diff --git a/flake.lock b/flake.lock index 21cd68a..45b200c 100644 --- a/flake.lock +++ b/flake.lock @@ -70,6 +70,21 @@ "type": "github" } }, + "crane": { + "locked": { + "lastModified": 1731098351, + "narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=", + "owner": "ipetkov", + "repo": "crane", + "rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, "firefox": { "inputs": { "cachix": "cachix", @@ -142,6 +157,22 @@ } }, "flake-compat_4": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_5": { "flake": false, "locked": { "lastModified": 1733328505, @@ -157,7 +188,7 @@ "type": "github" } }, - "flake-compat_5": { + "flake-compat_6": { "flake": false, "locked": { "lastModified": 1696426674, @@ -174,6 +205,27 @@ } }, "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1730504689, + "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "506278e768c2a08bec68eb62932193e341f55c90", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { "inputs": { "nixpkgs-lib": [ "neovim-nightly-overlay", @@ -194,7 +246,7 @@ "type": "github" } }, - "flake-parts_2": { + "flake-parts_3": { "inputs": { "nixpkgs-lib": [ "neovim-nightly-overlay", 
@@ -292,8 +344,8 @@ }, "git-hooks": { "inputs": { - "flake-compat": "flake-compat_5", - "gitignore": "gitignore_2", + "flake-compat": "flake-compat_6", + "gitignore": "gitignore_3", "nixpkgs": [ "neovim-nightly-overlay", "nixpkgs" @@ -336,6 +388,28 @@ } }, "gitignore_2": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "pre-commit-hooks-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "gitignore_3": { "inputs": { "nixpkgs": [ "neovim-nightly-overlay", @@ -359,7 +433,7 @@ }, "hercules-ci-effects": { "inputs": { - "flake-parts": "flake-parts_2", + "flake-parts": "flake-parts_3", "nixpkgs": [ "neovim-nightly-overlay", "nixpkgs" @@ -697,6 +771,32 @@ "type": "github" } }, + "lanzaboote": { + "inputs": { + "crane": "crane", + "flake-compat": "flake-compat_4", + "flake-parts": "flake-parts", + "nixpkgs": [ + "nixpkgs" + ], + "pre-commit-hooks-nix": "pre-commit-hooks-nix", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1737639419, + "narHash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU=", + "owner": "nix-community", + "repo": "lanzaboote", + "rev": "a65905a09e2c43ff63be8c0e86a93712361f871e", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "v0.4.2", + "repo": "lanzaboote", + "type": "github" + } + }, "lib-aggregate": { "inputs": { "flake-utils": "flake-utils", @@ -734,8 +834,8 @@ }, "neovim-nightly-overlay": { "inputs": { - "flake-compat": "flake-compat_4", - "flake-parts": "flake-parts", + "flake-compat": "flake-compat_5", + "flake-parts": "flake-parts_2", "git-hooks": "git-hooks", "hercules-ci-effects": "hercules-ci-effects", "neovim-src": "neovim-src", 
@@ -839,6 +939,22 @@ "type": "github" } }, + "nixpkgs-stable_2": { + "locked": { + "lastModified": 1730741070, + "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs-unstable": { "locked": { "lastModified": 1733229606, @@ -926,6 +1042,33 @@ "type": "github" } }, + "pre-commit-hooks-nix": { + "inputs": { + "flake-compat": [ + "lanzaboote", + "flake-compat" + ], + "gitignore": "gitignore_2", + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable_2" + }, + "locked": { + "lastModified": 1731363552, + "narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "root": { "inputs": { "Hyprspace": "Hyprspace", @@ -936,6 +1079,7 @@ "hyprland": "hyprland", "hyprland-plugins": "hyprland-plugins", "hyprtasking": "hyprtasking", + "lanzaboote": "lanzaboote", "neovim-nightly-overlay": "neovim-nightly-overlay", "nix-index-database": "nix-index-database", "nixpkgs": "nixpkgs_3", @@ -943,6 +1087,27 @@ } }, "rust-overlay": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1731897198, + "narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "0be641045af6d8666c11c2c40e45ffc9667839b5", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, + "rust-overlay_2": { "inputs": { "nixpkgs": [ "yazi", 
@@ -1119,7 +1284,7 @@ "inputs": { "flake-utils": "flake-utils_3", "nixpkgs": "nixpkgs_4", - "rust-overlay": "rust-overlay" + "rust-overlay": "rust-overlay_2" }, "locked": { "lastModified": 1737047842, diff --git a/flake.nix b/flake.nix index 73bb501..2182267 100644 --- a/flake.nix +++ b/flake.nix @@ -50,12 +50,18 @@ }; neovim-nightly-overlay.url = "github:nix-community/neovim-nightly-overlay"; + + lanzaboote = { + url = "github:nix-community/lanzaboote/v0.4.2"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; outputs = { nixpkgs, nix-index-database, + lanzaboote, ... }@inputs: let @@ -77,6 +83,7 @@ dn-pre7780 = nixpkgs.lib.nixosSystem { modules = [ nix-index-database.nixosModules.nix-index + lanzaboote.nixosModules.lanzaboote ./system/dev/dn-pre7780 ]; specialArgs = { @@ -93,6 +100,7 @@ dn-lap = nixpkgs.lib.nixosSystem { modules = [ nix-index-database.nixosModules.nix-index + lanzaboote.nixosModules.lanzaboote ./system/dev/dn-lap ]; specialArgs = { diff --git a/home/user/packages.nix b/home/user/packages.nix index 8108faf..81e8511 100644 --- a/home/user/packages.nix +++ b/home/user/packages.nix @@ -34,6 +34,8 @@ in { home.packages = (with pkgs; [ + opera + # Dev stuff gcc go diff --git a/system/dev/dn-pre7780/default.nix b/system/dev/dn-pre7780/default.nix index 17db029..5234f8c 100644 --- a/system/dev/dn-pre7780/default.nix +++ b/system/dev/dn-pre7780/default.nix @@ -37,6 +37,7 @@ in offload = nvidia-offload-enabled; }) ../../modules/wine.nix + # ../../modules/secure-boot.nix ]; # Overrides diff --git a/system/modules/secure-boot.nix b/system/modules/secure-boot.nix new file mode 100644 index 0000000..095a9e1 --- /dev/null +++ b/system/modules/secure-boot.nix @@ -0,0 +1,12 @@ +{ pkgs, lib, ... }: +{ + environment.systemPackages = with pkgs; [ + sbctl + ]; + + boot.loader.systemd-boot.enable = lib.mkForce false; + boot.lanzaboote = { + enable = true; + pkiBundle = "/var/lib/sbctl/"; + }; +}
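Review bot: The new `lanzaboote` input in flake.nix is referenced by tag (`v0.4.2`), and nothing next to it says that the revision actually built is the `rev`/`narHash` recorded in flake.lock. Since this input provides the tooling that signs the boot chain, I would add a comment above it such as `# Secure Boot tooling: pinned by flake.lock; review the lock diff whenever this input is updated`. The `inputs` attribute set starts outside this hunk.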
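Review bot: `lanzaboote.nixosModules.lanzaboote` is added to dn-pre7780 in this hunk and to dn-lap in the next one, but no hunk in this diff imports `system/modules/secure-boot.nix` for dn-lap, and the dn-pre7780 import is commented out. As far as the diff shows, neither host sets `boot.lanzaboote.enable`, so the module presumably only contributes option declarations for now. A short comment on the entry, for example `# declares boot.lanzaboote.*; enabled per host via system/modules/secure-boot.nix`, would make that intent explicit. Both `nixosSystem` calls continue outside their hunks.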
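Review bot: `opera` is added at the top of `home.packages` without a grouping comment, while the entries that follow sit under `# Dev stuff`, and it is unrelated to the Secure Boot change in the rest of this commit. A heading such as `# Browsers` above it would match the list's existing style. To my knowledge the nixpkgs `opera` package is marked unfree, so it evaluates only where unfree packages are allowed; that setting is not visible in this hunk. The list continues outside the hunk.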
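Review bot: The import `# ../../modules/secure-boot.nix` in system/dev/dn-pre7780/default.nix is added commented out with no reason given, so a later reader cannot tell what has to happen before it is enabled. I would state the precondition on the line above, e.g. `# Disabled until Secure Boot keys exist under /var/lib/sbctl on this host`. The imports list starts and ends outside this hunk.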
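Review bot: `pkiBundle = "/var/lib/sbctl/"` in system/modules/secure-boot.nix points at the directory that holds the private Secure Boot signing keys, and the module carries no comment on that or on why systemd-boot is forced off. I would add a header comment saying that the keys must already exist at this path before the first rebuild with this module, that the directory should stay readable by root only, and that Secure Boot should be switched on in firmware only after the signed boot files have been verified. Above the `mkForce` line a comment such as `# lanzaboote replaces the systemd-boot module` would explain the override. The trailing slash in the path could be dropped, `pkiBundle = "/var/lib/sbctl";`, presumably without changing behavior.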