Kabbone/nixos-config
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

desktop/steamdeck: enable secureboot

Browse Source
This commit is contained in:
Kabbone 2024-02-25 08:09:17 +01:00
parent e51e3095a1
commit 80178917bb
Signed by: Kabbone
SSH Key Fingerprint: SHA256:A5zPB5I6u5V78V51c362BBdCwhDhfDUVbt7NfKdjWBY
5 changed files with 261 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

245
flake.lock generated
View File

@ -23,6 +23,39 @@
"type": "github"
}
},
"crane": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"nixpkgs": [
"lanzaboote",
"nixpkgs"
],
"rust-overlay": [
"lanzaboote",
"rust-overlay"
]
},
"locked": {
"lastModified": 1681177078,
"narHash": "sha256-ZNIjBDou2GOabcpctiQykEQVkI8BDwk7TyvlWlI4myE=",
"owner": "ipetkov",
"repo": "crane",
"rev": "0c9f468ff00576577d83f5019a66c557ede5acf6",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
@ -45,10 +78,65 @@
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1680392223,
"narHash": "sha256-n3g7QFr85lDODKt250rkZj2IFS3i4/8HBU2yKHO3tqw=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "dcc36e45d054d7bb554c9cdab69093debd91a0b5",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1681202837,
"narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "cfacdce06f30d2b68473a46042957675eebb3401",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems_3"
},
"locked": {
"lastModified": 1705309234,
"narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
@ -63,6 +151,28 @@
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"pre-commit-hooks-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1660459072,
"narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
@ -91,11 +201,11 @@
]
},
"locked": {
"lastModified": 1708591310,
"narHash": "sha256-8mQGVs8JccWTnORgoLOTh9zvf6Np+x2JzhIc+LDcJ9s=",
"lastModified": 1708806879,
"narHash": "sha256-MSbxtF3RThI8ANs/G4o1zIqF5/XlShHvwjl9Ws0QAbI=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "0e0e9669547e45ea6cca2de4044c1a384fd0fe55",
"rev": "4ee704cb13a5a7645436f400b9acc89a67b9c08a",
"type": "github"
},
"original": {
@ -161,9 +271,36 @@
"type": "github"
}
},
"lanzaboote": {
"inputs": {
"crane": "crane",
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
],
"pre-commit-hooks-nix": "pre-commit-hooks-nix",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1682802423,
"narHash": "sha256-Fb5TeRTdvUlo/5Yi2d+FC8a6KoRLk2h1VE0/peMhWPs=",
"owner": "nix-community",
"repo": "lanzaboote",
"rev": "64b903ca87d18cef2752c19c098af275c6e51d63",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "v0.3.0",
"repo": "lanzaboote",
"type": "github"
}
},
"microvm": {
"inputs": {
"flake-utils": "flake-utils",
"flake-utils": "flake-utils_2",
"nixpkgs": [
"nixpkgs"
],
@ -223,11 +360,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1708566995,
"narHash": "sha256-e/THimsoxxMAHSbwMKov5f5Yg+utTj6XVGEo24Lhx+0=",
"lastModified": 1708702655,
"narHash": "sha256-qxT5jSLhelfLhQ07+AUxSTm1VnVH+hQxDkQSZ/m/Smo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "3cb4ae6689d2aa3f363516234572613b31212b78",
"rev": "c5101e457206dd437330d283d6626944e28794b3",
"type": "github"
},
"original": {
@ -237,6 +374,22 @@
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1678872516,
"narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "9b8e5abb18324c7fe9f07cb100c3cd4a29cda8b8",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-22.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1708655239,
@ -255,11 +408,11 @@
},
"nur": {
"locked": {
"lastModified": 1708769742,
"narHash": "sha256-/nCOWn+40MqmgP2erjP9lLCtYzaY19Vhmaqix5JLxHA=",
"lastModified": 1708806201,
"narHash": "sha256-kZv5LWZaR1N1Jz+3S3OBWadCXyOAdmi2heKfCmjmkYw=",
"owner": "nix-community",
"repo": "NUR",
"rev": "919856228550477509e5a64e0f5bc8303f5103f6",
"rev": "deb67c142317827d32256bb0df1fc96be237a177",
"type": "github"
},
"original": {
@ -268,6 +421,37 @@
"type": "github"
}
},
"pre-commit-hooks-nix": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"gitignore": "gitignore",
"nixpkgs": [
"lanzaboote",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1681413034,
"narHash": "sha256-/t7OjNQcNkeWeSq/CFLYVBfm+IEnkjoSm9iKvArnUUI=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "d3de8f69ca88fb6f8b09e5b598be5ac98d28ede5",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"root": {
"inputs": {
"agenix": "agenix",
@ -275,6 +459,7 @@
"home-manager-unstable": "home-manager-unstable",
"impermanence": "impermanence",
"jovian-nixos": "jovian-nixos",
"lanzaboote": "lanzaboote",
"microvm": "microvm",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs",
@ -282,6 +467,31 @@
"nur": "nur"
}
},
"rust-overlay": {
"inputs": {
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1682129965,
"narHash": "sha256-1KRPIorEL6pLpJR04FwAqqnt4Tzcm4MqD84yhlD+XSk=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "2c417c0460b788328220120c698630947547ee83",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"spectrum": {
"flake": false,
"locked": {
@ -327,6 +537,21 @@
"repo": "default",
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",

