1
0
Fork 0

Configure secure boot

This commit is contained in:
Avery 2025-01-15 15:29:58 +01:00
parent 048f5d7d20
commit 016d6413a7
3 changed files with 256 additions and 88 deletions

308
flake.lock generated
View file

@ -21,6 +21,27 @@
"type": "github" "type": "github"
} }
}, },
"crane": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1717535930,
"narHash": "sha256-1hZ/txnbd/RmiBPNUs7i8UQw2N89uAK3UzrGAWdnFfU=",
"owner": "ipetkov",
"repo": "crane",
"rev": "55e7754ec31dac78980c8be45f8a28e80e370946",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"devshell": { "devshell": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -29,11 +50,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1728330715, "lastModified": 1735644329,
"narHash": "sha256-xRJ2nPOXb//u1jaBnDP56M7v5ldavjbtR6lfGqSvcKg=", "narHash": "sha256-tO3HrHriyLvipc4xr+Ewtdlo7wM1OjXNjlWRgmM7peY=",
"owner": "numtide", "owner": "numtide",
"repo": "devshell", "repo": "devshell",
"rev": "dd6b80932022cea34a019e2bb32f6fa9e494dfef", "rev": "f7795ede5b02664b57035b3b757876703e2c3eac",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -43,6 +64,22 @@
} }
}, },
"flake-compat": { "flake-compat": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"locked": { "locked": {
"lastModified": 1696426674, "lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
@ -57,6 +94,27 @@
} }
}, },
"flake-parts": { "flake-parts": {
"inputs": {
"nixpkgs-lib": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1717285511,
"narHash": "sha256-iKzJcpdXih14qYVcZ9QC9XuZYnPc6T8YImb6dX166kw=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "2a55567fcf15b1b1c7ed712a2c6fadaec7412ea8",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_2": {
"inputs": { "inputs": {
"nixpkgs-lib": [ "nixpkgs-lib": [
"nixvim", "nixvim",
@ -64,11 +122,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1733312601, "lastModified": 1736143030,
"narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=", "narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "flake-parts", "repo": "flake-parts",
"rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9", "rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -81,6 +139,24 @@
"inputs": { "inputs": {
"systems": "systems_2" "systems": "systems_2"
}, },
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems_3"
},
"locked": { "locked": {
"lastModified": 1731533236, "lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
@ -101,22 +177,18 @@
"nixvim", "nixvim",
"flake-compat" "flake-compat"
], ],
"gitignore": "gitignore", "gitignore": "gitignore_2",
"nixpkgs": [ "nixpkgs": [
"nixvim", "nixvim",
"nixpkgs" "nixpkgs"
],
"nixpkgs-stable": [
"nixvim",
"nixpkgs"
] ]
}, },
"locked": { "locked": {
"lastModified": 1733318908, "lastModified": 1735882644,
"narHash": "sha256-SVQVsbafSM1dJ4fpgyBqLZ+Lft+jcQuMtEL3lQWx2Sk=", "narHash": "sha256-3FZAG+pGt3OElQjesCAWeMkQ7C/nB1oTHLRQ8ceP110=",
"owner": "cachix", "owner": "cachix",
"repo": "git-hooks.nix", "repo": "git-hooks.nix",
"rev": "6f4e2a2112050951a314d2733a994fbab94864c6", "rev": "a5a961387e75ae44cc20f0a57ae463da5e959656",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -126,6 +198,28 @@
} }
}, },
"gitignore": { "gitignore": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"pre-commit-hooks-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"gitignore_2": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixvim", "nixvim",
@ -154,11 +248,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1733769654, "lastModified": 1736508663,
