gerg-l/nixos
1
0
Fork 0
mirror of https://github.com/Gerg-L/nixos.git synced 2025-12-09 16:33:57 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat: rip lanzaboote

Browse source
This commit is contained in:
Gerg-L 2025-11-06 22:19:55 -05:00
parent f3c90cfebc
commit 1abe992961
Signed by: gerg-l
SSH key fingerprint: SHA256:FPYDHIkvMocr4wdmZXpgpJjsb2Tw6rASs2ISPbOb0KI
3 changed files with 26 additions and 208 deletions
Download patch file Download diff file Expand all files Collapse all files

159
flake.lock generated
View file

@ -1,20 +1,5 @@
{ {
"nodes": { "nodes": {
"crane": {
"locked": {
"lastModified": 1754269165,
"narHash": "sha256-0tcS8FHd4QjbCVoxN9jI+PjHgA4vc/IjkUSp+N3zy0U=",
"owner": "ipetkov",
"repo": "crane",
"rev": "444e81206df3f7d92780680e45858e31d2f07a08",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"disko": { "disko": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -56,22 +41,6 @@
} }
}, },
"flake-compat": { "flake-compat": {
"flake": false,
"locked": {
"lastModified": 1747046372,
"narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1733328505, "lastModified": 1733328505,
@ -87,7 +56,7 @@
"type": "github" "type": "github"
} }
}, },
"flake-compat_3": { "flake-compat_2": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1761588595, "lastModified": 1761588595,
@ -104,27 +73,6 @@
} }
}, },
"flake-parts": { "flake-parts": {
"inputs": {
"nixpkgs-lib": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1754091436,
"narHash": "sha256-XKqDMN1/Qj1DKivQvscI4vmHfDfvYR2pfuFOJiCeewM=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "67df8c627c2c39c41dbec76a1f201929929ab0bd",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_2": {
"inputs": { "inputs": {
"nixpkgs-lib": [ "nixpkgs-lib": [
"nix", "nix",
@ -145,7 +93,7 @@
"type": "github" "type": "github"
} }
}, },
"flake-parts_3": { "flake-parts_2": {
"inputs": { "inputs": {
"nixpkgs-lib": [ "nixpkgs-lib": [
"nvim-flake", "nvim-flake",
@ -198,53 +146,6 @@
"type": "github" "type": "github"
} }
}, },
"gitignore": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"pre-commit-hooks-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"lanzaboote": {
"inputs": {
"crane": "crane",
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
"nixpkgs": [
"unstable"
],
"pre-commit-hooks-nix": "pre-commit-hooks-nix",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1762205063,
"narHash": "sha256-If6vQ+KvtKs3ARBO9G3l+4wFSCYtRBrwX1z+I+B61wQ=",
"owner": "nix-community",
"repo": "lanzaboote",
"rev": "88b8a563ff5704f4e8d8e5118fb911fa2110ca05",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "lanzaboote",
"type": "github"
}
},
"master": { "master": {
"locked": { "locked": {
"lastModified": 1762312580, "lastModified": 1762312580,
@ -278,7 +179,7 @@
}, },
"neovim-nightly": { "neovim-nightly": {
"inputs": { "inputs": {
"flake-parts": "flake-parts_3", "flake-parts": "flake-parts_2",
"neovim-src": "neovim-src", "neovim-src": "neovim-src",
"nixpkgs": "nixpkgs" "nixpkgs": "nixpkgs"
}, },
@ -314,8 +215,8 @@
}, },
"nix": { "nix": {
"inputs": { "inputs": {
"flake-compat": "flake-compat_2", "flake-compat": "flake-compat",
"flake-parts": "flake-parts_2", "flake-parts": "flake-parts",
"git-hooks-nix": "git-hooks-nix", "git-hooks-nix": "git-hooks-nix",
"nixpkgs": [ "nixpkgs": [
"stable" "stable"
@ -444,7 +345,7 @@
}, },
"nvim-flake": { "nvim-flake": {
"inputs": { "inputs": {
"flake-compat": "flake-compat_3", "flake-compat": "flake-compat_2",
"mnw": "mnw", "mnw": "mnw",
"neovim-nightly": "neovim-nightly", "neovim-nightly": "neovim-nightly",
"nixpkgs": [ "nixpkgs": [
@ -466,37 +367,10 @@
"type": "github" "type": "github"
} }
}, },
"pre-commit-hooks-nix": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"gitignore": "gitignore",
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1750779888,
"narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"disko": "disko", "disko": "disko",
"fetch-rs": "fetch-rs", "fetch-rs": "fetch-rs",
"lanzaboote": "lanzaboote",
"master": "master", "master": "master",
"nix": "nix", "nix": "nix",
"nix-index-database": "nix-index-database", "nix-index-database": "nix-index-database",
@ -510,27 +384,6 @@
"unstable": "unstable" "unstable": "unstable"
} }
}, },
"rust-overlay": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1761791894,
"narHash": "sha256-myRIDh+PxaREz+z9LzbqBJF+SnTFJwkthKDX9zMyddY=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "59c45eb69d9222a4362673141e00ff77842cd219",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"sops-nix": { "sops-nix": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [

