servius/dotfiles
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

[feat] Add secureboot

Browse Source
This commit is contained in:
uttarayan21
2024-02-22 17:44:20 +05:30
parent ed82e4eec4
commit 4a7cc1121c
5 changed files with 237 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

222
config/nix/flake.lock generated
View File

@@ -115,6 +115,27 @@
"type": "github"
}
},
"crane_2": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1707685877,
"narHash": "sha256-XoXRS+5whotelr1rHiZle5t5hDg9kpguS5yk8c8qzOc=",
"owner": "ipetkov",
"repo": "crane",
"rev": "2c653e4478476a52c6aa3ac0495e4dea7449ea0e",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
@@ -131,6 +152,22 @@
"type": "github"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
@@ -173,7 +210,7 @@
"flake-parts_3": {
"inputs": {
"nixpkgs-lib": [
"neovim-nightly-overlay",
"lanzaboote",
"nixpkgs"
]
},
@@ -192,6 +229,27 @@
}
},
"flake-parts_4": {
"inputs": {
"nixpkgs-lib": [
"neovim-nightly-overlay",
"nixpkgs"
]
},
"locked": {
"lastModified": 1706830856,
"narHash": "sha256-a0NYyp+h9hlb7ddVz4LUn1vT/PLwqfrWYcHMvFB1xYg=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "b253292d9c0a5ead9bc98c4e9a26c6312e27d69f",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_5": {
"inputs": {
"nixpkgs-lib": [
"neovim-nightly-overlay",
@@ -287,6 +345,24 @@
"inputs": {
"systems": "systems_5"
},
"locked": {
"lastModified": 1705309234,
"narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_6": {
"inputs": {
"systems": "systems_6"
},
"locked": {
"lastModified": 1701680307,
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
@@ -301,9 +377,31 @@
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"pre-commit-hooks-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703887061,
"narHash": "sha256-gGPa9qWNc6eCXT/+Z5/zMkyYOuRZqeFZBDbopNZQkuY=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "43e1aa1308018f37118e34d3a9cb4f5e75dc11d5",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"hercules-ci-effects": {
"inputs": {
"flake-parts": "flake-parts_4",
"flake-parts": "flake-parts_5",
"nixpkgs": [
"neovim-nightly-overlay",
"nixpkgs"
@@ -366,6 +464,32 @@
"type": "github"
}
},
"lanzaboote": {
"inputs": {
"crane": "crane_2",
"flake-compat": "flake-compat",
"flake-parts": "flake-parts_3",
"flake-utils": "flake-utils_5",
"nixpkgs": [
"nixpkgs"
],
"pre-commit-hooks-nix": "pre-commit-hooks-nix",
"rust-overlay": "rust-overlay_4"
},
"locked": {
"lastModified": 1708388174,
"narHash": "sha256-mLROAGNyOykYwWOLga24BX05GnRE+acms0Ru10tye2o=",
"owner": "nix-community",
"repo": "lanzaboote",
"rev": "73fec69386e8005911e15f3abe6bb6cee7fd9711",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "lanzaboote",
"type": "github"
}
},
"naersk": {
"inputs": {
"nixpkgs": "nixpkgs_3"
@@ -386,7 +510,7 @@
},
"neovim-flake": {
"inputs": {
"flake-utils": "flake-utils_5",
"flake-utils": "flake-utils_6",
"nixpkgs": [
"neovim-nightly-overlay",
"nixpkgs"
@@ -410,8 +534,8 @@
},
"neovim-nightly-overlay": {
"inputs": {
"flake-compat": "flake-compat",
"flake-parts": "flake-parts_3",
"flake-compat": "flake-compat_2",
"flake-parts": "flake-parts_4",
"hercules-ci-effects": "hercules-ci-effects",
"neovim-flake": "neovim-flake",
"nixpkgs": [
@@ -487,6 +611,22 @@
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1704874635,
"narHash": "sha256-YWuCrtsty5vVZvu+7BchAxmcYzTMfolSPP5io8+WYCg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "3dc440faeee9e889fe2d1b4d25ad0f430d449356",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1706487304,
@@ -533,6 +673,37 @@
"type": "github"
}
},
"pre-commit-hooks-nix": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"gitignore": "gitignore",
"nixpkgs": [
"lanzaboote",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1708018599,
"narHash": "sha256-M+Ng6+SePmA8g06CmUZWi1AjG2tFBX9WCXElBHEKnyM=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "5df5a70ad7575f6601d91f0efec95dd9bc619431",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"root": {
"inputs": {
"anyrun": "anyrun",
@@ -542,6 +713,7 @@
"flake-utils": "flake-utils_3",
"home-manager": "home-manager",
"ironbar": "ironbar",
"lanzaboote": "lanzaboote",
"neovim-nightly-overlay": "neovim-nightly-overlay",
"nix-darwin": "nix-darwin",
"nixpkgs": "nixpkgs_4"
@@ -607,6 +779,31 @@
"type": "github"
}
},
"rust-overlay_4": {
"inputs": {
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1708241671,
"narHash": "sha256-zSulX9tP4R35Y8A842dGSzaHMVP91W2Ry0SXvQKD2BQ=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "d500e370b26f9b14303cb39bf1509df0a920c8b0",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
@@ -681,6 +878,21 @@
"repo": "default",
"type": "github"
}
},
"systems_6": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",

5
config/nix/flake.nix
View File

@@ -42,6 +42,11 @@
inputs.nixpkgs.follows = "nixpkgs";
};
lanzaboote = {
url = "github:nix-community/lanzaboote";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = { nixpkgs,

3
config/nix/linux/default.nix
View File

@@ -1,4 +1,4 @@
{ pkgs, ... }: {
{ pkgs, device, ... }: {
imports = [
../common/firefox.nix
../linux/hyprland.nix
@@ -17,6 +17,7 @@
ExecStart = "${pkgs.spotify-player}/bin/spotify_player -d";
Restart = "on-failure";
RestartSec = "5";
User = "${device.user}";
};
};
}

8
config/nix/nixos/configuration.nix
View File

@@ -7,6 +7,11 @@
./hardware-configuration.nix
];
boot.lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
};
environment.etc = {
"wireplumber/bluetooth.lua.d/51-bluez-config.lua".text = ''
bluez_monitor.properties = {
@@ -21,7 +26,8 @@
hardware.bluetooth.enable = true;
hardware.bluetooth.powerOnBoot = true;
# Bootloader.
boot.loader.systemd-boot.enable = true;
boot.loader.systemd-boot.enable = pkgs.lib.mkForce false;
boot.loader.efi.canTouchEfiVariables = true;
boot.bootspec.enable = true;

6
config/nix/nixos/device.nix
View File

@@ -3,11 +3,15 @@ builtins.listToAttrs (builtins.map (device: {
name = device.name;
value = nixpkgs.lib.nixosSystem {
system = device.system;
specialArgs = { inherit device; };
specialArgs = {
inherit device;
lanzaboote = inputs.lanzaboote;
};
modules = [
{ nixpkgs.overlays = overlays; }
./configuration.nix
home-manager.nixosModules.home-manager
inputs.lanzaboote.nixosModules.lanzaboote
{
nixpkgs.config.allowUnfree = true;
home-manager = {