dachxy/nix-conf
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: secure boot

Browse source
This commit is contained in:
DACHXY 2025-02-18 14:19:29 +08:00
parent 0d86e300e5
commit 6e86a1eb28
5 changed files with 196 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

181
flake.lock generated
View file

@ -70,6 +70,21 @@
"type": "github" "type": "github"
} }
}, },
"crane": {
"locked": {
"lastModified": 1731098351,
"narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=",
"owner": "ipetkov",
"repo": "crane",
"rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"firefox": { "firefox": {
"inputs": { "inputs": {
"cachix": "cachix", "cachix": "cachix",
@ -142,6 +157,22 @@
} }
}, },
"flake-compat_4": { "flake-compat_4": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_5": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1733328505, "lastModified": 1733328505,
@ -157,7 +188,7 @@
"type": "github" "type": "github"
} }
}, },
"flake-compat_5": { "flake-compat_6": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1696426674, "lastModified": 1696426674,
@ -174,6 +205,27 @@
} }
}, },
"flake-parts": { "flake-parts": {
"inputs": {
"nixpkgs-lib": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1730504689,
"narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "506278e768c2a08bec68eb62932193e341f55c90",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_2": {
"inputs": { "inputs": {
"nixpkgs-lib": [ "nixpkgs-lib": [
"neovim-nightly-overlay", "neovim-nightly-overlay",
@ -194,7 +246,7 @@
"type": "github" "type": "github"
} }
}, },
"flake-parts_2": { "flake-parts_3": {
"inputs": { "inputs": {
"nixpkgs-lib": [ "nixpkgs-lib": [
"neovim-nightly-overlay", "neovim-nightly-overlay",
@ -292,8 +344,8 @@
}, },
"git-hooks": { "git-hooks": {
"inputs": { "inputs": {
"flake-compat": "flake-compat_5", "flake-compat": "flake-compat_6",
"gitignore": "gitignore_2", "gitignore": "gitignore_3",
"nixpkgs": [ "nixpkgs": [
"neovim-nightly-overlay", "neovim-nightly-overlay",
"nixpkgs" "nixpkgs"
@ -336,6 +388,28 @@
} }
}, },
"gitignore_2": { "gitignore_2": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"pre-commit-hooks-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"gitignore_3": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"neovim-nightly-overlay", "neovim-nightly-overlay",
@ -359,7 +433,7 @@
}, },
"hercules-ci-effects": { "hercules-ci-effects": {
"inputs": { "inputs": {
"flake-parts": "flake-parts_2", "flake-parts": "flake-parts_3",
"nixpkgs": [ "nixpkgs": [
"neovim-nightly-overlay", "neovim-nightly-overlay",
"nixpkgs" "nixpkgs"
@ -697,6 +771,32 @@
"type": "github" "type": "github"
} }
}, },
"lanzaboote": {
"inputs": {
"crane": "crane",
"flake-compat": "flake-compat_4",
"flake-parts": "flake-parts",
"nixpkgs": [
"nixpkgs"
],
"pre-commit-hooks-nix": "pre-commit-hooks-nix",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1737639419,
"narHash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU=",
"owner": "nix-community",
"repo": "lanzaboote",
"rev": "a65905a09e2c43ff63be8c0e86a93712361f871e",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "v0.4.2",
"repo": "lanzaboote",
"type": "github"
}
},
"lib-aggregate": { "lib-aggregate": {
"inputs": { "inputs": {
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
@ -734,8 +834,8 @@
}, },
"neovim-nightly-overlay": { "neovim-nightly-overlay": {
"inputs": { "inputs": {
"flake-compat": "flake-compat_4", "flake-compat": "flake-compat_5",
"flake-parts": "flake-parts", "flake-parts": "flake-parts_2",
"git-hooks": "git-hooks", "git-hooks": "git-hooks",
"hercules-ci-effects": "hercules-ci-effects", "hercules-ci-effects": "hercules-ci-effects",
"neovim-src": "neovim-src", "neovim-src": "neovim-src",
@ -839,6 +939,22 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-stable_2": {
"locked": {
"lastModified": 1730741070,
"narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1733229606, "lastModified": 1733229606,
@ -926,6 +1042,33 @@
"type": "github" "type": "github"
} }
}, },
"pre-commit-hooks-nix": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"gitignore": "gitignore_2",
"nixpkgs": [
"lanzaboote",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable_2"
},
"locked": {
"lastModified": 1731363552,
"narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"Hyprspace": "Hyprspace", "Hyprspace": "Hyprspace",
@ -936,6 +1079,7 @@
"hyprland": "hyprland", "hyprland": "hyprland",
"hyprland-plugins": "hyprland-plugins", "hyprland-plugins": "hyprland-plugins",
"hyprtasking": "hyprtasking", "hyprtasking": "hyprtasking",
"lanzaboote": "lanzaboote",
"neovim-nightly-overlay": "neovim-nightly-overlay", "neovim-nightly-overlay": "neovim-nightly-overlay",
"nix-index-database": "nix-index-database", "nix-index-database": "nix-index-database",
"nixpkgs": "nixpkgs_3", "nixpkgs": "nixpkgs_3",
@ -943,6 +1087,27 @@
} }
}, },
"rust-overlay": { "rust-overlay": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1731897198,
"narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "0be641045af6d8666c11c2c40e45ffc9667839b5",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"rust-overlay_2": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"yazi", "yazi",
@ -1119,7 +1284,7 @@
"inputs": { "inputs": {
"flake-utils": "flake-utils_3", "flake-utils": "flake-utils_3",
"nixpkgs": "nixpkgs_4", "nixpkgs": "nixpkgs_4",
"rust-overlay": "rust-overlay" "rust-overlay": "rust-overlay_2"
}, },
"locked": { "locked": {
"lastModified": 1737047842, "lastModified": 1737047842,

