Initial setup for lanzaboote

marked 2025-03-29 19:25:27 +01:00
parent 24a865004a
commit 1908280a34
6 changed files with 207 additions and 9 deletions


@ -0,0 +1,10 @@
{ pkgs, lib, ... }:
{
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.lanzaboote = {
enable = true;
pkiBundle = "/var/lib/sbctl";
};
}
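Review bot: `pkiBundle = "/var/lib/sbctl"` points lanzaboote at a directory that this configuration never creates, and nothing in the file records the out-of-band steps it presumably depends on (key pair generated with `sbctl create-keys`, then enrolled from firmware Setup Mode), so a host rebuilt from scratch will most likely fail at install time or boot unsigned. A comment above the option would save the next maintainer that surprise, e.g. `# Signing keys are created out of band with sbctl (create-keys / enroll-keys); lanzaboote only consumes them.` Worth a second line noting that the private signing key then lives on the same disk the boot chain is meant to protect, so root or offline disk access is enough to sign arbitrary images. The `pkgs` binding in the argument pattern is unused.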


@ -0,0 +1,5 @@
{ pkgs, lib, ... }:
{
boot.loader.systemd-boot.enable = lib.mkForce true;
}
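Review bot: `lib.mkForce true` on the systemd-boot fallback is stronger than the situation calls for and would silently win over any profile that deliberately sets `boot.loader.systemd-boot.enable = false`; the lanzaboote file needs `mkForce` to beat the default, this one does not, so `boot.loader.systemd-boot.enable = true;` (or `lib.mkDefault true` if a profile is meant to be able to override it) is the conventional choice. The `pkgs` binding in the argument pattern is unused.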


@ -67,6 +67,21 @@
"type": "github"
}
},
"crane": {
"locked": {
"lastModified": 1731098351,
"narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=",
"owner": "ipetkov",
"repo": "crane",
"rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"firefox-gnome-theme": {
"flake": false,
"locked": {
@ -84,6 +99,22 @@
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"locked": {
"lastModified": 1733328505,
"narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
@ -99,6 +130,27 @@
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1730504689,
"narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "506278e768c2a08bec68eb62932193e341f55c90",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_2": {
"inputs": {
"nixpkgs-lib": [
"stylix",
@ -163,7 +215,7 @@
"stylix",
"flake-compat"
],
"gitignore": "gitignore",
"gitignore": "gitignore_2",
"nixpkgs": [
"stylix",
"nixpkgs"
@ -184,6 +236,28 @@
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"pre-commit-hooks-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"gitignore_2": {
"inputs": {
"nixpkgs": [
"stylix",
@ -263,6 +337,32 @@
"type": "github"
}
},
"lanzaboote": {
"inputs": {
"crane": "crane",
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
"nixpkgs": [
"nixpkgs"
],
"pre-commit-hooks-nix": "pre-commit-hooks-nix",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1737639419,
"narHash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU=",
"owner": "nix-community",
"repo": "lanzaboote",
"rev": "a65905a09e2c43ff63be8c0e86a93712361f871e",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "v0.4.2",
"repo": "lanzaboote",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1742889210,
@ -279,6 +379,22 @@
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1730741070,
"narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1741513245,
@ -297,7 +413,7 @@
},
"nur": {
"inputs": {
"flake-parts": "flake-parts",
"flake-parts": "flake-parts_2",
"nixpkgs": [
"stylix",
"nixpkgs"
@ -318,14 +434,63 @@
"type": "github"
}
},
"pre-commit-hooks-nix": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"gitignore": "gitignore",
"nixpkgs": [
"lanzaboote",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1731363552,
"narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"root": {
"inputs": {
"home-manager": "home-manager",
"lanzaboote": "lanzaboote",
"nixpkgs": "nixpkgs",
"stylix": "stylix",
"zen-browser": "zen-browser"
}
},
"rust-overlay": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1731897198,
"narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "0be641045af6d8666c11c2c40e45ffc9667839b5",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"stylix": {
"inputs": {
"base16": "base16",
@ -333,7 +498,7 @@
"base16-helix": "base16-helix",
"base16-vim": "base16-vim",
"firefox-gnome-theme": "firefox-gnome-theme",
"flake-compat": "flake-compat",
"flake-compat": "flake-compat_2",
"flake-utils": "flake-utils",
"git-hooks": "git-hooks",
"gnome-shell": "gnome-shell",


@ -14,14 +14,20 @@
inputs.nixpkgs.follows = "nixpkgs";
};
lanzaboote = {
url = "github:nix-community/lanzaboote/v0.4.2";
inputs.nixpkgs.follows = "nixpkgs";
};
stylix.url = "github:danth/stylix";
};
outputs = { nixpkgs, ... } @ inputs: let
outputs = { nixpkgs, lanzaboote, ... } @ inputs: let
system = "x86_64-linux";
host = "swordfish";
profile = "nvidia-laptop";
username = "marked";
enableLanzaboote = true;
in {
nixosConfigurations = {
nvidia = nixpkgs.lib.nixosSystem {
@ -32,7 +38,7 @@
inherit host;
inherit profile;
};
modules = [ ./profiles/nvidia ];
modules = [ ./profiles/nvidia ] ++ (if enableLanzaboote == true then [ lanzaboote.nixosModules.lanzaboote ./bootloaders/lanzaboote ] else [ ./bootloaders/systemd ]);
};
nvidia-laptop = nixpkgs.lib.nixosSystem {
inherit system;
@ -42,7 +48,7 @@
inherit host;
inherit profile;
};
modules = [ ./profiles/nvidia-laptop ];
modules = [ ./profiles/nvidia-laptop ] ++ (if enableLanzaboote == true then [ lanzaboote.nixosModules.lanzaboote ./bootloaders/lanzaboote ] else [ ./bootloaders/systemd ]);
};
intel = nixpkgs.lib.nixosSystem {
inherit system;
@ -52,7 +58,17 @@
inherit host;
inherit profile;
};
modules = [ ./profiles/intel ];
modules = [ ./profiles/intel ] ++ (if enableLanzaboote == true then [ lanzaboote.nixosModules.lanzaboote ./bootloaders/lanzaboote ] else [ ./bootloaders/systemd ]);
};
amd = nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = {
inherit inputs;
inherit username;
inherit host;
inherit profile;
};
modules = [ ./profiles/amd ] ++ (if enableLanzaboote == true then [ lanzaboote.nixosModules.lanzaboote ./bootloaders/lanzaboote ] else [ ./bootloaders/systemd ]);
};
};
};
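Review bot: `enableLanzaboote` is bound only in the `let` and is never added to any `specialArgs` set (the `amd` block shows the full set: `inputs`, `username`, `host`, `profile`), yet the Hyprland home-manager module in this same commit declares `enableLanzaboote` as a required function argument; unless it is threaded through somewhere not shown here (an `extraSpecialArgs`, for instance), evaluation fails with a missing-argument error. Add `inherit enableLanzaboote;` beside the other `inherit` lines in each `specialArgs`, and pass it to home-manager the same way if that is how the module is loaded. Separately, the `++ (if enableLanzaboote == true then [...] else [...])` expression is pasted four times; hoist it into the `let` once, drop the redundant `== true`, and reuse it.
```nix
  outputs = { nixpkgs, lanzaboote, ... } @ inputs: let
    system = "x86_64-linux";
    # … unchanged: host, profile, username …
    enableLanzaboote = true;
    # Secure Boot via lanzaboote needs its NixOS module plus the local wrapper;
    # otherwise fall back to plain systemd-boot.
    bootModules =
      if enableLanzaboote
      then [ lanzaboote.nixosModules.lanzaboote ./bootloaders/lanzaboote ]
      else [ ./bootloaders/systemd ];
  in {
    nixosConfigurations = {
      # … unchanged: nvidia, nvidia-laptop, intel, each using `++ bootModules` …
      amd = nixpkgs.lib.nixosSystem {
        inherit system;
        specialArgs = {
          inherit inputs;
          inherit username;
          inherit host;
          inherit profile;
          inherit enableLanzaboote;
        };
        modules = [ ./profiles/amd ] ++ bootModules;
      };
    };
  };
```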


@ -46,6 +46,8 @@ in
fuse # Virtual file systems
greetd.tuigreet # Display Manager
#(callPackage ../../packages/sddm-rose-pine.nix {}) # SDDM theme
cloudflared # Cloudflare daemon
sbctl # Secure Boot keys
] ++ [
rustup # Rust toolchain manager
clang # C compiler
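Review bot: `cloudflared` is unrelated to the Secure Boot setup this commit is titled for and is not mentioned in the commit message; it belongs in its own commit or at least a line in the description. The `sbctl` comment could say what the tool is actually used for in this setup, e.g. `sbctl # Secure Boot key management (create-keys / enroll-keys / sign) used by lanzaboote`. The enclosing package list starts and ends outside the hunk.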


@ -1,4 +1,4 @@
{ host, profile, config, pkgs, ... }:
{ lib, host, profile, config, pkgs, enableLanzaboote, ... }:
let
inherit
(import ../../../hosts/${host}/variables.nix)
@ -29,7 +29,7 @@ in
wayland.windowManager.hyprland = {
enable = true;
package = pkgs.hyprland;
systemd = {
systemd = lib.mkIf enableLanzaboote == false {
enable = true;
enableXdgAutostart = true;
variables = [ "--all" ];
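Review bot: `systemd = lib.mkIf enableLanzaboote == false { ... }` does not parse the way it reads: function application binds tighter than `==`, so Nix evaluates it as `(lib.mkIf enableLanzaboote) == (false { ... })` and aborts trying to call the boolean `false` as a function. Parenthesize the condition: `systemd = lib.mkIf (!enableLanzaboote) {`. It is also not obvious why Hyprland's systemd integration should depend on the bootloader choice, so add a why-comment above that line explaining the connection rather than leaving it as an unexplained coupling. The `systemd` attribute set continues past the end of the hunk.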