Added secure boot

2026-03-09 15:59:46 +01:00 · 2026-03-01 12:12:14 +01:00 · 2026-03-01 12:12:14 +01:00 · 1cd3723eba
commit 1cd3723eba
parent 445856d98a
4 changed files with 128 additions and 2 deletions
--- a/flake.lock
+++ b/flake.lock
@ -55,6 +55,21 @@
        "url": "https://codeberg.org/LGFae/awww"
      }
    },
+    "crane": {
+      "locked": {
+        "lastModified": 1771796463,
+        "narHash": "sha256-9bCDuUzpwJXcHMQYMS1yNuzYMmKO/CCwCexpjWOl62I=",
+        "owner": "ipetkov",
+        "repo": "crane",
+        "rev": "3d3de3313e263e04894f284ac18177bd26169bad",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ipetkov",
+        "repo": "crane",
+        "type": "github"
+      }
+    },
    "flake-compat": {
      "flake": false,
      "locked": {
@ -87,6 +102,22 @@
        "type": "github"
      }
    },
+    "flake-compat_3": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1767039857,
+        "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
+        "owner": "NixOS",
+        "repo": "flake-compat",
+        "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
    "flake-parts": {
      "inputs": {
        "nixpkgs-lib": [
@ -169,6 +200,28 @@
        "type": "github"
      }
    },
+    "gitignore_2": {
+      "inputs": {
+        "nixpkgs": [
+          "lanzaboote",
+          "pre-commit",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
@ -510,6 +563,30 @@
        "type": "github"
      }
    },
+    "lanzaboote": {
+      "inputs": {
+        "crane": "crane",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "pre-commit": "pre-commit",
+        "rust-overlay": "rust-overlay_2"
+      },
+      "locked": {
+        "lastModified": 1772216104,
+        "narHash": "sha256-1TnGN26vnCEQk5m4AavJZxGZTb/6aZyphemRPRwFUfs=",
+        "owner": "nix-community",
+        "repo": "lanzaboote",
+        "rev": "dbe5112de965bbbbff9f0729a9789c20a65ab047",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "master",
+        "repo": "lanzaboote",
+        "type": "github"
+      }
+    },
    "nix-citizen": {
      "inputs": {
        "flake-parts": "flake-parts",
@ -668,6 +745,29 @@
        "type": "github"
      }
    },
+    "pre-commit": {
+      "inputs": {
+        "flake-compat": "flake-compat_3",
+        "gitignore": "gitignore_2",
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1771858127,
+        "narHash": "sha256-Gtre9YoYl3n25tJH2AoSdjuwcqij5CPxL3U3xysYD08=",
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "rev": "49bbbfc218bf3856dfa631cead3b052d78248b83",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "type": "github"
+      }
+    },
    "pre-commit-hooks": {
      "inputs": {
        "flake-compat": "flake-compat_2",
@ -716,6 +816,7 @@
        "awww": "awww",
        "home-manager": "home-manager",
        "hyprland": "hyprland",
+        "lanzaboote": "lanzaboote",
        "nix-citizen": "nix-citizen",
        "nix-darwin": "nix-darwin",
        "nixos-hardware": "nixos-hardware",
@ -748,6 +849,27 @@
        "type": "github"
      }
    },
+    "rust-overlay_2": {
+      "inputs": {
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1771988922,
+        "narHash": "sha256-Fc6FHXtfEkLtuVJzd0B6tFYMhmcPLuxr90rWfb/2jtQ=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "f4443dc3f0b6c5e6b77d923156943ce816d1fcb9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    },
    "sops-nix": {
      "inputs": {
        "nixpkgs": [
--- a/flake.nix
+++ b/flake.nix
@ -83,6 +83,7 @@
      specialArgs = { inherit inputs; };
      modules = [
      	inputs.nixos-hardware.nixosModules.framework-16-7040-amd
+        inputs.lanzaboote.nixosModules.lanzaboote
        ./hosts/framework/configuration.nix
        inputs.home-manager.nixosModules.default
        inputs.sops-nix.nixosModules.sops
--- a/modules/common/environment.nix
+++ b/modules/common/environment.nix
@ -21,7 +21,7 @@
          gnupg
          cmatrix
          gh
-          sbctl
+
 	  # Browser
 	  inputs.zen-browser.packages.${pkgs.stdenv.hostPlatform.system}.default
    ];
--- a/modules/nixos/secureboot.nix
+++ b/modules/nixos/secureboot.nix
@ -1,6 +1,7 @@
-{ pkgs, lib, ...}:
+{ pkgs, lib, input, ...}:

 {
+
  boot.loader.systemd-boot.enable = lib.mkForce false;

  boot.lanzaboote = {
@ -8,4 +9,6 @@
    pkiBundle = "/var/lib/sbctl";
  };

+  environment.systemPackages = [pkgs.sbctl];
+
 }