add lanzaboote

uku 2023-11-08 15:18:44 +01:00
parent fbd95e8ba6
commit b0bb4318e5
Signed by: uku
GPG key ID: 7D01D7B105E77166
3 changed files with 228 additions and 30 deletions


@ -1,4 +1,5 @@
{
lib,
pkgs,
nixpkgs,
ragenix,
@ -7,10 +8,16 @@
}: {
boot = {
kernelPackages = pkgs.linuxKernel.packages.linux_zen;
loader = {
systemd-boot.enable = true;
systemd-boot.enable = lib.mkForce false;
efi.canTouchEfiVariables = true;
};
lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
};
};
hardware = {
@ -174,6 +181,7 @@
environment.systemPackages = with pkgs; [
neovim
git
sbctl
];
nixpkgs.config.allowUnfree = true;
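Review bot: `pkiBundle = "/etc/secureboot";` in the second hunk points at a directory that nothing in this configuration creates, checks, or documents — the signed boot entries can only be built once the Secure Boot keys exist there, and that key material (private signing keys included) then sits outside Nix's control on the root filesystem, so its ownership and permissions are entirely the operator's responsibility. I would add a comment above the `lanzaboote` block naming the prerequisite, for example `# Keys must be generated into this directory before switching (sbctl is in systemPackages); keep it root-only, it holds the private signing keys.`. The `lib.mkForce false` on `systemd-boot.enable` also deserves a one-line comment saying lanzaboote takes over the systemd-boot role, so the next reader does not "fix" it back to true. The presence of `sbctl` in the third hunk's `environment.systemPackages` suggests the key enrolment is meant to be done by hand; if so, stating that in the config is the only place it will be remembered.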


@ -24,7 +24,28 @@
},
"crane": {
"inputs": {
"flake-compat": "flake-compat_2",
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1699218802,
"narHash": "sha256-5l0W4Q7z7A4BCstaF5JuBqXOVrZ3Vqst5+hUnP7EdUc=",
"owner": "ipetkov",
"repo": "crane",
"rev": "2d6c2aaff5a05e443eb15efddc21f9c73720340c",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"crane_2": {
"inputs": {
"flake-compat": "flake-compat_3",
"flake-utils": [
"ragenix",
"flake-utils"
@ -92,6 +113,22 @@
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_3": {
"flake": false,
"locked": {
"lastModified": 1673956053,
@ -150,11 +187,29 @@
"systems": "systems_2"
},
"locked": {
"lastModified": 1685518550,
"narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=",
"lastModified": 1694529238,
"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef",
"rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_3": {
"inputs": {
"systems": "systems_3"
},
"locked": {
"lastModified": 1681202837,
"narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "cfacdce06f30d2b68473a46042957675eebb3401",
"type": "github"
},
"original": {
@ -171,9 +226,7 @@
"parts": [
"flake-parts"
],
"pre-commit": [
"pre-commit"
]
"pre-commit": "pre-commit"
},
"locked": {
"lastModified": 1699416012,
@ -192,6 +245,7 @@
"gitignore": {
"inputs": {
"nixpkgs": [
"getchvim",
"pre-commit",
"nixpkgs"
]
@ -210,6 +264,56 @@
"type": "github"
}
},
"gitignore_2": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"pre-commit-hooks-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1660459072,
"narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"lanzaboote": {
"inputs": {
"crane": "crane",
"flake-compat": "flake-compat_2",
"flake-parts": [
"flake-parts"
],
"flake-utils": "flake-utils_2",
"nixpkgs": [
"nixpkgs"
],
"pre-commit-hooks-nix": "pre-commit-hooks-nix",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1699447590,
"narHash": "sha256-galcUm/T+8iYsWE3hKtgmv009hjJWB0jBrLJb9i2K2k=",
"owner": "nix-community",
"repo": "lanzaboote",
"rev": "241cedde7e4e83a681ad3163c1d4b3d13a56f91a",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "lanzaboote",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1699099776,
@ -225,18 +329,67 @@
"type": "indirect"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1685801374,
"narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "c37ca420157f4abc31e26f436c1145f8951ff373",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-23.05",
"repo": "nixpkgs",
"type": "github"
}
},
"pre-commit": {
"inputs": {
"flake-compat": "flake-compat",
"flake-utils": "flake-utils_2",
"flake-utils": "flake-utils",
"gitignore": "gitignore",
"nixpkgs": [
"getchvim",
"nixpkgs"
],
"nixpkgs-stable": [
"getchvim",
"nixpkgs"
]
},
"locked": {
"lastModified": 1697746376,
"narHash": "sha256-gu77VkgdfaHgNCVufeb6WP9oqFLjwK4jHcoPZmBVF3E=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "8cc349bfd082da8782b989cad2158c9ad5bd70fd",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"pre-commit-hooks-nix": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"gitignore": "gitignore_2",
"nixpkgs": [
"lanzaboote",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1699271226,
"narHash": "sha256-8Jt1KW3xTjolD6c6OjJm9USx/jmL+VVmbooADCkdDfU=",
@ -254,14 +407,12 @@
"ragenix": {
"inputs": {
"agenix": "agenix",
"crane": "crane",
"flake-utils": [
"flake-utils"
],
"crane": "crane_2",
"flake-utils": "flake-utils_3",
"nixpkgs": [
"nixpkgs"
],
"rust-overlay": "rust-overlay"
"rust-overlay": "rust-overlay_2"
},
"locked": {
"lastModified": 1682237245,
@ -280,14 +431,38 @@
"root": {
"inputs": {
"flake-parts": "flake-parts",
"flake-utils": "flake-utils",
"getchvim": "getchvim",
"lanzaboote": "lanzaboote",
"nixpkgs": "nixpkgs",
"pre-commit": "pre-commit",
"ragenix": "ragenix"
}
},
"rust-overlay": {
"inputs": {
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1699409596,
"narHash": "sha256-L3g1smIol3dGTxkUQOlNShJtZLvjLzvtbaeTRizwZBU=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "58240e1ac627cef3ea30c7732fedfb4f51afd8e7",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"rust-overlay_2": {
"inputs": {
"flake-utils": [
"ragenix",
@ -341,6 +516,21 @@
"repo": "default",
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",


@ -4,7 +4,6 @@
inputs = {
nixpkgs.url = "nixpkgs/nixos-unstable";
flake-utils.url = "github:numtide/flake-utils";
flake-parts = {
url = "github:hercules-ci/flake-parts";
inputs.nixpkgs-lib.follows = "nixpkgs";
@ -13,7 +12,14 @@
ragenix = {
url = "github:yaxitech/ragenix";
inputs.nixpkgs.follows = "nixpkgs";
inputs.flake-utils.follows = "flake-utils";
};
lanzaboote = {
url = "github:nix-community/lanzaboote";
inputs = {
nixpkgs.follows = "nixpkgs";
flake-parts.follows = "flake-parts";
};
};
getchvim = {
@ -21,15 +27,6 @@
inputs = {
nixpkgs.follows = "nixpkgs";
parts.follows = "flake-parts";
pre-commit.follows = "pre-commit";
};
};
pre-commit = {
url = "github:cachix/pre-commit-hooks.nix";
inputs = {
nixpkgs.follows = "nixpkgs";
nixpkgs-stable.follows = "nixpkgs";
};
};
};
@ -37,17 +34,20 @@
outputs = {
nixpkgs,
ragenix,
lanzaboote,
...
} @ inputs: {
} @ inputs: let
modules' = [ragenix.nixosModules.default lanzaboote.nixosModules.lanzaboote];
in {
nixosConfigurations.fuji = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [./fuji.nix ragenix.nixosModules.default];
modules = [./fuji.nix] ++ modules';
specialArgs = inputs;
};
nixosConfigurations.kilimandjaro = inputs.nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [./kilimandjaro.nix ragenix.nixosModules.default];
modules = [./kilimandjaro.nix] ++ modules';
specialArgs = inputs;
};