive.pub && \
-          ${pkgs.openssl}/bin/openssl pkeyutl -encrypt \
-            -in /boot-key -pubin -inkey /mnt-toplevel/boot-archive.pub \
-            -out "/mnt-toplevel/boot-keys/$boot_stamp.key.crypt")
-        rm -f /boot-key
+      head -c64 /dev/urandom >/boot-key
+      key_id=$(${fscryptctl} add_key /mnt-toplevel </boot-key)
+      ${fscryptctl} set_policy "$key_id" "$root_from_toplevel"
+      (umask 077; test -f /mnt-toplevel/boot-archive.pub && \
+        ${pkgs.openssl}/bin/openssl pkeyutl -encrypt \
+          -in /boot-key -pubin -inkey /mnt-toplevel/boot-archive.pub \
+          -out "/mnt-toplevel/boot-keys/$boot_stamp.key.crypt")
+      rm -f /boot-key
 
-        ln -Tsf "$boot_stamp"
/mnt-toplevel/boots/last
-        ln -Tsf "$boot_stamp.key.crypt" /mnt-toplevel/boot-keys/last.key.crypt
+      ln -Tsf "$boot_stamp" /mnt-toplevel/boots/last
+      ln -Tsf "$boot_stamp.key.crypt" /mnt-toplevel/boot-keys/last.key.crypt
 
-        mount --bind "$root_from_toplevel" /mnt-root
-        mount --make-shared /mnt-root
+      mount --bind "$root_from_toplevel" /mnt-root
+      mount --make-shared /mnt-root
 
-        # mount --move es mala idea, ya que "moving a mount residing under a
-        # shared mount is unsupported"
-        mkdir -p /mnt-root/toplevel
-        mount --bind /mnt-toplevel /mnt-root/toplevel
-        mount --make-private /mnt-root/toplevel
-        umount /mnt-toplevel
-      '';
+      # mount --move es mala idea, ya que "moving a mount residing under a
+      # shared mount is unsupported"
+      mkdir -p /mnt-root/toplevel
+      mount --bind /mnt-toplevel /mnt-root/toplevel
+      mount --make-private /mnt-root/toplevel
+      umount /mnt-toplevel
+    '';
 
     fileSystems = {
       "/" = {
         device = "none";
         fsType = "ext4";
-        options = [ "remount" ];
+        options = ["remount"];
       };
 
       "/nix" = {
         device = "/persist/nix";
-        options = [ "bind" ];
+        options = ["bind"];
       };
 
       "/persist" = {
         device = "/toplevel/persist";
-        options = [ "bind" ];
+        options = ["bind"];
         neededForBoot = true;
       };
     };
diff --git a/sys/boot/tpm.nix b/sys/boot/tpm.nix
index 0e29066..ecc115b 100644
--- a/sys/boot/tpm.nix
+++ b/sys/boot/tpm.nix
@@ -1,4 +1,9 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 with lib; let
   cfg = config.local.boot.tpm;
 
@@ -52,13 +57,12 @@ with lib; let
       openssl dgst -sha256 -sign /dev/stdin -out auth.sig auth.policy
     '';
   };
-in
-{
+in {
   options.local.boot.tpm = {
     enable = mkEnableOption "Trusted Platform Module 2.0";
 
     driver = mkOption {
-      type = types.enum [ "tis" "crb" ];
+      type = types.enum ["tis" "crb"];
     };
 
     initrd = {
@@ -81,7 +85,6 @@ in
         12 # kernel-config
         13 # sysexts
         14 # shim-policy
-
       ];
     };
   };
|
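Review bot: Neither `key_id=$(${fscryptctl} add_key /mnt-toplevel </boot-key)` nor the following `${fscryptctl} set_policy "$key_id" "$root_from_toplevel"` checks its result, so if either fails the script still bind-mounts `$root_from_toplevel` as the new root and the boot continues on an unencrypted per-boot directory, which is the opposite of what the fresh key is for. Appending `|| fail` to both lines (or `test -n "$key_id" || fail` after the first) turns that into a hard stop; `fail` is the scripted stage-1 helper, so adjust if this string ends up in a different initrd. Separately, `openssl pkeyutl -encrypt` against an RSA `boot-archive.pub` uses PKCS#1 v1.5 padding unless `-pkeyopt rsa_padding_mode:oaep` is passed; OAEP is the recommended mode when wrapping a key like this. The `postOpenCommands` string begins in the previous chunk of this hunk, so the `head -c64 /dev/urandom >/boot-key` line these checks protect is not visible here.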
