tux/nix-config
1
0
Fork 0
mirror of https://github.com/tuxdotrs/nix-config.git synced 2026-06-17 02:06:32 +05:30
Code Issues Actions Packages Projects Releases Wiki Activity

feat: setup secure-boot

Browse Source
This commit is contained in:
tux
2026-05-08 05:09:38 +05:30
parent 718ee760cd
commit 3efd212f04
4 changed files with 200 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

190
flake.lock generated
View File

@@ -97,6 +97,21 @@
"url": "https://codeberg.org/LGFae/awww" "url": "https://codeberg.org/LGFae/awww"
} }
}, },
"crane": {
"locked": {
"lastModified": 1765145449,
"narHash": "sha256-aBVHGWWRzSpfL++LubA0CwOOQ64WNLegrYHwsVuVN7A=",
"owner": "ipetkov",
"repo": "crane",
"rev": "69f538cdce5955fcd47abfed4395dc6d5194c1c5",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"deploy-rs": { "deploy-rs": {
"inputs": { "inputs": {
"flake-compat": "flake-compat_2", "flake-compat": "flake-compat_2",
@@ -186,6 +201,22 @@
} }
}, },
"flake-compat_4": { "flake-compat_4": {
"flake": false,
"locked": {
"lastModified": 1761588595,
"narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_5": {
"locked": { "locked": {
"lastModified": 1733328505, "lastModified": 1733328505,
"narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
@@ -199,7 +230,7 @@
"url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz" "url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz"
} }
}, },
"flake-compat_5": { "flake-compat_6": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1767039857, "lastModified": 1767039857,
@@ -349,6 +380,28 @@
"type": "github" "type": "github"
} }
}, },
"gitignore_2": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"pre-commit",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"harfbuzz": { "harfbuzz": {
"flake": false, "flake": false,
"locked": { "locked": {
@@ -779,6 +832,28 @@
"type": "github" "type": "github"
} }
}, },
"lanzaboote": {
"inputs": {
"crane": "crane",
"nixpkgs": "nixpkgs_6",
"pre-commit": "pre-commit",
"rust-overlay": "rust-overlay_3"
},
"locked": {
"lastModified": 1765382359,
"narHash": "sha256-RJmgVDzjRI18BWVogG6wpsl1UCuV6ui8qr4DJ1LfWZ8=",
"owner": "nix-community",
"repo": "lanzaboote",
"rev": "e8c096ade12ec9130ff931b0f0e25d2f1bc63607",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "v1.0.0",
"repo": "lanzaboote",
"type": "github"
}
},
"libpng": { "libpng": {
"flake": false, "flake": false,
"locked": { "locked": {
@@ -820,9 +895,9 @@
}, },
"nixcord": { "nixcord": {
"inputs": { "inputs": {
"flake-compat": "flake-compat_4", "flake-compat": "flake-compat_5",
"flake-parts": "flake-parts_3", "flake-parts": "flake-parts_3",
"nixpkgs": "nixpkgs_6", "nixpkgs": "nixpkgs_7",
"nixpkgs-nixcord": "nixpkgs-nixcord" "nixpkgs-nixcord": "nixpkgs-nixcord"
}, },
"locked": { "locked": {
@@ -934,6 +1009,22 @@
} }
}, },
"nixpkgs_10": { "nixpkgs_10": {
"locked": {
"lastModified": 1777918403,
"narHash": "sha256-7QiZv0LcW1yIOLo2LNuCQjWon1Z1r99FwK24hbtBOF4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "afc5551119aae6eab73a95c1960891cfe63204f6",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_11": {
"locked": { "locked": {
"lastModified": 1770107345, "lastModified": 1770107345,
"narHash": "sha256-tbS0Ebx2PiA1FRW8mt8oejR0qMXmziJmPaU1d4kYY9g=", "narHash": "sha256-tbS0Ebx2PiA1FRW8mt8oejR0qMXmziJmPaU1d4kYY9g=",
@@ -1014,6 +1105,22 @@
} }
}, },
"nixpkgs_6": { "nixpkgs_6": {
"locked": {
"lastModified": 1764950072,
"narHash": "sha256-BmPWzogsG2GsXZtlT+MTcAWeDK5hkbGRZTeZNW42fwA=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "f61125a668a320878494449750330ca58b78c557",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_7": {
"locked": { "locked": {
"lastModified": 1777428379, "lastModified": 1777428379,
"narHash": "sha256-ypxFOeDz+CqADEQNL72haqGjvZQdBR5Vc7pyx2JDttI=", "narHash": "sha256-ypxFOeDz+CqADEQNL72haqGjvZQdBR5Vc7pyx2JDttI=",
@@ -1029,7 +1136,7 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_7": { "nixpkgs_8": {
"locked": { "locked": {
"lastModified": 1777578337, "lastModified": 1777578337,
"narHash": "sha256-Ad49moKWeXtKBJNy2ebiTQUEgdLyvGmTeykAQ9xM+Z4=", "narHash": "sha256-Ad49moKWeXtKBJNy2ebiTQUEgdLyvGmTeykAQ9xM+Z4=",
@@ -1045,7 +1152,7 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_8": { "nixpkgs_9": {
"locked": { "locked": {
"lastModified": 1777954456, "lastModified": 1777954456,
"narHash": "sha256-hGdgeU2Nk87RAuZyYjyDjFL6LK7dAZN5RE9+hrDTkDU=", "narHash": "sha256-hGdgeU2Nk87RAuZyYjyDjFL6LK7dAZN5RE9+hrDTkDU=",
@@ -1061,26 +1168,10 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_9": {
"locked": {
"lastModified": 1777918403,
"narHash": "sha256-7QiZv0LcW1yIOLo2LNuCQjWon1Z1r99FwK24hbtBOF4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "afc5551119aae6eab73a95c1960891cfe63204f6",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nur": { "nur": {
"inputs": { "inputs": {
"flake-parts": "flake-parts_4", "flake-parts": "flake-parts_4",
"nixpkgs": "nixpkgs_8" "nixpkgs": "nixpkgs_9"
}, },
"locked": { "locked": {
"lastModified": 1778156530, "lastModified": 1778156530,
@@ -1096,6 +1187,29 @@
"type": "github" "type": "github"
} }
}, },
"pre-commit": {
"inputs": {
"flake-compat": "flake-compat_4",
"gitignore": "gitignore_2",
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1765016596,
"narHash": "sha256-rhSqPNxDVow7OQKi4qS5H8Au0P4S3AYbawBSmJNUtBQ=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "548fc44fca28a5e81c5d6b846e555e6b9c2a5a3c",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"pre-commit-hooks": { "pre-commit-hooks": {
"inputs": { "inputs": {
"flake-compat": "flake-compat_3", "flake-compat": "flake-compat_3",
@@ -1130,10 +1244,11 @@
"impermanence": "impermanence", "impermanence": "impermanence",
"import-tree": "import-tree", "import-tree": "import-tree",
"lan-mouse": "lan-mouse", "lan-mouse": "lan-mouse",
"lanzaboote": "lanzaboote",
"mango": "mango", "mango": "mango",
"nixcord": "nixcord", "nixcord": "nixcord",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs_7", "nixpkgs": "nixpkgs_8",
"nixpkgs-stable": "nixpkgs-stable", "nixpkgs-stable": "nixpkgs-stable",
"nur": "nur", "nur": "nur",
"sops-nix": "sops-nix", "sops-nix": "sops-nix",
@@ -1187,6 +1302,27 @@
} }
}, },
"rust-overlay_3": { "rust-overlay_3": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1765075567,
"narHash": "sha256-KFDCdQcHJ0hE3Nt5Gm5enRIhmtEifAjpxgUQ3mzSJpA=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "769156779b41e8787a46ca3d7d76443aaf68be6f",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"rust-overlay_4": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"wezterm-flake", "wezterm-flake",
@@ -1230,7 +1366,7 @@
}, },
"sops-nix": { "sops-nix": {
"inputs": { "inputs": {
"nixpkgs": "nixpkgs_9" "nixpkgs": "nixpkgs_10"
}, },
"locked": { "locked": {
"lastModified": 1777944972, "lastModified": 1777944972,
@@ -1349,7 +1485,7 @@
}, },
"treefmt-nix": { "treefmt-nix": {
"inputs": { "inputs": {
"nixpkgs": "nixpkgs_10" "nixpkgs": "nixpkgs_11"
}, },
"locked": { "locked": {
"lastModified": 1775636079, "lastModified": 1775636079,
@@ -1410,7 +1546,7 @@
}, },
"vicinae-extensions": { "vicinae-extensions": {
"inputs": { "inputs": {
"flake-compat": "flake-compat_5", "flake-compat": "flake-compat_6",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
@@ -1440,7 +1576,7 @@
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
"rust-overlay": "rust-overlay_3", "rust-overlay": "rust-overlay_4",
"zlib": "zlib" "zlib": "zlib"
}, },
"locked": { "locked": {

