diff --git a/bootloaders/lanzaboote/default.nix b/bootloaders/lanzaboote/default.nix
new file mode 100644
index 0000000..8fdf742
--- /dev/null
+++ b/bootloaders/lanzaboote/default.nix
@@ -0,0 +1,10 @@
+{ pkgs, lib, ... }:
+
+{
+ boot.loader.systemd-boot.enable = lib.mkForce false;
+
+ boot.lanzaboote = {
+ enable = true;
+ pkiBundle = "/var/lib/sbctl";
+ };
+}
diff --git a/bootloaders/systemd/default.nix b/bootloaders/systemd/default.nix
new file mode 100644
index 0000000..53c5747
--- /dev/null
+++ b/bootloaders/systemd/default.nix
@@ -0,0 +1,5 @@
+{ pkgs, lib, ... }:
+
+{
+ boot.loader.systemd-boot.enable = lib.mkForce true;
+}
diff --git a/flake.lock b/flake.lock
index 32b9dd0..0e6921b 100644
--- a/flake.lock
+++ b/flake.lock
@@ -67,6 +67,21 @@ "type": "github" } }, + "crane": { + "locked": { + "lastModified": 1731098351, + "narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=", + "owner": "ipetkov", + "repo": "crane", + "rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, "firefox-gnome-theme": { "flake": false, "locked": {
@@ -84,6 +99,22 @@ } }, "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { "locked": { "lastModified": 1733328505, "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
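Review bot: `pkiBundle = "/var/lib/sbctl"` makes every build of this module depend on a key set that the commit neither creates nor documents, so on a host where `sbctl create-keys` has not been run the switch fails, and on a host where keys exist but were never enrolled (or Secure Boot is left off in firmware) the signed UKI boots without any signature check. Because the same flake-level boolean turns this module on for all four nixosConfigurations, that prerequisite applies to each host. I would add a header comment above `boot.lanzaboote`: `# Prerequisite: sbctl create-keys (keep the private keys under /var/lib/sbctl root-only) and sbctl enroll-keys from firmware Setup Mode, usually keeping the vendor certificates so option ROMs still load; lanzaboote signs the generated UKIs with this bundle.` `pkgs` in the argument set is unused and can be dropped.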
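Review bot: `lib.mkForce true` on `boot.loader.systemd-boot.enable` silences rather than resolves any profile that sets the option differently, and unlike the lanzaboote side there is no competing definition visible here that needs overriding. A plain `boot.loader.systemd-boot.enable = true;` would surface a conflicting profile as an evaluation error instead of hiding it; whether anything under ./profiles sets this option is outside the diff. `pkgs` is unused in the argument set.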
@@ -99,6 +130,27 @@ } }, "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1730504689, + "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "506278e768c2a08bec68eb62932193e341f55c90", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { "inputs": { "nixpkgs-lib": [ "stylix", @@ -163,7 +215,7 @@ "stylix", "flake-compat" ], - "gitignore": "gitignore", + "gitignore": "gitignore_2", "nixpkgs": [ "stylix", "nixpkgs" @@ -184,6 +236,28 @@ } }, "gitignore": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "pre-commit-hooks-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "gitignore_2": { "inputs": { "nixpkgs": [ "stylix", @@ -263,6 +337,32 @@ "type": "github" } }, + "lanzaboote": { + "inputs": { + "crane": "crane", + "flake-compat": "flake-compat", + "flake-parts": "flake-parts", + "nixpkgs": [ + "nixpkgs" + ], + "pre-commit-hooks-nix": "pre-commit-hooks-nix", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1737639419, + "narHash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU=", + "owner": "nix-community", + "repo": "lanzaboote", + "rev": "a65905a09e2c43ff63be8c0e86a93712361f871e", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "v0.4.2", + "repo": "lanzaboote", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1742889210, 
@@ -279,6 +379,22 @@ "type": "github" } }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1730741070, + "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs_2": { "locked": { "lastModified": 1741513245, @@ -297,7 +413,7 @@ }, "nur": { "inputs": { - "flake-parts": "flake-parts", + "flake-parts": "flake-parts_2", "nixpkgs": [ "stylix", "nixpkgs" @@ -318,14 +434,63 @@ "type": "github" } }, + "pre-commit-hooks-nix": { + "inputs": { + "flake-compat": [ + "lanzaboote", + "flake-compat" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1731363552, + "narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "root": { "inputs": { "home-manager": "home-manager", + "lanzaboote": "lanzaboote", "nixpkgs": "nixpkgs", "stylix": "stylix", "zen-browser": "zen-browser" } }, + "rust-overlay": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1731897198, + "narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "0be641045af6d8666c11c2c40e45ffc9667839b5", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "stylix": { "inputs": { "base16": "base16", 
@@ -333,7 +498,7 @@ "base16-helix": "base16-helix", "base16-vim": "base16-vim", "firefox-gnome-theme": "firefox-gnome-theme", - "flake-compat": "flake-compat", + "flake-compat": "flake-compat_2", "flake-utils": "flake-utils", "git-hooks": "git-hooks", "gnome-shell": "gnome-shell",
diff --git a/flake.nix b/flake.nix
index 5dd2c1a..0ace151 100644
--- a/flake.nix
+++ b/flake.nix
@@ -14,14 +14,20 @@ inputs.nixpkgs.follows = "nixpkgs"; };
+ lanzaboote = {
+ url = "github:nix-community/lanzaboote/v0.4.2";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
 stylix.url = "github:danth/stylix"; };
- outputs = { nixpkgs, ... } @ inputs: let
+ outputs = { nixpkgs, lanzaboote, ... } @ inputs: let
 system = "x86_64-linux"; host = "swordfish"; profile = "nvidia-laptop"; username = "marked";
+ enableLanzaboote = true;
 in { nixosConfigurations = { nvidia = nixpkgs.lib.nixosSystem {
@@ -32,7 +38,7 @@ inherit host; inherit profile; };
- modules = [ ./profiles/nvidia ];
+ modules = [ ./profiles/nvidia ] ++ (if enableLanzaboote == true then [ lanzaboote.nixosModules.lanzaboote ./bootloaders/lanzaboote ] else [ ./bootloaders/systemd ]);
 }; nvidia-laptop = nixpkgs.lib.nixosSystem { inherit system;
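Review bot: The new `lanzaboote` input is pinned to the `v0.4.2` tag, but per the flake.lock hunks in this commit it also brings `crane`, `rust-overlay`, `pre-commit-hooks-nix`, `flake-compat` and a second `nixpkgs` (`nixos-24.05`) into the lock, and only `nixpkgs` is made to follow the root input, so the set of repositories this configuration trusts grows by five with no note about which are needed. `crane` and `rust-overlay` are presumably needed to build lanzaboote's stub; `pre-commit-hooks-nix` and its `nixpkgs-stable` look like dev-shell-only inputs. If the Nix version in use accepts an empty follows, they can be pruned with `inputs.pre-commit-hooks-nix.follows = "";` next to the existing `inputs.nixpkgs.follows = "nixpkgs";`; otherwise a comment stating the transitive pins are expected would help the next `nix flake update` review. `enableLanzaboote = true;` is a flake-wide switch with no explanation; a comment that it applies to every nixosConfiguration and requires enrolled sbctl keys on each host would help.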
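Review bot: The bootloader selection `(if enableLanzaboote == true then [ lanzaboote.nixosModules.lanzaboote ./bootloaders/lanzaboote ] else [ ./bootloaders/systemd ])` is pasted into every host's `modules` list, and `== true` is redundant on a boolean. Bind it once in the `let`, `bootloaderModules = if enableLanzaboote then [ lanzaboote.nixosModules.lanzaboote ./bootloaders/lanzaboote ] else [ ./bootloaders/systemd ];`, and write `modules = [ ./profiles/nvidia ] ++ bootloaderModules;` per host, so a later change (a per-host switch, or a TPM/LUKS module that must accompany Secure Boot) is made in one place. The `nvidia-laptop` entry continues past the end of the hunk.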
@@ -52,7 +58,17 @@ inherit host; inherit profile; };
- modules = [ ./profiles/intel ];
+ modules = [ ./profiles/intel ] ++ (if enableLanzaboote == true then [ lanzaboote.nixosModules.lanzaboote ./bootloaders/lanzaboote ] else [ ./bootloaders/systemd ]);
+ };
+ amd = nixpkgs.lib.nixosSystem {
+ inherit system;
+ specialArgs = {
+ inherit inputs;
+ inherit username;
+ inherit host;
+ inherit profile;
+ };
+ modules = [ ./profiles/amd ] ++ (if enableLanzaboote == true then [ lanzaboote.nixosModules.lanzaboote ./bootloaders/lanzaboote ] else [ ./bootloaders/systemd ]);
 }; }; };
diff --git a/modules/core/packages.nix b/modules/core/packages.nix
index c08607d..0707ba7 100644
--- a/modules/core/packages.nix
+++ b/modules/core/packages.nix
@@ -46,6 +46,8 @@ in fuse # Virtual file systems greetd.tuigreet # Display Manager #(callPackage ../../packages/sddm-rose-pine.nix {}) # SDDM theme
+ cloudflared # Cloudflare daemon
+ sbctl # Secure Boot keys
 ] ++ [ rustup # Rust toolchain manager clang # C compiler
diff --git a/modules/home/hyprland/hyprland.nix b/modules/home/hyprland/hyprland.nix
index 0196575..58b7e40 100644
--- a/modules/home/hyprland/hyprland.nix
+++ b/modules/home/hyprland/hyprland.nix
@@ -1,4 +1,4 @@
-{ host, profile, config, pkgs, ... }:
+{ lib, host, profile, config, pkgs, enableLanzaboote, ... }:
 let inherit (import ../../../hosts/${host}/variables.nix)
@@ -29,7 +29,7 @@ in wayland.windowManager.hyprland = { enable = true; package = pkgs.hyprland;
- systemd = {
+ systemd = lib.mkIf enableLanzaboote == false {
 enable = true; enableXdgAutostart = true; variables = [ "--all" ];
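Review bot: The new `amd` configuration's `specialArgs` inherit the flake-level `host = "swordfish"` and `profile = "nvidia-laptop"` bindings, so a machine built from it would read `hosts/swordfish/variables.nix` and carry an nvidia-laptop profile name while importing `./profiles/amd`. If that is intended, a comment saying the top-level `host`/`profile` are placeholders would stop the next reader from treating it as a bug; otherwise give `amd` its own `host` and set `profile = "amd";` in its `specialArgs`. `enableLanzaboote` is not among the `specialArgs` even though a module in this same commit declares it as an argument.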
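Review bot: `cloudflared # Cloudflare daemon` is unrelated to the Secure Boot change and the comment does not say what the binary is for; it is the Cloudflare Tunnel client, which publishes local services to the Internet over an outbound connection, so it deserves a clearer note even though being in `environment.systemPackages` does not start it. I would write `cloudflared # Cloudflare Tunnel client; exposes local services via Cloudflare, configure with services.cloudflared` and, if a tunnel is in use, keep its credentials out of the Nix store, since anything written there is world-readable. `sbctl # Secure Boot keys` is fine as the tool that creates and enrolls the keys ./bootloaders/lanzaboote expects. The package list continues past the hunk on both sides.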
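Review bot: `enableLanzaboote` is added to this home-manager module's argument set, but in flake.nix it is only a `let` binding and the `specialArgs` shown in this commit pass `inputs`, `username`, `host` and `profile`, so unless it is threaded through home-manager's `extraSpecialArgs` somewhere outside the diff, evaluating this module fails with a missing-argument error. Either add `inherit enableLanzaboote;` to the NixOS `specialArgs` and to home-manager's `extraSpecialArgs`, or, if home-manager runs as a NixOS module, drop the argument and read the real state with `osConfig.boot.lanzaboote.enable` so the two cannot drift. The `let` block that follows continues past the hunk.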
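Review bot: `systemd = lib.mkIf enableLanzaboote == false { ... }` does not parse as intended: function application binds tighter than `==` in Nix, so this is `(lib.mkIf enableLanzaboote) == (false { ... })`, which tries to call the boolean `false` as a function and aborts evaluation. Write `systemd = lib.mkIf (!enableLanzaboote) {` instead. The link between Secure Boot and Hyprland's systemd integration is also not obvious from the code; a one-line comment above it stating why the integration must be off under lanzaboote (or that it is a temporary workaround) would keep someone from "fixing" it back. The attribute set continues past the hunk.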