CaZzzer/nix-conf
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

laptop: add lanboote for secure boot

Browse Source
This commit is contained in:
Yura
2025-11-23 00:23:41 -08:00
parent 91727dd2df
commit 8593abc8a5
4 changed files with 161 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

148
flake.lock generated
View File

@@ -1,5 +1,79 @@
{ {
"nodes": { "nodes": {
"crane": {
"locked": {
"lastModified": 1754269165,
"narHash": "sha256-0tcS8FHd4QjbCVoxN9jI+PjHgA4vc/IjkUSp+N3zy0U=",
"owner": "ipetkov",
"repo": "crane",
"rev": "444e81206df3f7d92780680e45858e31d2f07a08",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1747046372,
"narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1754091436,
"narHash": "sha256-XKqDMN1/Qj1DKivQvscI4vmHfDfvYR2pfuFOJiCeewM=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "67df8c627c2c39c41dbec76a1f201929929ab0bd",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"pre-commit-hooks-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"home-manager": { "home-manager": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@@ -20,6 +94,32 @@
"type": "github" "type": "github"
} }
}, },
"lanzaboote": {
"inputs": {
"crane": "crane",
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
"nixpkgs": [
"nixpkgs"
],
"pre-commit-hooks-nix": "pre-commit-hooks-nix",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1762205063,
"narHash": "sha256-If6vQ+KvtKs3ARBO9G3l+4wFSCYtRBrwX1z+I+B61wQ=",
"owner": "nix-community",
"repo": "lanzaboote",
"rev": "88b8a563ff5704f4e8d8e5118fb911fa2110ca05",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "v0.4.3",
"repo": "lanzaboote",
"type": "github"
}
},
"nixlib": { "nixlib": {
"locked": { "locked": {
"lastModified": 1736643958, "lastModified": 1736643958,
@@ -95,15 +195,63 @@
"type": "github" "type": "github"
} }
}, },
"pre-commit-hooks-nix": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"gitignore": "gitignore",
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1750779888,
"narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"home-manager": "home-manager", "home-manager": "home-manager",
"lanzaboote": "lanzaboote",
"nixos-generators": "nixos-generators", "nixos-generators": "nixos-generators",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"plasma-manager": "plasma-manager", "plasma-manager": "plasma-manager",
"secrix": "secrix" "secrix": "secrix"
} }
}, },
"rust-overlay": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1761791894,
"narHash": "sha256-myRIDh+PxaREz+z9LzbqBJF+SnTFJwkthKDX9zMyddY=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "59c45eb69d9222a4362673141e00ff77842cd219",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"secrix": { "secrix": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [

7
flake.nix
View File

@@ -22,9 +22,13 @@
url = "github:Platonic-Systems/secrix"; url = "github:Platonic-Systems/secrix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
lanzaboote = {
url = "github:nix-community/lanzaboote/v0.4.3";
inputs.nixpkgs.follows = "nixpkgs";
};
}; };
outputs = { self, nixpkgs, home-manager, plasma-manager, nixos-generators, secrix }: outputs = { self, nixpkgs, home-manager, plasma-manager, nixos-generators, secrix, lanzaboote }:
let let
hmModule = file: { hmModule = file: {
imports = [ home-manager.nixosModules.home-manager ]; imports = [ home-manager.nixosModules.home-manager ];
@@ -70,6 +74,7 @@
Yura-TPX13 = nixpkgs.lib.nixosSystem { Yura-TPX13 = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = [
lanzaboote.nixosModules.lanzaboote
./modules ./modules
./hosts/common.nix ./hosts/common.nix
./hosts/common-desktop.nix ./hosts/common-desktop.nix

6
hosts/Yura-TPX13/default.nix
View File

@@ -11,6 +11,12 @@
"sysrq_always_enabled=1" "sysrq_always_enabled=1"
]; ];
boot.loader.systemd-boot.enable = false;
boot.lanzaboote = {
enable = true;
pkiBundle = "/var/lib/sbctl";
};
networking.hostName = "Yura-TPX13"; # Define your hostname. networking.hostName = "Yura-TPX13"; # Define your hostname.
networking.hostId = "8425e349"; # Required for ZFS. networking.hostId = "8425e349"; # Required for ZFS.

5
hosts/common-desktop.nix
View File

@@ -11,10 +11,7 @@
boot.loader = { boot.loader = {
efi.canTouchEfiVariables = true; efi.canTouchEfiVariables = true;
timeout = 3; timeout = 3;
systemd-boot = { systemd-boot.enable = lib.mkDefault true;
enable = true;
configurationLimit = 5;
};
}; };
# https://nixos.wiki/wiki/Accelerated_Video_Playback # https://nixos.wiki/wiki/Accelerated_Video_Playback