feat: securix flake cleanup for nixfleet integration #2
Open
abstracts33d wants to merge 31 commits into
Otherwise updates are not taken into account when deploying without a reboot.
Updated project title and added contribution guidelines.
There was a typo—it said “file,” but the licenses are actually in a folder. 🙂
Co-authored-by: Julien DAUPHANT (DINUM) <julien.dauphant@numerique.gouv.fr>
Co-authored-by: agrimault-dinum <alexandre.grimault.ext@numerique.gouv.fr>
Right now `upgrade test fix/my-branch` is accepted silently: the verb
gets picked up, the trailing argument is ignored, and the rebuild ends
up running on the default branch instead of the one that was asked for.
Check that the verb is one of switch/boot/test/dry-activate, and refuse
any extra positional argument (options like --branch have to come before
the verb). Also guard the "no verb" check with ${1:-} so it still works
under the set -u that writeShellApplication turns on.
Closes cloud-gouv#56
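The verb and trailing-argument checks this commit describes, written out as an added shell example (this is not the project's sx script; the function name, the --branch handling and the default branch name are assumptions):

```shell
#!/usr/bin/env bash
# Added example, not the project's code: argument validation for an
# `upgrade` subcommand as described in the commit message. The function
# name, the --branch option and the default branch "main" are assumptions.
set -u   # writeShellApplication turns this on; ${1:-} keeps the checks safe

# validate_upgrade_args [--branch NAME] VERB
# Prints "ok <branch> <verb>" on success, returns 2 on any usage error.
validate_upgrade_args() {
  local branch="main"
  # Options must come before the verb; stop at the first non-option word.
  while [ -n "${1:-}" ]; do
    case "$1" in
      --branch)
        [ -n "${2:-}" ] || { echo "error: --branch needs a value" >&2; return 2; }
        branch="$2"; shift 2 ;;
      --branch=*) branch="${1#--branch=}"; shift ;;
      -*) echo "error: unknown option '$1'" >&2; return 2 ;;
      *) break ;;
    esac
  done
  # Guarded with ${1:-} so "no verb" does not trip set -u.
  local verb="${1:-}"
  if [ -z "$verb" ]; then
    echo "error: missing verb (switch|boot|test|dry-activate)" >&2
    return 2
  fi
  case "$verb" in
    switch|boot|test|dry-activate) ;;
    *) echo "error: unknown verb '$verb'" >&2; return 2 ;;
  esac
  shift
  # Refuse anything after the verb instead of silently ignoring it.
  if [ "$#" -ne 0 ]; then
    echo "error: unexpected argument(s) after verb: $*" >&2
    return 2
  fi
  echo "ok $branch $verb"
}
```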
Add a default value for 'REPO_PATH' in permissionless-upgrade.nix
Adds a flake.nix that re-uses Sécurix's existing default.nix entry
point, so npins-based consumers keep working unchanged. Flake inputs
override npins where present; npins remains the fallback for any
source the flake doesn't provide (e.g. git-hooks).
Outputs exposed to flake consumers:
- nixosModules.securix-base — composes lanzaboote, agenix, disko, and ./modules into a single import. Consumers import one module and get the full ANSSI-hardened base.
- nixosModules.securix-hardware.<sku> — per-SKU hardware profiles (x280, t14g6, latitude5340, elitebook645g11/850g8, x9-15, e14-g7).
- nixosModules.securix-hardware-all — aggregate of all SKUs.
- overlays.default — Sécurix package overlay.
- lib.forSystem — system-indexed Sécurix lib.
- packages.<system>.shell — sx CLI shell.
- devShells.<system>.default — Sécurix dev shell.
- legacyPackages.<system>.sx — full Sécurix toolkit.
flake.lock pins nixpkgs (nixos-unstable), lanzaboote, agenix, disko,
nixos-hardware, flake-utils. REUSE/SPDX headers added so `reuse lint`
passes on the new files.
Non-flake consumers (the existing npins / nixos-rebuild flow) are
unaffected — flake.nix is purely additive.
Three small changes to let external flake-based deployers consume
nixosModules.securix-base directly, without going through
lib.mkTerminal:
1. modules/bootloader.nix
- boot.loader.systemd-boot.enable: lib.mkForce false → lib.mkDefault false
- boot.lanzaboote.enable: true → lib.mkDefault true
The original mkForce was over-defensive: it blocked legitimate
consumer overrides (VM tests, hardware without UEFI Secure Boot,
virtualized labs, KVM/Qubes-style scenarios). Real-hardware
deployments default to the same posture as before — lanzaboote on,
systemd-boot off. Weakening secure boot now requires an explicit
opt-out at the consumer's call site, which is auditable.
2. modules/module-args-defaults.nix (new)
Sets lib.mkDefault {} for _module.args.operators and
_module.args.vpnProfiles. These are normally injected by
lib.mkTerminal; without defaults, consumers composing modules
directly hit eval errors before they can supply their own values.
3. modules/default.nix imports module-args-defaults so the defaults
are always present. Consumers' own operators/vpnProfiles still
override via standard mkDefault precedence.
Net effect: nixosModules.securix-base composes cleanly under any
flake-based deployer. Hardened defaults are unchanged for
real-hardware deployments; weakening posture requires an explicit
opt-out at the call site.
a2f856e to 0f6d83c
Summary
- securix-base — consumers no longer need to import the dependencies separately
- mkForce/unconditional values replaced by mkDefault for the bootloader — consumers can override cleanly
- operators/vpnProfiles — no more need for the _module.args hack for external consumers
How to test
- nix-instantiate --parse flake.nix passes
- nix-instantiate --parse modules/bootloader.nix passes
- consumers going through mkTerminal are not affected (mkDefault < mkTerminal priority)