8
flake.nix
View file

@ -50,12 +50,18 @@
}; };
neovim-nightly-overlay.url = "github:nix-community/neovim-nightly-overlay"; neovim-nightly-overlay.url = "github:nix-community/neovim-nightly-overlay";
lanzaboote = {
url = "github:nix-community/lanzaboote/v0.4.2";
inputs.nixpkgs.follows = "nixpkgs";
};
}; };
outputs = outputs =
{ {
nixpkgs, nixpkgs,
nix-index-database, nix-index-database,
lanzaboote,
... ...
}@inputs: }@inputs:
let let
@ -77,6 +83,7 @@
dn-pre7780 = nixpkgs.lib.nixosSystem { dn-pre7780 = nixpkgs.lib.nixosSystem {
modules = [ modules = [
nix-index-database.nixosModules.nix-index nix-index-database.nixosModules.nix-index
lanzaboote.nixosModules.lanzaboote
./system/dev/dn-pre7780 ./system/dev/dn-pre7780
]; ];
specialArgs = { specialArgs = {
@ -93,6 +100,7 @@
dn-lap = nixpkgs.lib.nixosSystem { dn-lap = nixpkgs.lib.nixosSystem {
modules = [ modules = [
nix-index-database.nixosModules.nix-index nix-index-database.nixosModules.nix-index
lanzaboote.nixosModules.lanzaboote
./system/dev/dn-lap ./system/dev/dn-lap
]; ];
specialArgs = { specialArgs = {

2
home/user/packages.nix
View file

@ -34,6 +34,8 @@ in
{ {
home.packages = home.packages =
(with pkgs; [ (with pkgs; [
opera
# Dev stuff # Dev stuff
gcc gcc
go go

1
system/dev/dn-pre7780/default.nix
View file

@ -37,6 +37,7 @@ in
offload = nvidia-offload-enabled; offload = nvidia-offload-enabled;
}) })
../../modules/wine.nix ../../modules/wine.nix
# ../../modules/secure-boot.nix
]; ];
# Overrides # Overrides

12
system/modules/secure-boot.nix Normal file
View file

@ -0,0 +1,12 @@
{ pkgs, lib, ... }:
{
environment.systemPackages = with pkgs; [
sbctl
];
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.lanzaboote = {
enable = true;
pkiBundle = "/var/lib/sbctl/";
};
}