"narHash": "sha256-aVvYDt8eitZVF6fdOrSoIzYRkQ5Gh6kfRvqkiaDRLL0=", "narHash": "sha256-ZOaGwa+WnB7Zn3YXimqjmIugAnHePdXCmNu+AHkq808=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "e952e94955dcc6fa2120c1430789fc41363f5237", "rev": "2532b500c3ed2b8940e831039dcec5a5ea093afc",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -175,32 +269,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1733484277, "lastModified": 1736508663,
"narHash": "sha256-i5ay20XsvpW91N4URET/nOc0VQWOAd4c4vbqYtcH8Rc=", "narHash": "sha256-ZOaGwa+WnB7Zn3YXimqjmIugAnHePdXCmNu+AHkq808=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "d00c6f6d0ad16d598bf7e2956f52c1d9d5de3c3a", "rev": "2532b500c3ed2b8940e831039dcec5a5ea093afc",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"home-manager_3": {
"inputs": {
"nixpkgs": [
"plasma-manager",
"nixpkgs"
]
},
"locked": {
"lastModified": 1714377222,
"narHash": "sha256-UsDsjWCKlWn8vbXi8Zza9Hkq3xyk8fpvFNo2VM5S74E=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "2af7c78b7bb9cf18406a193eba13ef9f99388f49",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -237,6 +310,33 @@
"type": "github" "type": "github"
} }
}, },
"lanzaboote": {
"inputs": {
"crane": "crane",
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
],
"pre-commit-hooks-nix": "pre-commit-hooks-nix",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1718178907,
"narHash": "sha256-eSZyrQ9uoPB9iPQ8Y5H7gAmAgAvCw3InStmU3oEjqsE=",
"owner": "nix-community",
"repo": "lanzaboote",
"rev": "b627ccd97d0159214cee5c7db1412b75e4be6086",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "v0.4.1",
"repo": "lanzaboote",
"type": "github"
}
},
"nix-darwin": { "nix-darwin": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -245,11 +345,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1733570843, "lastModified": 1736370755,
"narHash": "sha256-sQJAxY1TYWD1UyibN/FnN97paTFuwBw3Vp3DNCyKsMk=", "narHash": "sha256-iWcjToBpx4PUd74uqvIGAfqqVfyrvRLRauC/SxEKIF0=",
"owner": "lnl7", "owner": "lnl7",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "a35b08d09efda83625bef267eb24347b446c80b8", "rev": "57733bd1dc81900e13438e5b4439239f1b29db0e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -260,11 +360,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1733759999, "lastModified": 1736344531,
"narHash": "sha256-463SNPWmz46iLzJKRzO3Q2b0Aurff3U1n0nYItxq7jU=", "narHash": "sha256-8YVQ9ZbSfuUk2bUf2KRj60NRraLPKPS0Q4QFTbc+c2c=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "a73246e2eef4c6ed172979932bc80e1404ba2d56", "rev": "bffc22eb12172e6db3c5dde9e3e5628f8e3e7912",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -274,11 +374,27 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-stable": {
"locked": {
"lastModified": 1710695816,
"narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "614b4613980a522ba49f0d194531beddbb7220d3",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixvim": { "nixvim": {
"inputs": { "inputs": {
"devshell": "devshell", "devshell": "devshell",
"flake-compat": "flake-compat", "flake-compat": "flake-compat_2",
"flake-parts": "flake-parts", "flake-parts": "flake-parts_2",
"git-hooks": "git-hooks", "git-hooks": "git-hooks",
"home-manager": "home-manager_2", "home-manager": "home-manager_2",
"nix-darwin": "nix-darwin", "nix-darwin": "nix-darwin",
@ -289,11 +405,11 @@
"treefmt-nix": "treefmt-nix" "treefmt-nix": "treefmt-nix"
}, },
"locked": { "locked": {
"lastModified": 1733847310, "lastModified": 1736598781,
"narHash": "sha256-VHzWuZYK/m5OFXzAczrjnI7vH6knj0sfLnziRVDqgFE=", "narHash": "sha256-Y0o9ahm6Kk0DumTo80/vKspkHOkbtFgKCNiICyRjhMs=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixvim", "repo": "nixvim",
