diff --git a/flake.lock b/flake.lock index baa720d..75b372e 100644 --- a/flake.lock +++ b/flake.lock @@ -97,6 +97,21 @@ "url": "https://codeberg.org/LGFae/awww" } }, + "crane": { + "locked": { + "lastModified": 1765145449, + "narHash": "sha256-aBVHGWWRzSpfL++LubA0CwOOQ64WNLegrYHwsVuVN7A=", + "owner": "ipetkov", + "repo": "crane", + "rev": "69f538cdce5955fcd47abfed4395dc6d5194c1c5", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, "deploy-rs": { "inputs": { "flake-compat": "flake-compat_2", @@ -186,6 +201,22 @@ } }, "flake-compat_4": { + "flake": false, + "locked": { + "lastModified": 1761588595, + "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_5": { "locked": { "lastModified": 1733328505, "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", @@ -199,7 +230,7 @@ "url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz" } }, - "flake-compat_5": { + "flake-compat_6": { "flake": false, "locked": { "lastModified": 1767039857, @@ -349,6 +380,28 @@ "type": "github" } }, + "gitignore_2": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "pre-commit", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, "harfbuzz": { "flake": false, "locked": { 
@@ -779,6 +832,28 @@ "type": "github" } }, + "lanzaboote": { + "inputs": { + "crane": "crane", + "nixpkgs": "nixpkgs_6", + "pre-commit": "pre-commit", + "rust-overlay": "rust-overlay_3" + }, + "locked": { + "lastModified": 1765382359, + "narHash": "sha256-RJmgVDzjRI18BWVogG6wpsl1UCuV6ui8qr4DJ1LfWZ8=", + "owner": "nix-community", + "repo": "lanzaboote", + "rev": "e8c096ade12ec9130ff931b0f0e25d2f1bc63607", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "v1.0.0", + "repo": "lanzaboote", + "type": "github" + } + }, "libpng": { "flake": false, "locked": { @@ -820,9 +895,9 @@ }, "nixcord": { "inputs": { - "flake-compat": "flake-compat_4", + "flake-compat": "flake-compat_5", "flake-parts": "flake-parts_3", - "nixpkgs": "nixpkgs_6", + "nixpkgs": "nixpkgs_7", "nixpkgs-nixcord": "nixpkgs-nixcord" }, "locked": { @@ -934,6 +1009,22 @@ } }, "nixpkgs_10": { + "locked": { + "lastModified": 1777918403, + "narHash": "sha256-7QiZv0LcW1yIOLo2LNuCQjWon1Z1r99FwK24hbtBOF4=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "afc5551119aae6eab73a95c1960891cfe63204f6", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_11": { "locked": { "lastModified": 1770107345, "narHash": "sha256-tbS0Ebx2PiA1FRW8mt8oejR0qMXmziJmPaU1d4kYY9g=", @@ -1014,6 +1105,22 @@ } }, "nixpkgs_6": { + "locked": { + "lastModified": 1764950072, + "narHash": "sha256-BmPWzogsG2GsXZtlT+MTcAWeDK5hkbGRZTeZNW42fwA=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "f61125a668a320878494449750330ca58b78c557", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_7": { "locked": { "lastModified": 1777428379, "narHash": "sha256-ypxFOeDz+CqADEQNL72haqGjvZQdBR5Vc7pyx2JDttI=", 
@@ -1029,7 +1136,7 @@ "type": "github" } }, - "nixpkgs_7": { + "nixpkgs_8": { "locked": { "lastModified": 1777578337, "narHash": "sha256-Ad49moKWeXtKBJNy2ebiTQUEgdLyvGmTeykAQ9xM+Z4=", @@ -1045,7 +1152,7 @@ "type": "github" } }, - "nixpkgs_8": { + "nixpkgs_9": { "locked": { "lastModified": 1777954456, "narHash": "sha256-hGdgeU2Nk87RAuZyYjyDjFL6LK7dAZN5RE9+hrDTkDU=", @@ -1061,26 +1168,10 @@ "type": "github" } }, - "nixpkgs_9": { - "locked": { - "lastModified": 1777918403, - "narHash": "sha256-7QiZv0LcW1yIOLo2LNuCQjWon1Z1r99FwK24hbtBOF4=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "afc5551119aae6eab73a95c1960891cfe63204f6", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, "nur": { "inputs": { "flake-parts": "flake-parts_4", - "nixpkgs": "nixpkgs_8" + "nixpkgs": "nixpkgs_9" }, "locked": { "lastModified": 1778156530, @@ -1096,6 +1187,29 @@ "type": "github" } }, + "pre-commit": { + "inputs": { + "flake-compat": "flake-compat_4", + "gitignore": "gitignore_2", + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1765016596, + "narHash": "sha256-rhSqPNxDVow7OQKi4qS5H8Au0P4S3AYbawBSmJNUtBQ=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "548fc44fca28a5e81c5d6b846e555e6b9c2a5a3c", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "pre-commit-hooks": { "inputs": { "flake-compat": "flake-compat_3", @@ -1130,10 +1244,11 @@ "impermanence": "impermanence", "import-tree": "import-tree", "lan-mouse": "lan-mouse", + "lanzaboote": "lanzaboote", "mango": "mango", "nixcord": "nixcord", "nixos-hardware": "nixos-hardware", - "nixpkgs": "nixpkgs_7", + "nixpkgs": "nixpkgs_8", "nixpkgs-stable": "nixpkgs-stable", "nur": "nur", "sops-nix": "sops-nix", 
@@ -1187,6 +1302,27 @@ } }, "rust-overlay_3": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1765075567, + "narHash": "sha256-KFDCdQcHJ0hE3Nt5Gm5enRIhmtEifAjpxgUQ3mzSJpA=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "769156779b41e8787a46ca3d7d76443aaf68be6f", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, + "rust-overlay_4": { "inputs": { "nixpkgs": [ "wezterm-flake", @@ -1230,7 +1366,7 @@ }, "sops-nix": { "inputs": { - "nixpkgs": "nixpkgs_9" + "nixpkgs": "nixpkgs_10" }, "locked": { "lastModified": 1777944972, @@ -1349,7 +1485,7 @@ }, "treefmt-nix": { "inputs": { - "nixpkgs": "nixpkgs_10" + "nixpkgs": "nixpkgs_11" }, "locked": { "lastModified": 1775636079, @@ -1410,7 +1546,7 @@ }, "vicinae-extensions": { "inputs": { - "flake-compat": "flake-compat_5", + "flake-compat": "flake-compat_6", "nixpkgs": [ "nixpkgs" ], @@ -1440,7 +1576,7 @@ "nixpkgs": [ "nixpkgs" ], - "rust-overlay": "rust-overlay_3", + "rust-overlay": "rust-overlay_4", "zlib": "zlib" }, "locked": { 
diff --git a/flake.nix b/flake.nix
index 8e60bb2..3bd1765 100644
--- a/flake.nix
+++ b/flake.nix
@@ -57,5 +57,6 @@
 awww.url = "git+https://codeberg.org/LGFae/awww";
 nixcord.url = "github:kaylorben/nixcord";
 nur.url = "github:nix-community/nur";
+ lanzaboote.url = "github:nix-community/lanzaboote/v1.0.0";
 };
 }
diff --git a/modules/hosts/sirius/config.nix b/modules/hosts/sirius/config.nix
index fc7ae3a..fdf87a0 100644
--- a/modules/hosts/sirius/config.nix
+++ b/modules/hosts/sirius/config.nix
@@ -10,12 +10,14 @@ { imports = with config.flake.modules.nixos; [ + boot networking desktop virtualisation ]; tnix = { + boot.secure-boot.enable = true; services.openssh.enable = true; virtualisation = {
@@ -52,7 +54,6 @@
 # --- Boot ---
 boot = {
 loader = {
- systemd-boot.enable = true;
 efi.canTouchEfiVariables = true;
 };
 kernelPackages = pkgs.linuxKernel.packages.linux_zen;
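Review bot: Dropping `systemd-boot.enable = true;` from the host's loader block means this file no longer enables any bootloader itself, so if `tnix.boot.secure-boot.enable` is ever switched off for sirius the host is left relying on whatever NixOS picks by default rather than an explicit loader choice. Since the new secure-boot module already sets `boot.loader.systemd-boot.enable = lib.mkForce false;` while it is enabled, keeping `systemd-boot.enable = true;` here is harmless when secure boot is on and gives an explicit, working fallback when it is off. The `boot = { ... }` attribute set continues past the end of the hunk.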
diff --git a/modules/nixos/boot/secure-boot.nix b/modules/nixos/boot/secure-boot.nix
new file mode 100644
index 0000000..dc7fded
--- /dev/null
+++ b/modules/nixos/boot/secure-boot.nix
@@ -0,0 +1,34 @@
+{ inputs, ... }:
+{
+ flake.modules.nixos.boot =
+ {
+ config,
+ lib,
+ pkgs,
+ ...
+ }:
+ let
+ cfg = config.tnix.boot;
+ in
+ {
+ imports = [ inputs.lanzaboote.nixosModules.lanzaboote ];
+
+ options.tnix.boot.secure-boot = {
+ enable = lib.mkEnableOption "Enable secure-boot";
+ };
+
+ config = lib.mkIf cfg.secure-boot.enable {
+ environment.systemPackages = [
+ pkgs.sbctl
+ ];
+
+ # Lanzaboote currently replaces the systemd-boot module.
+ boot.loader.systemd-boot.enable = lib.mkForce false;
+
+ boot.lanzaboote = {
+ enable = true;
+ pkiBundle = "/var/lib/sbctl";
+ };
+ };
+ };
+}
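Review bot: `pkiBundle = "/var/lib/sbctl";` points lanzaboote at the Secure Boot signing keys, but nothing in the module documents that the key bundle must already exist at that path before the first rebuild with the option enabled, so the option reads as a plain toggle when it is really a prerequisite that should fail the signing step if unmet. Suggest a comment directly above that line: `# Signing keys (sbctl create-keys) must already exist here before enabling; on hosts with an ephemeral root this directory has to be persisted or signing breaks after reboot.` The flake's inputs include impermanence, so if sirius uses it, `/var/lib/sbctl` presumably needs to be among the persisted paths — worth confirming. Separately, `lib.mkEnableOption` prefixes its argument with "Whether to enable", so `"Enable secure-boot"` renders as "Whether to enable Enable secure-boot."; `enable = lib.mkEnableOption "Secure Boot signing via lanzaboote";` reads correctly.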