diff --git a/disko/gerg-desktop.nix b/disko/gerg-desktop.nix index 5a88aa7..32f2b5c 100644 --- a/disko/gerg-desktop.nix +++ b/disko/gerg-desktop.nix @@ -17,6 +17,7 @@ lib: { content = { type = "gpt"; partitions = { + #BOOT is unused BOOT = { device = "${fullName}-part1"; type = "EF00"; @@ -25,7 +26,6 @@ lib: { content = { type = "filesystem"; format = "vfat"; - mountpoint = "/efi${name}"; }; }; swap = { diff --git a/flake.lock b/flake.lock index 46f7218..a2a2096 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,26 @@ { "nodes": { + "crane": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1711299236, + "narHash": "sha256-6/JsyozOMKN8LUGqWMopKTSiK8N79T8Q+hcxu2KkTXg=", + "owner": "ipetkov", + "repo": "crane", + "rev": "880573f80d09e18a11713f402b9e6172a085449f", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, "disko": { "inputs": { "nixpkgs": [ @@ -43,11 +64,11 @@ "flake-compat": { "flake": false, "locked": { - "lastModified": 1673956053, - "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", "owner": "edolstra", "repo": "flake-compat", - "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", "type": "github" }, "original": { @@ -59,11 +80,11 @@ "flake-compat_2": { "flake": false, "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", "owner": "edolstra", "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", "type": "github" }, "original": { @@ -88,6 +109,109 @@ "type": "github" } }, + "flake-compat_4": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709336216, + "narHash": "sha256-Dt/wOWeW6Sqm11Yh+2+t0dfEWxoMxGBvv3JpIocFl9E=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "f7b3c975cf067e56e7cda6cb098ebe3fb4d74ca2", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "pre-commit-hooks-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "lanzaboote": { + "inputs": { + "crane": "crane", + "flake-compat": "flake-compat", + "flake-parts": "flake-parts", + "flake-utils": "flake-utils", + "nixpkgs": [ + "unstable" + ], + "pre-commit-hooks-nix": "pre-commit-hooks-nix", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1713369831, + "narHash": "sha256-G4OGxvlIIjphpkxcRAkf1QInYsAeqbfNh6Yl1JLy2uM=", + "owner": "nix-community", + "repo": "lanzaboote", + "rev": "850f27322239f8cfa56b122cc9a278ab99a49015", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "lanzaboote", + "type": "github" + } + }, "libgit2": { "flake": false, "locked": { @@ -139,7 +263,7 @@ }, "nix": { "inputs": { - "flake-compat": "flake-compat", + "flake-compat": "flake-compat_2", "libgit2": "libgit2", "nixpkgs": [ "stable" @@ -214,6 +338,22 @@ } }, "nixpkgs-stable": { + "locked": { + "lastModified": 1710695816, + "narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "614b4613980a522ba49f0d194531beddbb7220d3", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable_2": { "locked": { "lastModified": 1713638189, "narHash": "sha256-q7APLfB6FmmSMI1Su5ihW9IwntBsk2hWNXh8XtSdSIk=", @@ -231,7 +371,7 @@ }, "nvim-flake": { "inputs": { - "flake-compat": "flake-compat_2", + "flake-compat": "flake-compat_3", "neovim-src": "neovim-src", "nixpkgs": [ "unstable" @@ -251,10 +391,42 @@ "type": "github" } }, + "pre-commit-hooks-nix": { + "inputs": { + "flake-compat": [ + "lanzaboote", + "flake-compat" + ], + "flake-utils": [ + "lanzaboote", + "flake-utils" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1710923068, + "narHash": "sha256-6hOpUiuxuwpXXc/xfJsBUJeqqgGI+JMJuLo45aG3cKc=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "e611897ddfdde3ed3eaac4758635d7177ff78673", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "root": { "inputs": { "disko": "disko", "fetch-rs": "fetch-rs", + "lanzaboote": "lanzaboote", "master": "master", "nix": "nix", "nixos-generators": "nixos-generators", @@ -266,12 +438,37 @@ "unstable": "unstable" } }, + "rust-overlay": { + "inputs": { + "flake-utils": [ + "lanzaboote", + "flake-utils" + ], + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1711246447, + "narHash": "sha256-g9TOluObcOEKewFo2fR4cn51Y/jSKhRRo4QZckHLop0=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "dcc802a6ec4e9cc6a1c8c393327f0c42666f22e4", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "sops-nix": { "inputs": { "nixpkgs": [ "unstable" ], - "nixpkgs-stable": "nixpkgs-stable" + "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { "lastModified": 1713892811, @@ -289,7 +486,7 @@ }, "spicetify-nix": { "inputs": { - "flake-compat": "flake-compat_3", + "flake-compat": "flake-compat_4", "nixpkgs": [ "unstable" ] @@ -344,6 +541,21 @@ "type": "github" } }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "unstable": { "locked": { "lastModified": 1714253743, diff --git a/flake.nix b/flake.nix index 155ed98..88c0cba 100644 --- a/flake.nix +++ b/flake.nix @@ -45,6 +45,12 @@ repo = "disko"; inputs.nixpkgs.follows = "unstable"; }; + lanzaboote = { + type = "github"; + owner = "nix-community"; + repo = "lanzaboote"; + inputs.nixpkgs.follows = "unstable"; + }; #my own packages spicetify-nix = { type = "github"; diff --git a/hosts/gerg-desktop/zfs.nix b/hosts/gerg-desktop/zfs.nix index c5de70a..1b6ffef 100644 --- a/hosts/gerg-desktop/zfs.nix +++ b/hosts/gerg-desktop/zfs.nix @@ -1,4 +1,4 @@ -_: +{ lanzaboote, ... }: { config, lib, @@ -6,8 +6,19 @@ _: ... }: { + imports = [ lanzaboote.nixosModules.lanzaboote ]; + + environment.systemPackages = [ pkgs.sbctl ]; + + boot.lanzaboote = { + enable = true; + pkiBundle = "/etc/secureboot"; + configurationLimit = 10; + }; + #link some stuff systemd.tmpfiles.rules = [ + "L+ /etc/secureboot - - - - /persist/secureboot" "L+ /etc/ssh/ssh_host_ed25519_key - - - - /persist/ssh/ssh_host_ed25519_key" "L+ /etc/ssh/ssh_host_ed25519_key.pub - - - - /persist/ssh/ssh_host_ed25519_key.pub" "L /etc/nixos/flake.nix - - - - /home/gerg/Projects/nixos/flake.nix" @@ -21,8 +32,17 @@ _: sops.age.sshKeyPaths = lib.mkForce [ "/persist/ssh/ssh_host_ed25519_key" ]; fileSystems = { "/persist".neededForBoot = true; - "/efi22".options = [ "nofail" ]; - "/efi0E".options = [ "nofail" ]; + # These are my Windows drives partitions + "/efi".device = "/dev/disk/by-id/ata-Samsung_SSD_870_EVO_500GB_S6PXNM0T402828A-part1"; + "/boot".device = "/dev/disk/by-id/ata-Samsung_SSD_870_EVO_500GB_S6PXNM0T402828A-part4"; + "/efi/EFI/Linux" = { + device = "/boot/EFI/Linux"; + options = [ "bind" ]; + }; + "/efi/EFI/nixos" = { + device = "/boot/EFI/nixos"; + options = [ "bind" ]; + }; }; boot = { @@ -61,27 +81,14 @@ _: }; }; loader = { - generationsDir.copyKernels = true; - #override default - systemd-boot.enable = false; - efi.canTouchEfiVariables = false; - grub = { - enable = true; - copyKernels = true; - efiInstallAsRemovable = true; - efiSupport = true; - mirroredBoots = [ - { - path = "/efi22"; - devices = [ "nodev" ]; - } - { - path = "/efi0E"; - devices = [ "nodev" ]; - } - ]; - splashImage = null; + systemd-boot = { + enable = lib.mkForce false; + xbootldrMountPoint = "/boot"; }; + + grub.enable = lib.mkForce false; + timeout = lib.mkForce 5; + efi.efiSysMountPoint = "/efi"; }; }; #_file