"rev": "b752606681ded3f69e99ed568c7075b3578dce48", "rev": "2fc2132a78753fc3d7ec732044eff7ad69530055",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -304,7 +420,7 @@
}, },
"nuschtosSearch": { "nuschtosSearch": {
"inputs": { "inputs": {
"flake-utils": "flake-utils", "flake-utils": "flake-utils_2",
"ixx": "ixx", "ixx": "ixx",
"nixpkgs": [ "nixpkgs": [
"nixvim", "nixvim",
@ -312,11 +428,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1733411491, "lastModified": 1735854821,
"narHash": "sha256-315rJ7O9cOllPDaFscnJhcMleORHbxon0Kq9LAKJ5p4=", "narHash": "sha256-Iv59gMDZajNfezTO0Fw6LHE7uKAShxbvMidmZREit7c=",
"owner": "NuschtOS", "owner": "NuschtOS",
"repo": "search", "repo": "search",
"rev": "68e9fad70d95d08156cf10a030bd39487bed8ffe", "rev": "836908e3bddd837ae0f13e215dd48767aee355f0",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -325,24 +441,30 @@
"type": "github" "type": "github"
} }
}, },
"plasma-manager": { "pre-commit-hooks-nix": {
"inputs": { "inputs": {
"home-manager": "home-manager_3", "flake-compat": [
"lanzaboote",
"flake-compat"
],
"gitignore": "gitignore",
"nixpkgs": [ "nixpkgs": [
"lanzaboote",
"nixpkgs" "nixpkgs"
] ],
"nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
"lastModified": 1733858086, "lastModified": 1717664902,
"narHash": "sha256-h2BDIDKiqgMpA6E+mu0RgMGy3FeM6k+EuJ9xgOQ1+zw=", "narHash": "sha256-7XfBuLULizXjXfBYy/VV+SpYMHreNRHk9nKMsm1bgb4=",
"owner": "pjones", "owner": "cachix",
"repo": "plasma-manager", "repo": "pre-commit-hooks.nix",
"rev": "7e2010249529931a3848054d5ff0dbf24675ab68", "rev": "cc4d466cb1254af050ff7bdf47f6d404a7c646d1",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "pjones", "owner": "cachix",
"repo": "plasma-manager", "repo": "pre-commit-hooks.nix",
"type": "github" "type": "github"
} }
}, },
@ -350,12 +472,37 @@
"inputs": { "inputs": {
"ags": "ags", "ags": "ags",
"home-manager": "home-manager", "home-manager": "home-manager",
"lanzaboote": "lanzaboote",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nixvim": "nixvim", "nixvim": "nixvim",
"plasma-manager": "plasma-manager",
"sops-nix": "sops-nix" "sops-nix": "sops-nix"
} }
}, },
"rust-overlay": {
"inputs": {
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1717813066,
"narHash": "sha256-wqbRwq3i7g5EHIui0bIi84mdqZ/It1AXBSLJ5tafD28=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "6dc3e45fe4aee36efeed24d64fc68b1f989d5465",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"sops-nix": { "sops-nix": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -363,11 +510,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1733785344, "lastModified": 1736515725,
"narHash": "sha256-pm4cfEcPXripE36PYCl0A2Tu5ruwHEvTee+HzNk+SQE=", "narHash": "sha256-4P99yL8vGehwzytkpP87eklBePt6aqeEC5JFsIzhfUs=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "a80af8929781b5fe92ddb8ae52e9027fae780d2a", "rev": "f214c1b76c347a4e9c8fb68c73d4293a6820d125",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -406,6 +553,21 @@
"type": "github" "type": "github"
} }
}, },
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"treefmt-nix": { "treefmt-nix": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -414,11 +576,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1733440889, "lastModified": 1736154270,
"narHash": "sha256-qKL3vjO+IXFQ0nTinFDqNq/sbbnnS5bMI1y0xX215fU=", "narHash": "sha256-p2r8xhQZ3TYIEKBoiEhllKWQqWNJNoT9v64Vmg4q8Zw=",
"owner": "numtide", "owner": "numtide",
"repo": "treefmt-nix", "repo": "treefmt-nix",
"rev": "50862ba6a8a0255b87377b9d2d4565e96f29b410", "rev": "13c913f5deb3a5c08bb810efd89dc8cb24dd968b",
"type": "github" "type": "github"
}, },
"original": { "original": {

