From b340e16eddeb72914cba5d78a2271685fac4131a Mon Sep 17 00:00:00 2001
From: Christoph Urlacher
Date: Sat, 16 Aug 2025 11:50:39 +0200
Subject: [PATCH] System/Nixinator: Enable lanzaboote + secure boot
---
 flake.lock | 179 +++++++++++++++++++++++++++++++++--
 flake.nix | 12 ++-
 system/default.nix | 9 +-
 system/nixinator/default.nix | 6 ++
 4 files changed, 193 insertions(+), 13 deletions(-)
diff --git a/flake.lock b/flake.lock
index e6845f59..0ddc8043 100644
--- a/flake.lock
+++ b/flake.lock
@@ -33,6 +33,21 @@
 "type": "github"
 }
 },
+ "crane": {
+ "locked": {
+ "lastModified": 1731098351,
+ "narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=",
+ "owner": "ipetkov",
+ "repo": "crane",
+ "rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28",
+ "type": "github"
+ },
+ "original": {
+ "owner": "ipetkov",
+ "repo": "crane",
+ "type": "github"
+ }
+ },
 "devshell": {
 "inputs": {
 "nixpkgs": "nixpkgs"
@@ -89,6 +104,22 @@
 }
 },
 "flake-compat_2": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1696426674,
+ "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+ "type": "github"
+ },
+ "original": {
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "type": "github"
+ }
+ },
+ "flake-compat_3": {
 "locked": {
 "lastModified": 1747046372,
 "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
@@ -103,7 +134,7 @@
 "type": "github"
 }
 },
- "flake-compat_3": {
+ "flake-compat_4": {
 "locked": {
 "lastModified": 1696426674,
 "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
@@ -118,6 +149,27 @@
 }
 },
 "flake-parts": {
+ "inputs": {
+ "nixpkgs-lib": [
+ "lanzaboote",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1730504689,
+ "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "rev": "506278e768c2a08bec68eb62932193e341f55c90",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "type": "github"
+ }
+ },
+ "flake-parts_2": {
 "inputs": {
 "nixpkgs-lib": [
 "nixvim",
@@ -138,7 +190,7 @@
 "type": "github"
 }
 },
- "flake-parts_2": {
+ "flake-parts_3": {
 "inputs": {
 "nixpkgs-lib": [
 "nur",
@@ -214,6 +266,28 @@
 "type": "github"
 }
 },
+ "gitignore_2": {
+ "inputs": {
+ "nixpkgs": [
+ "lanzaboote",
+ "pre-commit-hooks-nix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1709087332,
+ "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+ "owner": "hercules-ci",
+ "repo": "gitignore.nix",
+ "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "gitignore.nix",
+ "type": "github"
+ }
+ },
 "hardware": {
 "locked": {
 "lastModified": 1753122741,
@@ -625,6 +699,32 @@
 "type": "github"
 }
 },
+ "lanzaboote": {
+ "inputs": {
+ "crane": "crane",
+ "flake-compat": "flake-compat_2",
+ "flake-parts": "flake-parts",
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "pre-commit-hooks-nix": "pre-commit-hooks-nix",
+ "rust-overlay": "rust-overlay"
+ },
+ "locked": {
+ "lastModified": 1737639419,
+ "narHash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU=",
+ "owner": "nix-community",
+ "repo": "lanzaboote",
+ "rev": "a65905a09e2c43ff63be8c0e86a93712361f871e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "ref": "v0.4.2",
+ "repo": "lanzaboote",
+ "type": "github"
+ }
+ },
 "naersk": {
 "inputs": {
 "nixpkgs": "nixpkgs_4"
@@ -645,7 +745,7 @@
 },
 "nix-alien": {
 "inputs": {
- "flake-compat": "flake-compat_2",
+ "flake-compat": "flake-compat_3",
 "nix-index-database": "nix-index-database",
 "nixpkgs": "nixpkgs_2"
 },
@@ -717,6 +817,22 @@
 }
 },
 "nixpkgs-stable": {
+ "locked": {
+ "lastModified": 1730741070,
+ "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-24.05",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs-stable_2": {
 "locked": {
 "lastModified": 1753115646,
 "narHash": "sha256-yLuz5cz5Z+sn8DRAfNkrd2Z1cV6DaYO9JMrEz4KZo/c=",
@@ -779,7 +895,7 @@
 },
 "nixvim": {
 "inputs": {
- "flake-parts": "flake-parts",
+ "flake-parts": "flake-parts_2",
 "nixpkgs": [
 "nixpkgs"
 ],
@@ -802,7 +918,7 @@
 },
 "nps": {
 "inputs": {
- "flake-compat": "flake-compat_3",
+ "flake-compat": "flake-compat_4",
 "flake-utils": "flake-utils_2",
 "naersk": "naersk",
 "nixpkgs": [
@@ -825,7 +941,7 @@
 },
 "nur": {
 "inputs": {
- "flake-parts": "flake-parts_2",
+ "flake-parts": "flake-parts_3",
 "nixpkgs": [
 "nixpkgs"
 ]
@@ -905,6 +1021,33 @@
 "type": "github"
 }
 },
+ "pre-commit-hooks-nix": {
+ "inputs": {
+ "flake-compat": [
+ "lanzaboote",
+ "flake-compat"
+ ],
+ "gitignore": "gitignore_2",
+ "nixpkgs": [
+ "lanzaboote",
+ "nixpkgs"
+ ],
+ "nixpkgs-stable": "nixpkgs-stable"
+ },
+ "locked": {
+ "lastModified": 1731363552,
+ "narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=",
+ "owner": "cachix",
+ "repo": "pre-commit-hooks.nix",
+ "rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0",
+ "type": "github"
+ },
+ "original": {
+ "owner": "cachix",
+ "repo": "pre-commit-hooks.nix",
+ "type": "github"
+ }
+ },
 "root": {
 "inputs": {
 "devshell": "devshell",
@@ -916,10 +1059,11 @@
 "hyprland-plugins": "hyprland-plugins",
 "hyprspace": "hyprspace",
 "impermanence": "impermanence",
+ "lanzaboote": "lanzaboote",
 "nix-alien": "nix-alien",
 "nix-flatpak": "nix-flatpak",
 "nixpkgs": "nixpkgs_3",
- "nixpkgs-stable": "nixpkgs-stable",
+ "nixpkgs-stable": "nixpkgs-stable_2",
 "nixvim": "nixvim",
 "nps": "nps",
 "nur": "nur",
@@ -927,6 +1071,27 @@
 "textfox": "textfox"
 }
 },
+ "rust-overlay": {
+ "inputs": {
+ "nixpkgs": [
+ "lanzaboote",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1731897198,
+ "narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=",
+ "owner": "oxalica",
+ "repo": "rust-overlay",
+ "rev": "0be641045af6d8666c11c2c40e45ffc9667839b5",
+ "type": "github"
+ },
+ "original": {
+ "owner": "oxalica",
+ "repo": "rust-overlay",
+ "type": "github"
+ }
+ },
 "sops-nix": {
 "inputs": {
 "nixpkgs": [
diff --git a/flake.nix b/flake.nix
index de65fda9..2c895b1d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -31,6 +31,10 @@
 sops-nix.url = "github:Mic92/sops-nix";
 sops-nix.inputs.nixpkgs.follows = "nixpkgs";
 
+ # Secure boot
+ lanzaboote.url = "github:nix-community/lanzaboote/v0.4.2";
+ lanzaboote.inputs.nixpkgs.follows = "nixpkgs";
+
 # Nix User Repository (e.g. Firefox addons)
 nur.url = "github:nix-community/NUR";
 nur.inputs.nixpkgs.follows = "nixpkgs";
@@ -161,8 +165,6 @@
 # HM modules are passed through home/modules/default.nix instead.
 commonModules = [
 inputs.sops-nix.nixosModules.sops
- inputs.disko.nixosModules.disko
- inputs.impermanence.nixosModules.impermanence
 ];
 in {
 # Local shell for NixFlake directory
@@ -188,7 +190,11 @@
 username = "christoph";
 headless = false;
 extraModules =
- []
+ [
+ inputs.disko.nixosModules.disko
+ inputs.impermanence.nixosModules.impermanence
+ inputs.lanzaboote.nixosModules.lanzaboote
+ ]
 ++ commonModules;
 };
 nixtop = mylib.nixos.mkNixosConfigWithHomeManagerModule {
diff --git a/system/default.nix b/system/default.nix
index 1cf60022..74e69964 100644
--- a/system/default.nix
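Review bot: The `@@ -161,8 +165,6 @@` hunk removes `inputs.disko.nixosModules.disko` and `inputs.impermanence.nixosModules.impermanence` from `commonModules`, and the `@@ -188,7 +190,11 @@` hunk re-adds them only to nixinator's `extraModules`, so every other host built from `commonModules` (nixtop follows immediately below) silently loses both modules. If any of those hosts sets `impermanence.enable` or disko options, evaluation will now fail on an unknown option, or the persistence setup quietly stops applying; the commit title mentions only lanzaboote, so this looks unintended. Unless the other hosts genuinely no longer need disko/impermanence, keep both in `commonModules` and add only `inputs.lanzaboote.nixosModules.lanzaboote` to nixinator, or state the reason for the move in a comment above `commonModules`. The `commonModules` binding and the nixtop definition continue outside these hunks.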
+++ b/system/default.nix
@@ -26,9 +26,12 @@ with mylib.networking; {
 enable = true;
 loader =
- if headless
- then "grub"
- else "systemd-boot";
+ lib.mkDefault
+ (
+ if headless
+ then "grub"
+ else "systemd-boot"
+ );
 systemd-boot.bootDevice = "/boot";
 grub.bootDevice = "/dev/sda";
 };
diff --git a/system/nixinator/default.nix b/system/nixinator/default.nix
index 84273b36..27b4ce17 100644
--- a/system/nixinator/default.nix
+++ b/system/nixinator/default.nix
@@ -1,4 +1,5 @@
 {
+ lib,
 mylib,
 pkgs,
 username,
@@ -14,6 +15,11 @@
 ];
 
 modules = {
+ bootloader = {
+ # Secure boot
+ loader = "lanzaboote";
+ };
+
 impermanence.enable = true;
 
 network = {
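Review bot: The new `lib.mkDefault` call in the `@@ -26,9 +26,12 @@` hunk needs `lib` in this module's argument set, which sits above the hunk and is not visible here; if it is missing, evaluation fails with an undefined-variable error (the same commit does add `lib,` to system/nixinator/default.nix, so check this file got the same treatment). `mkDefault` assigns priority 1000, so a host-level plain `loader = "lanzaboote";` now wins without needing `mkForce`, which is the intended effect but not obvious at a glance. A one-line comment above it would save the next reader a lookup: `# mkDefault so a host can override the loader (e.g. lanzaboote)`. The enclosing attribute set starts outside the hunk.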
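Review bot: `loader = "lanzaboote";` in the `@@ -14,6 +15,11 @@` hunk enables signed boot on a host that also has `impermanence.enable = true;`, yet nothing in this commit shows where the Secure Boot signing keys are expected or that their directory is in the persisted set; if the path behind `boot.lanzaboote.pkiBundle` is on the wiped root, the next rebuild after a reboot can no longer sign the boot entries. Presumably the mylib `bootloader` module sets `pkiBundle` — worth confirming, and worth recording here so the persistence requirement is visible: `# Secure boot: signing keys live under <pkiBundle path> and must be persisted`. The `@@ -1,4 +1,5 @@` hunk adds `lib,` to the argument set, but neither visible hunk uses it; drop it unless it is referenced elsewhere in the file.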