9
flake.nix
View File

@ -50,9 +50,14 @@
url = "github:Jovian-Experiments/Jovian-NixOS";
inputs.nixpkgs.follows = "nixpkgs-unstable";
};
lanzaboote = {
url = "github:nix-community/lanzaboote/v0.3.0";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = inputs @ { self, nixpkgs, nixpkgs-unstable, nixos-hardware, home-manager, home-manager-unstable, nur, agenix, jovian-nixos, microvm, impermanence, ... }: # Function that tells my flake which to use and what do what to do with the dependencies.
outputs = inputs @ { self, nixpkgs, nixpkgs-unstable, nixos-hardware, home-manager, home-manager-unstable, nur, agenix, jovian-nixos, microvm, impermanence, lanzaboote, ... }: # Function that tells my flake which to use and what do what to do with the dependencies.
let # Variables that can be used in the config files
user = "kabbone";
userdmz = "diablo";
@ -63,7 +68,7 @@
nixosConfigurations = ( # NixOS configurations
import ./hosts { # Imports ./hosts/default.nix
inherit (nixpkgs) lib;
inherit inputs nixpkgs nixpkgs-unstable nixos-hardware home-manager home-manager-unstable nur user userdmz userserver location agenix jovian-nixos microvm impermanence; # Also inherit home-manager so it does not need to be defined here.
inherit inputs nixpkgs nixpkgs-unstable nixos-hardware home-manager home-manager-unstable nur user userdmz userserver location agenix jovian-nixos microvm impermanence lanzaboote; # Also inherit home-manager so it does not need to be defined here.
nix.allowedUsers = [ "@wheel" ];
security.sudo.execWheelOnly = true;
}

8
hosts/default.nix
View File

@ -11,7 +11,7 @@
# └─ ./home.nix
#
{ lib, inputs, nixpkgs, nixpkgs-unstable, nixos-hardware, home-manager, home-manager-unstable, nur, user, userdmz, userserver, location, agenix, jovian-nixos, microvm, impermanence, ... }:
{ lib, inputs, nixpkgs, nixpkgs-unstable, nixos-hardware, home-manager, home-manager-unstable, nur, user, userdmz, userserver, location, agenix, jovian-nixos, microvm, impermanence, lanzaboote, ... }:
let
system = "x86_64-linux"; # System architecture
@ -28,11 +28,12 @@ in
{
desktop = lib.nixosSystem { # Desktop profile
inherit system;
specialArgs = { inherit inputs user location nixos-hardware nur agenix microvm nixpkgs; };
specialArgs = { inherit inputs user location nixos-hardware nur agenix microvm nixpkgs lanzaboote; };
modules = [
agenix.nixosModules.default
nur.nixosModules.nur
microvm.nixosModules.host
lanzaboote.nixosModules.lanzaboote
./desktop
./configuration_desktop.nix
../modules/hardware/remoteBuilder.nix
@ -84,11 +85,12 @@ in
steamdeck = nixpkgs-unstable.lib.nixosSystem { # steamdeck profile
inherit system;
specialArgs = { inherit inputs user location nixos-hardware nur agenix jovian-nixos; };
specialArgs = { inherit inputs user location nixos-hardware nur agenix jovian-nixos lanzaboote; };
modules = [
agenix.nixosModules.default
nur.nixosModules.nur
jovian-nixos.nixosModules.default
lanzaboote.nixosModules.lanzaboote
./steamdeck
./configuration_desktop.nix
#../modules/hardware/remoteClient.nix

9
hosts/desktop/default.nix
View File

@ -17,7 +17,7 @@
# └─ default.nix
#
{ config, nixpkgs, pkgs, user, ... }:
{ config, nixpkgs, pkgs, user, lib, ... }:
{
imports = # For now, if applying to other system, swap files
@ -31,13 +31,18 @@
kernelPackages = pkgs.linuxPackages_latest;
loader = { # EFI Boot
systemd-boot.enable = true;
systemd-boot.enable = lib.mkForce false;
efi = {
canTouchEfiVariables = true;
efiSysMountPoint = "/boot";
};
timeout = 1; # Grub auto select time
};
lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
};
};
# hardware.sane = { # Used for scanning with Xsane

9
hosts/steamdeck/default.nix
View File

@ -17,7 +17,7 @@
# └─ default.nix
#
{ config, pkgs, user, jovian-nixos, ... }:
{ config, pkgs, user, jovian-nixos, lib, ... }:
{
imports = # For now, if applying to other system, swap files
@ -31,13 +31,18 @@
kernelPackages = pkgs.linuxPackages_latest;
loader = { # EFI Boot
systemd-boot.enable = true;
systemd-boot.enable = lib.mkForce false;
efi = {
canTouchEfiVariables = true;
efiSysMountPoint = "/boot";
};
timeout = 1; # Grub auto select time
};
lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
};
};
# hardware.sane = { # Used for scanning with Xsane