From 1cd3723eba91f98fe28df39e74f1ea1f9ccea655 Mon Sep 17 00:00:00 2001 From: Alexandre Date: Sun, 1 Mar 2026 12:12:14 +0100 Subject: [PATCH] Added secure boot --- flake.lock | 122 +++++++++++++++++++++++++++++++++ flake.nix | 1 + modules/common/environment.nix | 2 +- modules/nixos/secureboot.nix | 5 +- 4 files changed, 128 insertions(+), 2 deletions(-) diff --git a/flake.lock b/flake.lock index 07a2277..e11c979 100644 --- a/flake.lock +++ b/flake.lock @@ -55,6 +55,21 @@ "url": "https://codeberg.org/LGFae/awww" } }, + "crane": { + "locked": { + "lastModified": 1771796463, + "narHash": "sha256-9bCDuUzpwJXcHMQYMS1yNuzYMmKO/CCwCexpjWOl62I=", + "owner": "ipetkov", + "repo": "crane", + "rev": "3d3de3313e263e04894f284ac18177bd26169bad", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, "flake-compat": { "flake": false, "locked": { @@ -87,6 +102,22 @@ "type": "github" } }, + "flake-compat_3": { + "flake": false, + "locked": { + "lastModified": 1767039857, + "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=", + "owner": "NixOS", + "repo": "flake-compat", + "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "flake-compat", + "type": "github" + } + }, "flake-parts": { "inputs": { "nixpkgs-lib": [ @@ -169,6 +200,28 @@ "type": "github" } }, + "gitignore_2": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "pre-commit", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ 
@@ -510,6 +563,30 @@ "type": "github" } }, + "lanzaboote": { + "inputs": { + "crane": "crane", + "nixpkgs": [ + "nixpkgs" + ], + "pre-commit": "pre-commit", + "rust-overlay": "rust-overlay_2" + }, + "locked": { + "lastModified": 1772216104, + "narHash": "sha256-1TnGN26vnCEQk5m4AavJZxGZTb/6aZyphemRPRwFUfs=", + "owner": "nix-community", + "repo": "lanzaboote", + "rev": "dbe5112de965bbbbff9f0729a9789c20a65ab047", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "master", + "repo": "lanzaboote", + "type": "github" + } + }, "nix-citizen": { "inputs": { "flake-parts": "flake-parts", @@ -668,6 +745,29 @@ "type": "github" } }, + "pre-commit": { + "inputs": { + "flake-compat": "flake-compat_3", + "gitignore": "gitignore_2", + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1771858127, + "narHash": "sha256-Gtre9YoYl3n25tJH2AoSdjuwcqij5CPxL3U3xysYD08=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "49bbbfc218bf3856dfa631cead3b052d78248b83", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "pre-commit-hooks": { "inputs": { "flake-compat": "flake-compat_2", @@ -716,6 +816,7 @@ "awww": "awww", "home-manager": "home-manager", "hyprland": "hyprland", + "lanzaboote": "lanzaboote", "nix-citizen": "nix-citizen", "nix-darwin": "nix-darwin", "nixos-hardware": "nixos-hardware", @@ -748,6 +849,27 @@ "type": "github" } }, + "rust-overlay_2": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1771988922, + "narHash": "sha256-Fc6FHXtfEkLtuVJzd0B6tFYMhmcPLuxr90rWfb/2jtQ=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "f4443dc3f0b6c5e6b77d923156943ce816d1fcb9", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "sops-nix": { "inputs": { "nixpkgs": [ diff --git a/flake.nix b/flake.nix index 50b0724..fd21112 100644 
--- a/flake.nix
+++ b/flake.nix
@@ -83,6 +83,7 @@
 specialArgs = { inherit inputs; };
 modules = [
 inputs.nixos-hardware.nixosModules.framework-16-7040-amd
+ inputs.lanzaboote.nixosModules.lanzaboote
 ./hosts/framework/configuration.nix
 inputs.home-manager.nixosModules.default
 inputs.sops-nix.nixosModules.sops
diff --git a/modules/common/environment.nix b/modules/common/environment.nix
index 50d0616..38f0634 100644
--- a/modules/common/environment.nix
+++ b/modules/common/environment.nix
@@ -21,7 +21,7 @@
 gnupg
 cmatrix
 gh
- sbctl
+
 # Browser
 inputs.zen-browser.packages.${pkgs.stdenv.hostPlatform.system}.default
 ];
diff --git a/modules/nixos/secureboot.nix b/modules/nixos/secureboot.nix
index 20e8409..8fd94a1 100644
--- a/modules/nixos/secureboot.nix
+++ b/modules/nixos/secureboot.nix
@@ -1,6 +1,7 @@
-{ pkgs, lib, ...}:
+{ pkgs, lib, input, ...}:
 {
+ boot.loader.systemd-boot.enable = lib.mkForce false;
 boot.lanzaboote = {
@@ -8,4 +9,6 @@
 pkiBundle = "/var/lib/sbctl";
 };
+ environment.systemPackages = [pkgs.sbctl];
+
 }
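Review bot: The lanzaboote module wired in on the added `inputs.lanzaboote.nixosModules.lanzaboote` line is, according to the flake.lock hunk in this same patch, locked from `"ref": "master"` rather than a tagged release, so each `nix flake update` moves the Secure Boot tooling to whatever upstream tip is current; the input declaration itself is outside this hunk, so confirm it there and consider pinning a release tag or reviewing lock bumps of this input deliberately. The module is added only to the framework host's module list, which matches the host-specific secureboot.nix, and a short comment on the new line such as `# Secure Boot via lanzaboote; settings live in modules/nixos/secureboot.nix` would make that coupling visible. The enclosing nixosSystem call starts before and ends after this hunk.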
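Review bot: The new module argument `input` on the changed first line of secureboot.nix is not referenced in either hunk of the file, and flake.nix passes `inputs` (plural) through `specialArgs = { inherit inputs; }`, so this reads as a typo; the module system resolves declared arguments from specialArgs and `_module.args`, so an unsupplied `input` is likely to fail evaluation rather than be ignored. If flake inputs are needed, change the line to `{ pkgs, lib, inputs, ...}:`; if nothing in the file uses them (the lines between the two hunks are not visible here), revert to `{ pkgs, lib, ...}:`. The added `lib.mkForce false` on systemd-boot also deserves a why-comment, e.g. `# lanzaboote takes over as the boot loader; mkForce overrides any other module that enables systemd-boot`. The module's attribute set continues past this hunk.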
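Review bot: The second added line in the last hunk of secureboot.nix is an empty line immediately before the closing `}`, which leaves a stray blank at the end of the attribute set; drop it. Since sbctl is being moved here from the common package list in environment.nix, a comment on the new `environment.systemPackages = [pkgs.sbctl];` line would explain the relocation, e.g. `# sbctl manages the Secure Boot keys under pkiBundle; only hosts importing this module need it`. The `pkiBundle = "/var/lib/sbctl";` context line names the signing-key store that sbctl operates on, so that comment is also the natural place to note who is expected to own and access that directory.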