From 92ec57e83f6abc8538309b27a9b660e3bb6d83bc Mon Sep 17 00:00:00 2001 From: ulic-youthlic Date: Mon, 21 Jul 2025 20:06:01 +0800 Subject: [PATCH] machine(Tytonidae): Enable secure boot --- flake.lock | 271 +++++++++++++++++---- flake.nix | 7 + nixos/configurations/Tytonidae/default.nix | 13 +- 3 files changed, 243 insertions(+), 48 deletions(-) diff --git a/flake.lock b/flake.lock index 557b22f..09ee453 100644 --- a/flake.lock +++ b/flake.lock @@ -101,7 +101,7 @@ "nur-ataraxiasjel", "devenv" ], - "nixpkgs": "nixpkgs_6" + "nixpkgs": "nixpkgs_7" }, "locked": { "lastModified": 1744206633, @@ -140,6 +140,21 @@ "type": "github" } }, + "crane": { + "locked": { + "lastModified": 1731098351, + "narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=", + "owner": "ipetkov", + "repo": "crane", + "rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, "dae": { "inputs": { "flake-parts": [ @@ -190,10 +205,10 @@ "devenv": { "inputs": { "cachix": "cachix", - "flake-compat": "flake-compat_3", + "flake-compat": "flake-compat_4", "git-hooks": "git-hooks", "nix": "nix", - "nixpkgs": "nixpkgs_8" + "nixpkgs": "nixpkgs_9" }, "locked": { "lastModified": 1748273445, @@ -274,6 +289,22 @@ } }, "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_3": { "flake": false, "locked": { "lastModified": 1746162366, @@ -289,7 +320,7 @@ "type": "github" } }, - "flake-compat_3": { + "flake-compat_4": { "flake": false, "locked": { "lastModified": 1733328505, 
@@ -324,6 +355,27 @@ } }, "flake-parts_2": { + "inputs": { + "nixpkgs-lib": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1730504689, + "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "506278e768c2a08bec68eb62932193e341f55c90", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_3": { "inputs": { "nixpkgs-lib": [ "nixvim", @@ -344,7 +396,7 @@ "type": "github" } }, - "flake-parts_3": { + "flake-parts_4": { "inputs": { "nixpkgs-lib": [ "nur", @@ -365,7 +417,7 @@ "type": "github" } }, - "flake-parts_4": { + "flake-parts_5": { "inputs": { "nixpkgs-lib": [ "nur-ataraxiasjel", @@ -388,7 +440,7 @@ "type": "github" } }, - "flake-parts_5": { + "flake-parts_6": { "inputs": { "nixpkgs-lib": "nixpkgs-lib_2" }, @@ -493,7 +545,7 @@ "nur-ataraxiasjel", "devenv" ], - "gitignore": "gitignore", + "gitignore": "gitignore_2", "nixpkgs": [ "nur-ataraxiasjel", "devenv", @@ -515,6 +567,28 @@ } }, "gitignore": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "pre-commit-hooks-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "gitignore_2": { "inputs": { "nixpkgs": [ "nur-ataraxiasjel", 
@@ -667,6 +741,30 @@ "type": "github" } }, + "lanzaboote": { + "inputs": { + "crane": "crane", + "flake-compat": "flake-compat_2", + "flake-parts": "flake-parts_2", + "nixpkgs": "nixpkgs_2", + "pre-commit-hooks-nix": "pre-commit-hooks-nix", + "rust-overlay": "rust-overlay_3" + }, + "locked": { + "lastModified": 1737639419, + "narHash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU=", + "owner": "nix-community", + "repo": "lanzaboote", + "rev": "a65905a09e2c43ff63be8c0e86a93712361f871e", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "v0.4.2", + "repo": "lanzaboote", + "type": "github" + } + }, "libgit2": { "flake": false, "locked": { @@ -730,7 +828,7 @@ "nixpkgs": [ "nixpkgs" ], - "nixpkgs-stable": "nixpkgs-stable", + "nixpkgs-stable": "nixpkgs-stable_2", "xwayland-satellite-stable": "xwayland-satellite-stable", "xwayland-satellite-unstable": "xwayland-satellite-unstable" }, @@ -787,9 +885,9 @@ "nur-ataraxiasjel", "devenv" ], - "flake-parts": "flake-parts_4", + "flake-parts": "flake-parts_5", "libgit2": "libgit2", - "nixpkgs": "nixpkgs_7", + "nixpkgs": "nixpkgs_8", "nixpkgs-23-11": [ "nur-ataraxiasjel", "devenv" @@ -843,10 +941,10 @@ }, "nixos-cosmic": { "inputs": { - "flake-compat": "flake-compat_2", - "nixpkgs": "nixpkgs_2", - "nixpkgs-stable": "nixpkgs-stable_2", - "rust-overlay": "rust-overlay_3" + "flake-compat": "flake-compat_3", + "nixpkgs": "nixpkgs_3", + "nixpkgs-stable": "nixpkgs-stable_3", + "rust-overlay": "rust-overlay_4" }, "locked": { "lastModified": 1751591814, 
@@ -925,6 +1023,22 @@ } }, "nixpkgs-stable": { + "locked": { + "lastModified": 1730741070, + "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable_2": { "locked": { "lastModified": 1752866191, "narHash": "sha256-NV4S2Lf2hYmZQ3Qf4t/YyyBaJNuxLPyjzvDma0zPp/M=", @@ -940,7 +1054,7 @@ "type": "github" } }, - "nixpkgs-stable_2": { + "nixpkgs-stable_3": { "locked": { "lastModified": 1751048012, "narHash": "sha256-MYbotu4UjWpTsq01wglhN5xDRfZYLFtNk7SBY0BcjkU=", @@ -957,6 +1071,22 @@ } }, "nixpkgs_10": { + "locked": { + "lastModified": 1748190013, + "narHash": "sha256-R5HJFflOfsP5FBtk+zE8FpL8uqE7n62jqOsADvVshhE=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "62b852f6c6742134ade1abdd2a21685fd617a291", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_11": { "locked": { "lastModified": 1747958103, "narHash": "sha256-qmmFCrfBwSHoWw7cVK4Aj+fns+c54EBP8cGqp/yK410=", @@ -973,6 +1103,22 @@ } }, "nixpkgs_2": { + "locked": { + "lastModified": 1731919951, + "narHash": "sha256-vOM6ETpl1yu9KLi/icTmLJIPbbdJCdAVYUXZceO/Ce4=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "04386ac325a813047fc314d4b4d838a5b1e3c7fe", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable-small", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { "locked": { "lastModified": 1751011381, "narHash": "sha256-krGXKxvkBhnrSC/kGBmg5MyupUUT5R6IBCLEzx9jhMM=", @@ -988,7 +1134,7 @@ "type": "github" } }, - "nixpkgs_3": { + "nixpkgs_4": { "locked": { "lastModified": 1752950548, "narHash": "sha256-NS6BLD0lxOrnCiEOcvQCDVPXafX1/ek1dfJHX1nUIzc=", 
@@ -1004,7 +1150,7 @@ "type": "github" } }, - "nixpkgs_4": { + "nixpkgs_5": { "locked": { "lastModified": 1752077645, "narHash": "sha256-HM791ZQtXV93xtCY+ZxG1REzhQenSQO020cu6rHtAPk=", @@ -1020,7 +1166,7 @@ "type": "github" } }, - "nixpkgs_5": { + "nixpkgs_6": { "locked": { "lastModified": 1752950548, "narHash": "sha256-NS6BLD0lxOrnCiEOcvQCDVPXafX1/ek1dfJHX1nUIzc=", @@ -1036,7 +1182,7 @@ "type": "github" } }, - "nixpkgs_6": { + "nixpkgs_7": { "locked": { "lastModified": 1733212471, "narHash": "sha256-M1+uCoV5igihRfcUKrr1riygbe73/dzNnzPsmaLCmpo=", @@ -1052,7 +1198,7 @@ "type": "github" } }, - "nixpkgs_7": { + "nixpkgs_8": { "locked": { "lastModified": 1717432640, "narHash": "sha256-+f9c4/ZX5MWDOuB1rKoWj+lBNm0z0rs4CK47HBLxy1o=", @@ -1068,7 +1214,7 @@ "type": "github" } }, - "nixpkgs_8": { + "nixpkgs_9": { "locked": { "lastModified": 1746807397, "narHash": "sha256-zU2z0jlkJGWLhdNr/8AJSxqK8XD0IlQgHp3VZcP56Aw=", @@ -1084,26 +1230,10 @@ "type": "github" } }, - "nixpkgs_9": { - "locked": { - "lastModified": 1748190013, - "narHash": "sha256-R5HJFflOfsP5FBtk+zE8FpL8uqE7n62jqOsADvVshhE=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "62b852f6c6742134ade1abdd2a21685fd617a291", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, "nixvim": { "inputs": { - "flake-parts": "flake-parts_2", - "nixpkgs": "nixpkgs_4", + "flake-parts": "flake-parts_3", + "nixpkgs": "nixpkgs_5", "nuschtosSearch": "nuschtosSearch", "systems": "systems_3" }, @@ -1123,8 +1253,8 @@ }, "nur": { "inputs": { - "flake-parts": "flake-parts_3", - "nixpkgs": "nixpkgs_5" + "flake-parts": "flake-parts_4", + "nixpkgs": "nixpkgs_6" }, "locked": { "lastModified": 1753043887, @@ -1144,8 +1274,8 @@ "inputs": { "devenv": "devenv", "devenv-root": "devenv-root", - "flake-parts": "flake-parts_5", - "nixpkgs": "nixpkgs_9" + "flake-parts": "flake-parts_6", + "nixpkgs": "nixpkgs_10" }, "locked": { "lastModified": 1752784378, 
@@ -1209,6 +1339,33 @@ "type": "github" } }, + "pre-commit-hooks-nix": { + "inputs": { + "flake-compat": [ + "lanzaboote", + "flake-compat" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1731363552, + "narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "root": { "inputs": { "betterfox-nix": "betterfox-nix", @@ -1220,11 +1377,12 @@ "flake-utils": "flake-utils", "helix": "helix", "home-manager": "home-manager_2", + "lanzaboote": "lanzaboote", "lix-module": "lix-module", "niri-flake": "niri-flake", "nixos-cosmic": "nixos-cosmic", "nixos-hardware": "nixos-hardware", - "nixpkgs": "nixpkgs_3", + "nixpkgs": "nixpkgs_4", "nixvim": "nixvim", "nur": "nur", "nur-ataraxiasjel": "nur-ataraxiasjel", @@ -1276,6 +1434,27 @@ } }, "rust-overlay_3": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1731897198, + "narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "0be641045af6d8666c11c2c40e45ffc9667839b5", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, + "rust-overlay_4": { "inputs": { "nixpkgs": [ "nixos-cosmic", @@ -1495,7 +1674,7 @@ }, "treefmt-nix": { "inputs": { - "nixpkgs": "nixpkgs_10" + "nixpkgs": "nixpkgs_11" }, "locked": { "lastModified": 1753006367, diff --git a/flake.nix b/flake.nix index 5aaeaf6..baf23ae 100644 --- a/flake.nix +++ b/flake.nix @@ -194,5 +194,12 @@ owner = "nix-community"; repo = "nixvim"; }; + + lanzaboote = { + type = "github"; + owner = "nix-community"; + repo = "lanzaboote"; + ref = "v0.4.2"; + }; }; } 
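Review bot: The new `lanzaboote` input in the flake.nix hunk declares no `inputs.nixpkgs.follows`, so the lock in this same commit pulls a second nixpkgs tree for it (`nixpkgs_2`, ref `nixos-unstable-small`, lastModified 1731919951, eight months older than the root `nixpkgs_4`) plus its own `flake-parts_2`, `rust-overlay_3`, `crane`, `pre-commit-hooks-nix` and `gitignore` nodes, which is what renumbers most of the other lock entries. Unless the module is known to require that exact nixpkgs, add `inputs.nixpkgs.follows = "nixpkgs";` inside the new attribute set so lanzaboote resolves against the same nixpkgs revision as the rest of the system and there is one fewer dependency tree to track on updates. Pinning by `ref = "v0.4.2"` is fine because the lock records the resolved rev `a65905a…`; it is the lock, not the tag, that actually fixes what gets built.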
diff --git a/nixos/configurations/Tytonidae/default.nix b/nixos/configurations/Tytonidae/default.nix
index c9c2d81..e6ec0d6 100644
--- a/nixos/configurations/Tytonidae/default.nix
+++ b/nixos/configurations/Tytonidae/default.nix
@@ -17,6 +17,7 @@
     ++ (with outputs; [
       nixosModules.gui
     ])
+    ++ [inputs.lanzaboote.nixosModules.lanzaboote]
     ++ (lib.youthlic.loadImports ./.);
 
   youthlic = {
@@ -90,6 +91,8 @@
       waypipe
       wineWow64Packages.waylandFull
       iperf3
+
+      sbctl
     ];
 
   environment.variables.EDITOR = "hx";
@@ -102,8 +105,14 @@
   boot = {
     kernelPackages = pkgs.linuxPackages_cachyos;
-    loader.systemd-boot.enable = true;
-    loader.efi.canTouchEfiVariables = true;
+    lanzaboote = {
+      enable = true;
+      pkiBundle = "/var/lib/sbctl";
+    };
+    loader = {
+      systemd-boot.enable = lib.mkForce false;
+      efi.canTouchEfiVariables = true;
+    };
     initrd.systemd.enable = true;
   };
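Review bot: The `sbctl` addition in the second hunk comes with a stray empty `+` line above it in the `environment.systemPackages` list, which the neighbouring entries (`waypipe`, `wineWow64Packages.waylandFull`, `iperf3`) do not have; drop the blank line or, if it is meant as a separator, replace it with a comment saying why the tool is installed, e.g. `# sbctl: creates/enrolls the Secure Boot keys lanzaboote signs with (pkiBundle = /var/lib/sbctl)`. That comment should also state that the key material under `/var/lib/sbctl` is state outside the Nix configuration: it presumably has to exist before the first lanzaboote build and must be backed up and kept private, since it is the trust root for everything this machine boots. The first hunk's `++ [inputs.lanzaboote.nixosModules.lanzaboote]` could match the spacing of the surrounding list as `++ [ inputs.lanzaboote.nixosModules.lanzaboote ]`. The `boot` block in the third hunk continues past the end of this excerpt.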