6
flake.nix
View file

@ -52,12 +52,6 @@
repo = "nix-index-database"; repo = "nix-index-database";
inputs.nixpkgs.follows = "unstable"; inputs.nixpkgs.follows = "unstable";
}; };
lanzaboote = {
type = "github";
owner = "nix-community";
repo = "lanzaboote";
inputs.nixpkgs.follows = "unstable";
};
systems = { systems = {
type = "github"; type = "github";
owner = "nix-systems"; owner = "nix-systems";

69
nixosConfigurations/gerg-desktop/boot.nix
View file

@ -1,67 +1,38 @@
{ {
lanzaboote,
config,
lib, lib,
pkgs, pkgs,
}: }:
let
windowsConf = ''
title Windows
efi /shellx64.efi
options -nointerrupt -noconsolein -noconsoleout HD2d65535a1:EFI\Microsoft\Boot\Bootmgfw.efi
'';
in
{ {
imports = [ lanzaboote.nixosModules.lanzaboote ]; local.packages = {
inherit (pkgs) sbctl;
};
environment.systemPackages = [
pkgs.sbctl
(pkgs.writeShellScriptBin "windows" ''
bootctl set-oneshot windows.conf
bootctl set-timeout-oneshot 1
reboot
'')
];
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"L+ /var/lib/sbctl - - - - /persist/secureboot" "L+ /var/lib/sbctl - - - - /persist/secureboot"
]; ];
boot = { boot = {
lanzaboote = {
enable = true;
pkiBundle = "/var/lib/sbctl";
configurationLimit = 10;
package = lib.mkForce (
pkgs.writeShellApplication {
name = "lzbt";
runtimeInputs = [
lanzaboote.packages.tool
pkgs.coreutils
pkgs.sbctl
];
text = ''
lzbt "$@"
MP='${config.boot.loader.efi.efiSysMountPoint}'
cp -f '${pkgs.edk2-uefi-shell.efi}' "$MP/shellx64.efi"
mkdir -p "$MP/loader/entries"
sbctl sign -s "$MP/shellx64.efi"
cat << EOF > "$MP/loader/entries/windows.conf"
${windowsConf}
EOF
'';
}
);
};
loader = { loader = {
systemd-boot = { limine = {
enable = lib.mkForce false; enable = true;
extraFiles."shellx64.efi" = pkgs.edk2-uefi-shell.efi; biosSupport = false;
extraEntries."windows.conf" = windowsConf; efiSupport = true;
maxGenerations = 10;
enableEditor = false;
secureBoot = {
enable = true;
};
extraEntries = ''
/Windows
protocol: efi
path: uuid(58952b7f-ac08-4fa3-92ad-cac5a3349199):/EFI/Microsoft/Boot/bootmgfw.efi
'';
}; };
efi.efiSysMountPoint = "/efi0E";
# just in case
systemd-boot.enable = lib.mkForce false;
grub.enable = lib.mkForce false; grub.enable = lib.mkForce false;
timeout = lib.mkForce 5; timeout = lib.mkForce 5;
efi.efiSysMountPoint = "/efi22";
}; };
}; };
} }