View file

@ -15,15 +15,15 @@
url = "github:Mic92/sops-nix"; url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
plasma-manager = {
url = "github:pjones/plasma-manager";
inputs.nixpkgs.follows = "nixpkgs";
};
ags = { ags = {
# url = "github:Aylur/ags"; # url = "github:Aylur/ags";
url = "github:aveeryy/ags"; url = "github:aveeryy/ags";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
lanzaboote = {
url = "github:nix-community/lanzaboote/v0.4.1";
inputs.nixpkgs.follows = "nixpkgs";
};
}; };
outputs = { self, nixpkgs, ... }@inputs: { outputs = { self, nixpkgs, ... }@inputs: {
@ -35,6 +35,7 @@
./hosts/totsugeki/nixos ./hosts/totsugeki/nixos
inputs.sops-nix.nixosModules.sops inputs.sops-nix.nixosModules.sops
inputs.home-manager.nixosModules.home-manager inputs.home-manager.nixosModules.home-manager
inputs.lanzaboote.nixosModules.lanzaboote
{ {
home-manager = { home-manager = {
backupFileExtension = "bak"; backupFileExtension = "bak";
@ -43,7 +44,6 @@
imports = [ imports = [
inputs.ags.homeManagerModules.default inputs.ags.homeManagerModules.default
inputs.nixvim.homeManagerModules.nixvim inputs.nixvim.homeManagerModules.nixvim
inputs.plasma-manager.homeManagerModules.plasma-manager
./common/home.nix ./common/home.nix
./common/zsh.nix ./common/zsh.nix
./hosts/totsugeki/home-manager ./hosts/totsugeki/home-manager

View file

@ -8,21 +8,27 @@
kernelParams = [ "video=DP-1:2560x1440@165" ]; kernelParams = [ "video=DP-1:2560x1440@165" ];
initrd.availableKernelModules = initrd.availableKernelModules =
[ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
lanzaboote = {
enable = true;
pkiBundle = "/var/lib/sbctl";
};
loader = { loader = {
grub = { systemd-boot = {
enable = true; enable = lib.mkForce false;
device = "nodev"; configurationLimit = 10;
efiSupport = true; consoleMode = "max";
gfxmodeEfi = "2560x1440"; editor = false;
useOSProber = true; windows."11" = {
title = "Windows 11 Pro N";
efiDeviceHandle = "HD2d";
};
}; };
systemd-boot.enable = false;
efi.canTouchEfiVariables = true; efi.canTouchEfiVariables = true;
}; };
supportedFilesystems = [ "ntfs" ]; supportedFilesystems = [ "ntfs" ];
}; };
environment.systemPackages = with pkgs; [ ffmpeg-full gparted ]; environment.systemPackages = with pkgs; [ ffmpeg-full gparted sbctl ];
hardware.i2c.enable = true; hardware.i2c.enable = true;
@ -125,8 +131,8 @@
}; };
udisks2.enable = true; udisks2.enable = true;
udev.extraRules = '' udev.extraRules = ''
SUBSYSTEM=="usb", ATTRS{idVendor}=="057e", ATTRS{idProduct}=="3000", MODE="0666" SUBSYSTEM=="usb", ATTRS{idVendor}=="057e", ATTRS{idProduct}=="3000", MODE="0666"
# Atmel DFU # Atmel DFU
### ATmega16U2 ### ATmega16U2
SUBSYSTEMS=="usb", ATTRS{idVendor}=="03eb", ATTRS{idProduct}=="2fef", TAG+="uaccess" SUBSYSTEMS=="usb", ATTRS{idVendor}=="03eb", ATTRS{idProduct}=="2fef", TAG+="uaccess"
### ATmega32U2 ### ATmega32U2