diff --git a/flake.lock b/flake.lock index f06d8b1..5350e47 100644 --- a/flake.lock +++ b/flake.lock @@ -23,6 +23,39 @@ "type": "github" } }, + "crane": { + "inputs": { + "flake-compat": [ + "lanzaboote", + "flake-compat" + ], + "flake-utils": [ + "lanzaboote", + "flake-utils" + ], + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ], + "rust-overlay": [ + "lanzaboote", + "rust-overlay" + ] + }, + "locked": { + "lastModified": 1681177078, + "narHash": "sha256-ZNIjBDou2GOabcpctiQykEQVkI8BDwk7TyvlWlI4myE=", + "owner": "ipetkov", + "repo": "crane", + "rev": "0c9f468ff00576577d83f5019a66c557ede5acf6", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, "darwin": { "inputs": { "nixpkgs": [ 
@@ -45,10 +78,65 @@ "type": "github" } }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1680392223, + "narHash": "sha256-n3g7QFr85lDODKt250rkZj2IFS3i4/8HBU2yKHO3tqw=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "dcc36e45d054d7bb554c9cdab69093debd91a0b5", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, "flake-utils": { "inputs": { "systems": "systems_2" }, + "locked": { + "lastModified": 1681202837, + "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "cfacdce06f30d2b68473a46042957675eebb3401", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { + "inputs": { + "systems": "systems_3" + }, "locked": { "lastModified": 1705309234, "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=", @@ -63,6 +151,28 @@ "type": "github" } }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "pre-commit-hooks-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1660459072, + "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ 
@@ -91,11 +201,11 @@ ] }, "locked": { - "lastModified": 1708591310, - "narHash": "sha256-8mQGVs8JccWTnORgoLOTh9zvf6Np+x2JzhIc+LDcJ9s=", + "lastModified": 1708806879, + "narHash": "sha256-MSbxtF3RThI8ANs/G4o1zIqF5/XlShHvwjl9Ws0QAbI=", "owner": "nix-community", "repo": "home-manager", - "rev": "0e0e9669547e45ea6cca2de4044c1a384fd0fe55", + "rev": "4ee704cb13a5a7645436f400b9acc89a67b9c08a", "type": "github" }, "original": { @@ -161,9 +271,36 @@ "type": "github" } }, + "lanzaboote": { + "inputs": { + "crane": "crane", + "flake-compat": "flake-compat", + "flake-parts": "flake-parts", + "flake-utils": "flake-utils", + "nixpkgs": [ + "nixpkgs" + ], + "pre-commit-hooks-nix": "pre-commit-hooks-nix", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1682802423, + "narHash": "sha256-Fb5TeRTdvUlo/5Yi2d+FC8a6KoRLk2h1VE0/peMhWPs=", + "owner": "nix-community", + "repo": "lanzaboote", + "rev": "64b903ca87d18cef2752c19c098af275c6e51d63", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "v0.3.0", + "repo": "lanzaboote", + "type": "github" + } + }, "microvm": { "inputs": { - "flake-utils": "flake-utils", + "flake-utils": "flake-utils_2", "nixpkgs": [ "nixpkgs" ], @@ -223,11 +360,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1708566995, - "narHash": "sha256-e/THimsoxxMAHSbwMKov5f5Yg+utTj6XVGEo24Lhx+0=", + "lastModified": 1708702655, + "narHash": "sha256-qxT5jSLhelfLhQ07+AUxSTm1VnVH+hQxDkQSZ/m/Smo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3cb4ae6689d2aa3f363516234572613b31212b78", + "rev": "c5101e457206dd437330d283d6626944e28794b3", "type": "github" }, "original": { 
@@ -237,6 +374,22 @@ "type": "github" } }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1678872516, + "narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "9b8e5abb18324c7fe9f07cb100c3cd4a29cda8b8", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-22.11", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs-unstable": { "locked": { "lastModified": 1708655239, @@ -255,11 +408,11 @@ }, "nur": { "locked": { - "lastModified": 1708769742, - "narHash": "sha256-/nCOWn+40MqmgP2erjP9lLCtYzaY19Vhmaqix5JLxHA=", + "lastModified": 1708806201, + "narHash": "sha256-kZv5LWZaR1N1Jz+3S3OBWadCXyOAdmi2heKfCmjmkYw=", "owner": "nix-community", "repo": "NUR", - "rev": "919856228550477509e5a64e0f5bc8303f5103f6", + "rev": "deb67c142317827d32256bb0df1fc96be237a177", "type": "github" }, "original": { @@ -268,6 +421,37 @@ "type": "github" } }, + "pre-commit-hooks-nix": { + "inputs": { + "flake-compat": [ + "lanzaboote", + "flake-compat" + ], + "flake-utils": [ + "lanzaboote", + "flake-utils" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1681413034, + "narHash": "sha256-/t7OjNQcNkeWeSq/CFLYVBfm+IEnkjoSm9iKvArnUUI=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "d3de8f69ca88fb6f8b09e5b598be5ac98d28ede5", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "root": { "inputs": { "agenix": "agenix", @@ -275,6 +459,7 @@ "home-manager-unstable": "home-manager-unstable", "impermanence": "impermanence", "jovian-nixos": "jovian-nixos", + "lanzaboote": "lanzaboote", "microvm": "microvm", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", 
@@ -282,6 +467,31 @@
 "nur": "nur"
 }
 },
+ "rust-overlay": {
+ "inputs": {
+ "flake-utils": [
+ "lanzaboote",
+ "flake-utils"
+ ],
+ "nixpkgs": [
+ "lanzaboote",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1682129965,
+ "narHash": "sha256-1KRPIorEL6pLpJR04FwAqqnt4Tzcm4MqD84yhlD+XSk=",
+ "owner": "oxalica",
+ "repo": "rust-overlay",
+ "rev": "2c417c0460b788328220120c698630947547ee83",
+ "type": "github"
+ },
+ "original": {
+ "owner": "oxalica",
+ "repo": "rust-overlay",
+ "type": "github"
+ }
+ },
 "spectrum": {
 "flake": false,
 "locked": {
@@ -327,6 +537,21 @@
 "repo": "default",
 "type": "github"
 }
+ },
+ "systems_3": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
 }
 },
 "root": "root",
diff --git a/flake.nix b/flake.nix
index 9a4f426..5b26430 100644
--- a/flake.nix
+++ b/flake.nix
@@ -50,9 +50,14 @@
 url = "github:Jovian-Experiments/Jovian-NixOS";
 inputs.nixpkgs.follows = "nixpkgs-unstable";
 };
+
+ lanzaboote = {
+ url = "github:nix-community/lanzaboote/v0.3.0";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
 
- outputs = inputs @ { self, nixpkgs, nixpkgs-unstable, nixos-hardware, home-manager, home-manager-unstable, nur, agenix, jovian-nixos, microvm, impermanence, ... }: # Function that tells my flake which to use and what do what to do with the dependencies.
+ outputs = inputs @ { self, nixpkgs, nixpkgs-unstable, nixos-hardware, home-manager, home-manager-unstable, nur, agenix, jovian-nixos, microvm, impermanence, lanzaboote, ... }: # Function that tells my flake which to use and what do what to do with the dependencies.
 let # Variables that can be used in the config files
 user = "kabbone";
 userdmz = "diablo";
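Review bot: The new `lanzaboote` input is pinned to tag v0.3.0 yet told to follow the root `nixpkgs`, so the lock pairs a lanzaboote revision stamped 1682802423 with a nixpkgs stamped 1708702655 (about ten months newer), while lanzaboote's own `crane` and `rust-overlay` inputs stay at their April 2023 locks. That pairing is unlikely to be the one the v0.3.0 release was exercised against, so it is worth confirming that both hosts still evaluate and build before the change is relied on for booting. Because this input provides the Secure Boot tooling that consumes the signing keys, tracking a more recent release is preferable to a year-old tag; either way, document the pin on the input: `# Secure Boot tooling (lanzaboote); pinned to a tagged release, bump deliberately and re-check the nixpkgs pairing`. The enclosing `inputs = { … }` set starts before this hunk.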
@@ -63,7 +68,7 @@
 nixosConfigurations = ( # NixOS configurations
 import ./hosts { # Imports ./hosts/default.nix
 inherit (nixpkgs) lib;
- inherit inputs nixpkgs nixpkgs-unstable nixos-hardware home-manager home-manager-unstable nur user userdmz userserver location agenix jovian-nixos microvm impermanence; # Also inherit home-manager so it does not need to be defined here.
+ inherit inputs nixpkgs nixpkgs-unstable nixos-hardware home-manager home-manager-unstable nur user userdmz userserver location agenix jovian-nixos microvm impermanence lanzaboote; # Also inherit home-manager so it does not need to be defined here.
 nix.allowedUsers = [ "@wheel" ];
 security.sudo.execWheelOnly = true;
 }
diff --git a/hosts/default.nix b/hosts/default.nix
index b6052a2..5b22f8a 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -11,7 +11,7 @@
 # └─ ./home.nix
 #
 
-{ lib, inputs, nixpkgs, nixpkgs-unstable, nixos-hardware, home-manager, home-manager-unstable, nur, user, userdmz, userserver, location, agenix, jovian-nixos, microvm, impermanence, ... }:
+{ lib, inputs, nixpkgs, nixpkgs-unstable, nixos-hardware, home-manager, home-manager-unstable, nur, user, userdmz, userserver, location, agenix, jovian-nixos, microvm, impermanence, lanzaboote, ... }:
 
 let
 system = "x86_64-linux"; # System architecture
@@ -28,11 +28,12 @@ in
 {
 desktop = lib.nixosSystem { # Desktop profile
 inherit system;
- specialArgs = { inherit inputs user location nixos-hardware nur agenix microvm nixpkgs; };
+ specialArgs = { inherit inputs user location nixos-hardware nur agenix microvm nixpkgs lanzaboote; };
 modules = [
 agenix.nixosModules.default
 nur.nixosModules.nur
 microvm.nixosModules.host
+ lanzaboote.nixosModules.lanzaboote
 ./desktop
 ./configuration_desktop.nix
 ../modules/hardware/remoteBuilder.nix
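Review bot: `lanzaboote` is threaded by hand through three layers here — the `inherit … lanzaboote` in flake.nix, the argument list of hosts/default.nix and the desktop `specialArgs` — although `inputs` is already inherited on the same line and already present in `specialArgs`, so the same flake input is reachable everywhere as `inputs.lanzaboote`; the steamdeck hunk on the next line repeats the pattern. Writing `inputs.lanzaboote.nixosModules.lanzaboote` in the `modules` list would leave all three signatures untouched and keep the already long, positional-looking argument list of hosts/default.nix from growing further. If the explicit argument is kept to match the neighbouring inputs, a short comment on the `inherit` line in flake.nix noting that every flake input is forwarded by name to ./hosts would make that convention visible to the next reader.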
@@ -84,11 +85,12 @@ in
 
 steamdeck = nixpkgs-unstable.lib.nixosSystem { # steamdeck profile
 inherit system;
- specialArgs = { inherit inputs user location nixos-hardware nur agenix jovian-nixos; };
+ specialArgs = { inherit inputs user location nixos-hardware nur agenix jovian-nixos lanzaboote; };
 modules = [
 agenix.nixosModules.default
 nur.nixosModules.nur
 jovian-nixos.nixosModules.default
+ lanzaboote.nixosModules.lanzaboote
 ./steamdeck
 ./configuration_desktop.nix
 #../modules/hardware/remoteClient.nix
diff --git a/hosts/desktop/default.nix b/hosts/desktop/default.nix
index 6ef5033..83723f3 100644
--- a/hosts/desktop/default.nix
+++ b/hosts/desktop/default.nix
@@ -17,7 +17,7 @@
 # └─ default.nix
 #
 
-{ config, nixpkgs, pkgs, user, ... }:
+{ config, nixpkgs, pkgs, user, lib, ... }:
 
 {
 imports = # For now, if applying to other system, swap files
@@ -31,13 +31,18 @@
 
 kernelPackages = pkgs.linuxPackages_latest;
 loader = { # EFI Boot
- systemd-boot.enable = true;
+ systemd-boot.enable = lib.mkForce false;
 efi = {
 canTouchEfiVariables = true;
 efiSysMountPoint = "/boot";
 };
 timeout = 1; # Grub auto select time
 };
+
+ lanzaboote = {
+ enable = true;
+ pkiBundle = "/etc/secureboot";
+ };
 };
 
 # hardware.sane = { # Used for scanning with Xsane
diff --git a/hosts/steamdeck/default.nix b/hosts/steamdeck/default.nix
index 30930f5..84a2aea 100644
--- a/hosts/steamdeck/default.nix
+++ b/hosts/steamdeck/default.nix
@@ -17,7 +17,7 @@
 # └─ default.nix
 #
 
-{ config, pkgs, user, jovian-nixos, ... }:
+{ config, pkgs, user, jovian-nixos, lib, ... }:
 
 {
 imports = # For now, if applying to other system, swap files
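Review bot: `pkiBundle = "/etc/secureboot"` in the hosts/desktop/default.nix boot hunk is rightly a string rather than an unquoted path — a path literal would be copied into the world-readable Nix store together with the private signing keys — but nothing in the block records that, and the reason for forcing `systemd-boot.enable` off is equally undocumented. Add a comment above the new `lanzaboote` set such as `# Secure Boot via lanzaboote: systemd-boot's own installer is forced off and the signing keys are read from this directory when lanzaboote installs the boot entries; keep it a string so the PKI bundle never lands in the store, and prepare it (root-only) before the first rebuild`. The flake also carries an `impermanence` input; if this host uses it, `/etc/secureboot` must be among the persisted paths or the keys are gone after a reboot — worth confirming. The identical block is added to hosts/steamdeck/default.nix in the next hunk, and the `boot = { … }` set both hunks edit begins before the hunk.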
@@ -31,13 +31,18 @@
 
 kernelPackages = pkgs.linuxPackages_latest;
 loader = { # EFI Boot
- systemd-boot.enable = true;
+ systemd-boot.enable = lib.mkForce false;
 efi = {
 canTouchEfiVariables = true;
 efiSysMountPoint = "/boot";
 };
 timeout = 1; # Grub auto select time
 };
+
+ lanzaboote = {
+ enable = true;
+ pkiBundle = "/etc/secureboot";
+ };
 };
 
 # hardware.sane = { # Used for scanning with Xsane
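Review bot: This block duplicates, line for line, the one added to hosts/desktop/default.nix in the previous hunk (the `lib.mkForce false` on systemd-boot and the `lanzaboote` set), so the two hosts' Secure Boot settings will drift the first time only one of them is edited. Moving it into a single module under `../modules/` and listing that module in both hosts' `modules` lists in hosts/default.nix gives one place to review the settings and also removes the need to add `lib` to each host's argument list. The `boot = { … }` set this hunk edits begins before the hunk.
```nix
# Shared Secure Boot module (file name is a placeholder; put it alongside ../modules/hardware/)
{ lib, ... }:
{
  boot = {
    # Stock systemd-boot installer is forced off; lanzaboote manages the signed ESP entries instead.
    loader.systemd-boot.enable = lib.mkForce false;
    lanzaboote = {
      enable = true;
      # A string on purpose: a path literal would copy the signing keys into the Nix store.
      pkiBundle = "/etc/secureboot";
    };
  };
}
```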