From 8e7b9456f5e1d8ff9fcbc839763472f4d6b3df53 Mon Sep 17 00:00:00 2001 From: "Lennart J. Kurzweg (Nx2)" Date: Thu, 2 May 2024 00:10:49 +0200 Subject: [PATCH] lanzabote --- flake.lock | 241 +++++++++++++++++++++++++++++++++++++++- flake.nix | 5 +- system-modules/boot.nix | 47 ++++---- 3 files changed, 269 insertions(+), 24 deletions(-) diff --git a/flake.lock b/flake.lock index ff9f0fa..b3bd7ec 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,115 @@ { "nodes": { + "crane": { + "inputs": { + "flake-compat": [ + "lanzaboote", + "flake-compat" + ], + "flake-utils": [ + "lanzaboote", + "flake-utils" + ], + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ], + "rust-overlay": [ + "lanzaboote", + "rust-overlay" + ] + }, + "locked": { + "lastModified": 1681177078, + "narHash": "sha256-ZNIjBDou2GOabcpctiQykEQVkI8BDwk7TyvlWlI4myE=", + "owner": "ipetkov", + "repo": "crane", + "rev": "0c9f468ff00576577d83f5019a66c557ede5acf6", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1680392223, + "narHash": "sha256-n3g7QFr85lDODKt250rkZj2IFS3i4/8HBU2yKHO3tqw=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "dcc36e45d054d7bb554c9cdab69093debd91a0b5", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-utils": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1681202837, + "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "cfacdce06f30d2b68473a46042957675eebb3401", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "pre-commit-hooks-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1660459072, + "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ @@ -175,6 +285,31 @@ "type": "github" } }, + "lanzaboote": { + "inputs": { + "crane": "crane", + "flake-compat": "flake-compat", + "flake-parts": "flake-parts", + "flake-utils": "flake-utils", + "nixpkgs": "nixpkgs_2", + "pre-commit-hooks-nix": "pre-commit-hooks-nix", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1682802423, + "narHash": "sha256-Fb5TeRTdvUlo/5Yi2d+FC8a6KoRLk2h1VE0/peMhWPs=", + "owner": "nix-community", + "repo": "lanzaboote", + "rev": "64b903ca87d18cef2752c19c098af275c6e51d63", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "v0.3.0", + "repo": "lanzaboote", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1714076141, @@ -191,6 +326,22 @@ "type": "github" } }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1678872516, + "narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "9b8e5abb18324c7fe9f07cb100c3cd4a29cda8b8", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-22.11", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs-unstable": { "locked": { "lastModified": 1714076141, @@ -207,6 +358,22 @@ } }, "nixpkgs_2": { + "locked": { + "lastModified": 1714556388, + "narHash": "sha256-Mxp8hX2gH30HoIQ+INvWY5P0sKBli8BmiGzZcKVD6co=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "c10b1bb002e7414ecf7c9d9e5f7ebaeaeae32c92", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable-small", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { "locked": { "lastModified": 1713995372, "narHash": "sha256-fFE3M0vCoiSwCX02z8VF58jXFRj9enYUSTqjyHAjrds=", @@ -221,15 +388,72 @@ "type": "indirect" } }, + "pre-commit-hooks-nix": { + "inputs": { + "flake-compat": [ + "lanzaboote", + "flake-compat" + ], + "flake-utils": [ + "lanzaboote", + "flake-utils" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1681413034, + "narHash": "sha256-/t7OjNQcNkeWeSq/CFLYVBfm+IEnkjoSm9iKvArnUUI=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "d3de8f69ca88fb6f8b09e5b598be5ac98d28ede5", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "root": { "inputs": { "home-manager": "home-manager", "hyprland": "hyprland", "hyprland-plugins": "hyprland-plugins", - "nixpkgs": "nixpkgs_2", + "lanzaboote": "lanzaboote", + "nixpkgs": "nixpkgs_3", "nixpkgs-unstable": "nixpkgs-unstable" } }, + "rust-overlay": { + "inputs": { + "flake-utils": [ + "lanzaboote", + "flake-utils" + ], + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1682129965, + "narHash": "sha256-1KRPIorEL6pLpJR04FwAqqnt4Tzcm4MqD84yhlD+XSk=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "2c417c0460b788328220120c698630947547ee83", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "systems": { "locked": { "lastModified": 1689347949, @@ -245,6 +469,21 @@ "type": "github" } }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "wlroots": { "flake": false, "locked": { diff --git a/flake.nix b/flake.nix index 9dc2595..f31232f 100644 --- a/flake.nix +++ b/flake.nix @@ -26,7 +26,10 @@ # url = "github:nix-community/nixvim/nixos-23.11"; # inputs.nixpkgs.follows = "nixpkgs"; # }; - + lanzaboote = { + url = "github:nix-community/lanzaboote/v0.3.0"; + # inputs.nixpkgs.follows = "nixpkgs-unstable"; + }; }; outputs = { self, nixpkgs, nixpkgs-unstable, home-manager, ... }@inputs: diff --git a/system-modules/boot.nix b/system-modules/boot.nix index 8397542..3322798 100644 --- a/system-modules/boot.nix +++ b/system-modules/boot.nix @@ -9,6 +9,11 @@ }); in { + imports = [ + inputs.lanzaboote.nixosModules.lanzaboote + ]; + + config = if host == "NxXPS" then { boot.loader.efi.canTouchEfiVariables = true; boot.loader.grub = { @@ -34,32 +39,30 @@ ''; }; } else { - boot.loader = { - systemd-boot = { - enable = true; - configurationLimit = 10; - }; - timeout = 30; - }; + # boot.loader = { + # systemd-boot = { + # enable = true; + # configurationLimit = 10; + # }; + # timeout = 30; + # }; # I have to boot with secureboot becasue of the chineese spyware called Vanguard - # imports = [ - # inputs.lanzaboote.nixosModules.lanzaboote - # ]; - # environment.systemPackages = with pkgs; [ - # sbctl - # ]; - # boot = { - # lanzaboote = { - # enable = true; - # pkiBundle = "/etc/secureboot"; - # }; - # # we let lanzaboote install systemd-boot - # loader.systemd-boot.enable = false; - # }; + environment.systemPackages = with pkgs; [ + sbctl + ]; + boot = { + lanzaboote = { + enable = true; + pkiBundle = "/etc/secureboot"; + }; + + # we let lanzaboote install systemd-boot + loader.systemd-boot.enable = false; + }; }; -} \ No newline at end of file +}