1
flake.nix
View File

@@ -57,5 +57,6 @@
awww.url = "git+https://codeberg.org/LGFae/awww"; awww.url = "git+https://codeberg.org/LGFae/awww";
nixcord.url = "github:kaylorben/nixcord"; nixcord.url = "github:kaylorben/nixcord";
nur.url = "github:nix-community/nur"; nur.url = "github:nix-community/nur";
lanzaboote.url = "github:nix-community/lanzaboote/v1.0.0";
}; };
} }

3
modules/hosts/sirius/config.nix
View File

@@ -10,12 +10,14 @@
{ {
imports = with config.flake.modules.nixos; [ imports = with config.flake.modules.nixos; [
boot
networking networking
desktop desktop
virtualisation virtualisation
]; ];
tnix = { tnix = {
boot.secure-boot.enable = true;
services.openssh.enable = true; services.openssh.enable = true;
virtualisation = { virtualisation = {
@@ -52,7 +54,6 @@
# --- Boot --- # --- Boot ---
boot = { boot = {
loader = { loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true; efi.canTouchEfiVariables = true;
}; };
kernelPackages = pkgs.linuxKernel.packages.linux_zen; kernelPackages = pkgs.linuxKernel.packages.linux_zen;

34
modules/nixos/boot/secure-boot.nix Normal file
View File

@@ -0,0 +1,34 @@
{ inputs, ... }:
{
flake.modules.nixos.boot =
{
config,
lib,
pkgs,
...
}:
let
cfg = config.tnix.boot;
in
{
imports = [ inputs.lanzaboote.nixosModules.lanzaboote ];
options.tnix.boot.secure-boot = {
enable = lib.mkEnableOption "Enable secure-boot";
};
config = lib.mkIf cfg.secure-boot.enable {
environment.systemPackages = [
pkgs.sbctl
];
# Lanzaboote currently replaces the systemd-boot module.
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.lanzaboote = {
enable = true;
pkiBundle = "/var/lib/sbctl";
};
};
};
}