From b738736f942b2b368fa87b5079197b9c5fe9212c Mon Sep 17 00:00:00 2001 From: lightly-toasted Date: Thu, 28 Aug 2025 22:37:42 +0900 Subject: [PATCH] feat: add lanzaboote - Added lanzaboote - Disabled systemd-boot in favor of lanzaboote - Added sbctl --- flake.lock | 173 ++++++++++++++++++++++++++++++- flake.nix | 4 + hosts/nixos/configuration.nix | 1 + hosts/nixos/modules/boot.nix | 9 +- hosts/nixos/modules/packages.nix | 1 + 5 files changed, 182 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index ba3f1a5..6ef9790 100644 --- a/flake.lock +++ b/flake.lock @@ -1,6 +1,37 @@ { "nodes": { + "crane": { + "locked": { + "lastModified": 1731098351, + "narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=", + "owner": "ipetkov", + "repo": "crane", + "rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { "locked": { "lastModified": 1733328505, "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", @@ -15,6 +46,27 @@ } }, "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1730504689, + "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "506278e768c2a08bec68eb62932193e341f55c90", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { "inputs": { "nixpkgs-lib": "nixpkgs-lib" }, @@ -32,7 +84,7 @@ "type": "github" } }, - "flake-parts_2": { + "flake-parts_3": { "inputs": { "nixpkgs-lib": [ "nixvim", @@ -71,6 +123,28 @@ "type": "github" } }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "pre-commit-hooks-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ @@ -119,6 +193,32 @@ "type": "github" } }, + "lanzaboote": { + "inputs": { + "crane": "crane", + "flake-compat": "flake-compat", + "flake-parts": "flake-parts", + "nixpkgs": [ + "nixpkgs" + ], + "pre-commit-hooks-nix": "pre-commit-hooks-nix", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1737639419, + "narHash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU=", + "owner": "nix-community", + "repo": "lanzaboote", + "rev": "a65905a09e2c43ff63be8c0e86a93712361f871e", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "v0.4.2", + "repo": "lanzaboote", + "type": "github" + } + }, "nix-flatpak": { "locked": { "lastModified": 1754513886, @@ -136,8 +236,8 @@ }, "nixcord": { "inputs": { - "flake-compat": "flake-compat", - "flake-parts": "flake-parts", + "flake-compat": "flake-compat_2", + "flake-parts": "flake-parts_2", "nixpkgs": [ "nixpkgs" ] @@ -187,9 +287,25 @@ "type": "github" } }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1730741070, + "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, "nixvim": { "inputs": { - "flake-parts": "flake-parts_2", + "flake-parts": "flake-parts_3", "nixpkgs": [ "nixpkgs" ], @@ -233,9 +349,37 @@ "type": "github" } }, + "pre-commit-hooks-nix": { + "inputs": { + "flake-compat": [ + "lanzaboote", + "flake-compat" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1731363552, + "narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "root": { "inputs": { "home-manager": "home-manager", + "lanzaboote": "lanzaboote", "nix-flatpak": "nix-flatpak", "nixcord": "nixcord", "nixpkgs": "nixpkgs", @@ -243,6 +387,27 @@ "sops-nix": "sops-nix" } }, + "rust-overlay": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1731897198, + "narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "0be641045af6d8666c11c2c40e45ffc9667839b5", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "sops-nix": { "inputs": { "nixpkgs": [ diff --git a/flake.nix b/flake.nix index 8ac461e..9363141 100644 --- a/flake.nix +++ b/flake.nix @@ -18,6 +18,10 @@ url = "github:Mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; }; + lanzaboote = { + url = "github:nix-community/lanzaboote/v0.4.2"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; outputs = { self, nixpkgs, home-manager, ... } @ inputs: diff --git a/hosts/nixos/configuration.nix b/hosts/nixos/configuration.nix index a46cedb..f6f6ce5 100644 --- a/hosts/nixos/configuration.nix +++ b/hosts/nixos/configuration.nix @@ -5,6 +5,7 @@ [ inputs.nix-flatpak.nixosModules.nix-flatpak inputs.sops-nix.nixosModules.sops + inputs.lanzaboote.nixosModules.lanzaboote ./hardware-configuration.nix ] ++ ( let diff --git a/hosts/nixos/modules/boot.nix b/hosts/nixos/modules/boot.nix index 2904301..d66e1b8 100644 --- a/hosts/nixos/modules/boot.nix +++ b/hosts/nixos/modules/boot.nix @@ -1,7 +1,12 @@ -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: { - boot.loader.systemd-boot.enable = true; + boot.loader.systemd-boot.enable = lib.mkForce false; boot.loader.efi.canTouchEfiVariables = true; boot.supportedFilesystems = [ "ntfs" ]; + + boot.lanzaboote = { + enable = true; + pkiBundle = "/var/lib/sbctl"; + }; } diff --git a/hosts/nixos/modules/packages.nix b/hosts/nixos/modules/packages.nix index 3b57a05..69c2234 100644 --- a/hosts/nixos/modules/packages.nix +++ b/hosts/nixos/modules/packages.nix @@ -4,6 +4,7 @@ environment.systemPackages = with pkgs; [ vim wget + sbctl ]; nixpkgs.config.allowUnfree = true; }