diff --git a/common.nix b/common.nix index 979585c..67ae453 100644 --- a/common.nix +++ b/common.nix @@ -1,4 +1,5 @@ { + lib, pkgs, nixpkgs, ragenix, @@ -7,10 +8,16 @@ }: { boot = { kernelPackages = pkgs.linuxKernel.packages.linux_zen; + loader = { - systemd-boot.enable = true; + systemd-boot.enable = lib.mkForce false; efi.canTouchEfiVariables = true; }; + + lanzaboote = { + enable = true; + pkiBundle = "/etc/secureboot"; + }; }; hardware = { @@ -174,6 +181,7 @@ environment.systemPackages = with pkgs; [ neovim git + sbctl ]; nixpkgs.config.allowUnfree = true; diff --git a/flake.lock b/flake.lock index 3ac260f..8d2490b 100644 --- a/flake.lock +++ b/flake.lock @@ -24,7 +24,28 @@ }, "crane": { "inputs": { - "flake-compat": "flake-compat_2", + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1699218802, + "narHash": "sha256-5l0W4Q7z7A4BCstaF5JuBqXOVrZ3Vqst5+hUnP7EdUc=", + "owner": "ipetkov", + "repo": "crane", + "rev": "2d6c2aaff5a05e443eb15efddc21f9c73720340c", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, + "crane_2": { + "inputs": { + "flake-compat": "flake-compat_3", "flake-utils": [ "ragenix", "flake-utils" @@ -92,6 +113,22 @@ } }, "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_3": { "flake": false, "locked": { "lastModified": 1673956053, 
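Review bot: `pkiBundle = "/etc/secureboot"` is the Secure Boot signing key store, and the hunk gives no hint that it must be populated and enrolled before the first switch (`sbctl create-keys`, `sbctl enroll-keys`), nor that the signing private key now lives on the root filesystem of the very machine whose boot chain the signatures protect. I would document that above `lanzaboote = {`: `# Secure Boot: generations are signed with the keys in pkiBundle (sbctl create-keys / enroll-keys).` and `# The private key is on the root fs: keep /etc/secureboot root-only and on an encrypted disk.` The `lib.mkForce false` on `systemd-boot.enable` also deserves a one-line why, e.g. `# lanzaboote replaces systemd-boot; mkForce overrides any host module that enables it.`, since it is presumably overriding a setting made outside this file. Secure Boot only authenticates the boot chain; whether the secrets this configuration decrypts with ragenix are protected at rest depends on disk encryption, which this hunk does not show.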
@@ -150,11 +187,29 @@
 "systems": "systems_2"
 },
 "locked": {
- "lastModified": 1685518550,
- "narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=",
+ "lastModified": 1694529238,
+ "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
 "owner": "numtide",
 "repo": "flake-utils",
- "rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef",
+ "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ },
+ "flake-utils_3": {
+ "inputs": {
+ "systems": "systems_3"
+ },
+ "locked": {
+ "lastModified": 1681202837,
+ "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
 "type": "github"
 },
 "original": {
@@ -171,9 +226,7 @@
 "parts": [
 "flake-parts"
 ],
- "pre-commit": [
- "pre-commit"
- ]
+ "pre-commit": "pre-commit"
 },
 "locked": {
 "lastModified": 1699416012,
@@ -192,6 +245,7 @@
 "gitignore": {
 "inputs": {
 "nixpkgs": [
+ "getchvim",
 "pre-commit",
 "nixpkgs"
 ]
@@ -210,6 +264,56 @@
 "type": "github"
 }
 },
+ "gitignore_2": {
+ "inputs": {
+ "nixpkgs": [
+ "lanzaboote",
+ "pre-commit-hooks-nix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1660459072,
+ "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
+ "owner": "hercules-ci",
+ "repo": "gitignore.nix",
+ "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "gitignore.nix",
+ "type": "github"
+ }
+ },
+ "lanzaboote": {
+ "inputs": {
+ "crane": "crane",
+ "flake-compat": "flake-compat_2",
+ "flake-parts": [
+ "flake-parts"
+ ],
+ "flake-utils": "flake-utils_2",
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "pre-commit-hooks-nix": "pre-commit-hooks-nix",
+ "rust-overlay": "rust-overlay"
+ },
+ "locked": {
+ "lastModified": 1699447590,
+ "narHash": "sha256-galcUm/T+8iYsWE3hKtgmv009hjJWB0jBrLJb9i2K2k=",
+ "owner": "nix-community",
+ "repo": "lanzaboote",
+ "rev": "241cedde7e4e83a681ad3163c1d4b3d13a56f91a",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "lanzaboote",
+ "type": "github"
+ }
+ },
 "nixpkgs": {
 "locked": {
 "lastModified": 1699099776,
@@ -225,18 +329,67 @@
 "type": "indirect"
 }
 },
+ "nixpkgs-stable": {
+ "locked": {
+ "lastModified": 1685801374,
+ "narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "c37ca420157f4abc31e26f436c1145f8951ff373",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-23.05",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "pre-commit": {
 "inputs": {
 "flake-compat": "flake-compat",
- "flake-utils": "flake-utils_2",
+ "flake-utils": "flake-utils",
 "gitignore": "gitignore",
 "nixpkgs": [
+ "getchvim",
 "nixpkgs"
 ],
 "nixpkgs-stable": [
+ "getchvim",
 "nixpkgs"
 ]
 },
+ "locked": {
+ "lastModified": 1697746376,
+ "narHash": "sha256-gu77VkgdfaHgNCVufeb6WP9oqFLjwK4jHcoPZmBVF3E=",
+ "owner": "cachix",
+ "repo": "pre-commit-hooks.nix",
+ "rev": "8cc349bfd082da8782b989cad2158c9ad5bd70fd",
+ "type": "github"
+ },
+ "original": {
+ "owner": "cachix",
+ "repo": "pre-commit-hooks.nix",
+ "type": "github"
+ }
+ },
+ "pre-commit-hooks-nix": {
+ "inputs": {
+ "flake-compat": [
+ "lanzaboote",
+ "flake-compat"
+ ],
+ "flake-utils": [
+ "lanzaboote",
+ "flake-utils"
+ ],
+ "gitignore": "gitignore_2",
+ "nixpkgs": [
+ "lanzaboote",
+ "nixpkgs"
+ ],
+ "nixpkgs-stable": "nixpkgs-stable"
+ },
 "locked": {
 "lastModified": 1699271226,
 "narHash": "sha256-8Jt1KW3xTjolD6c6OjJm9USx/jmL+VVmbooADCkdDfU=",
@@ -254,14 +407,12 @@
 "ragenix": {
 "inputs": {
 "agenix": "agenix",
- "crane": "crane",
- "flake-utils": [
- "flake-utils"
- ],
+ "crane": "crane_2",
+ "flake-utils": "flake-utils_3",
 "nixpkgs": [
 "nixpkgs"
 ],
- "rust-overlay": "rust-overlay"
+ "rust-overlay": "rust-overlay_2"
 },
 "locked": {
 "lastModified": 1682237245,
@@ -280,14 +431,38 @@ "root": { "inputs": { "flake-parts": "flake-parts", - "flake-utils": "flake-utils", "getchvim": "getchvim", + "lanzaboote": "lanzaboote", "nixpkgs": "nixpkgs", - "pre-commit": "pre-commit", "ragenix": "ragenix" } }, "rust-overlay": { + "inputs": { + "flake-utils": [ + "lanzaboote", + "flake-utils" + ], + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1699409596, + "narHash": "sha256-L3g1smIol3dGTxkUQOlNShJtZLvjLzvtbaeTRizwZBU=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "58240e1ac627cef3ea30c7732fedfb4f51afd8e7", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, + "rust-overlay_2": { "inputs": { "flake-utils": [ "ragenix", @@ -341,6 +516,21 @@ "repo": "default", "type": "github" } + }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 0500062..41b4ca8 100644 --- a/flake.nix +++ b/flake.nix @@ -4,7 +4,6 @@ inputs = { nixpkgs.url = "nixpkgs/nixos-unstable"; - flake-utils.url = "github:numtide/flake-utils"; flake-parts = { url = "github:hercules-ci/flake-parts"; inputs.nixpkgs-lib.follows = "nixpkgs"; @@ -13,7 +12,14 @@ ragenix = { url = "github:yaxitech/ragenix"; inputs.nixpkgs.follows = "nixpkgs"; - inputs.flake-utils.follows = "flake-utils"; + }; + + lanzaboote = { + url = "github:nix-community/lanzaboote"; + inputs = { + nixpkgs.follows = "nixpkgs"; + flake-parts.follows = "flake-parts"; + }; }; getchvim = { 
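Review bot: The new `lanzaboote` input at `url = "github:nix-community/lanzaboote"` follows the repository's default branch, so every `nix flake update` moves the component that signs this machine's boot chain to whatever commit is current at that moment; today only the `rev` and `narHash` in flake.lock pin it. For a boot-security dependency I would pin a tagged release in the URL (a `?ref=` on a release tag) so that bumping it is an explicit, reviewable choice, while still relying on the lock's `narHash` for integrity. Dropping `inputs.flake-utils.follows` from `ragenix` also leaves the lock carrying separate `flake-utils` copies (`flake-utils_2`, `flake-utils_3` appear in the lock hunks), which is closure bloat rather than a security issue but worth a short comment if it is intentional.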
@@ -21,15 +27,6 @@ inputs = { nixpkgs.follows = "nixpkgs"; parts.follows = "flake-parts"; - pre-commit.follows = "pre-commit"; - }; - }; - - pre-commit = { - url = "github:cachix/pre-commit-hooks.nix"; - inputs = { - nixpkgs.follows = "nixpkgs"; - nixpkgs-stable.follows = "nixpkgs"; }; }; }; @@ -37,17 +34,20 @@ outputs = { nixpkgs, ragenix, + lanzaboote, ... - } @ inputs: { + } @ inputs: let + modules' = [ragenix.nixosModules.default lanzaboote.nixosModules.lanzaboote]; + in { nixosConfigurations.fuji = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; - modules = [./fuji.nix ragenix.nixosModules.default]; + modules = [./fuji.nix] ++ modules'; specialArgs = inputs; }; nixosConfigurations.kilimandjaro = inputs.nixpkgs.lib.nixosSystem { system = "x86_64-linux"; - modules = [./kilimandjaro.nix ragenix.nixosModules.default]; + modules = [./kilimandjaro.nix] ++ modules'; specialArgs = inputs; };