diff --git a/flake.lock b/flake.lock index a6f6126..6b7bc39 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,20 @@ { "nodes": { + "crane": { + "locked": { + "lastModified": 1754269165, + "narHash": "sha256-0tcS8FHd4QjbCVoxN9jI+PjHgA4vc/IjkUSp+N3zy0U=", + "owner": "ipetkov", + "repo": "crane", + "rev": "444e81206df3f7d92780680e45858e31d2f07a08", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, "disko": { "inputs": { "nixpkgs": [ @@ -41,6 +56,22 @@ } }, "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1747046372, + "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { "flake": false, "locked": { "lastModified": 1733328505, @@ -56,7 +87,7 @@ "type": "github" } }, - "flake-compat_2": { + "flake-compat_3": { "flake": false, "locked": { "lastModified": 1761588595, @@ -73,6 +104,27 @@ } }, "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1754091436, + "narHash": "sha256-XKqDMN1/Qj1DKivQvscI4vmHfDfvYR2pfuFOJiCeewM=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "67df8c627c2c39c41dbec76a1f201929929ab0bd", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { "inputs": { "nixpkgs-lib": [ "nix", @@ -93,7 +145,7 @@ "type": "github" } }, - "flake-parts_2": { + "flake-parts_3": { "inputs": { "nixpkgs-lib": [ "nvim-flake", 
@@ -146,6 +198,53 @@ "type": "github" } }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "pre-commit-hooks-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "lanzaboote": { + "inputs": { + "crane": "crane", + "flake-compat": "flake-compat", + "flake-parts": "flake-parts", + "nixpkgs": [ + "unstable" + ], + "pre-commit-hooks-nix": "pre-commit-hooks-nix", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1762205063, + "narHash": "sha256-If6vQ+KvtKs3ARBO9G3l+4wFSCYtRBrwX1z+I+B61wQ=", + "owner": "nix-community", + "repo": "lanzaboote", + "rev": "88b8a563ff5704f4e8d8e5118fb911fa2110ca05", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "lanzaboote", + "type": "github" + } + }, "master": { "locked": { "lastModified": 1762312580, @@ -179,7 +278,7 @@ }, "neovim-nightly": { "inputs": { - "flake-parts": "flake-parts_2", + "flake-parts": "flake-parts_3", "neovim-src": "neovim-src", "nixpkgs": "nixpkgs" }, @@ -215,8 +314,8 @@ }, "nix": { "inputs": { - "flake-compat": "flake-compat", - "flake-parts": "flake-parts", + "flake-compat": "flake-compat_2", + "flake-parts": "flake-parts_2", "git-hooks-nix": "git-hooks-nix", "nixpkgs": [ "stable" @@ -345,7 +444,7 @@ }, "nvim-flake": { "inputs": { - "flake-compat": "flake-compat_2", + "flake-compat": "flake-compat_3", "mnw": "mnw", "neovim-nightly": "neovim-nightly", "nixpkgs": [ 
@@ -367,10 +466,37 @@ "type": "github" } }, + "pre-commit-hooks-nix": { + "inputs": { + "flake-compat": [ + "lanzaboote", + "flake-compat" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1750779888, + "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "root": { "inputs": { "disko": "disko", "fetch-rs": "fetch-rs", + "lanzaboote": "lanzaboote", "master": "master", "nix": "nix", "nix-index-database": "nix-index-database", @@ -384,6 +510,27 @@ "unstable": "unstable" } }, + "rust-overlay": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1761791894, + "narHash": "sha256-myRIDh+PxaREz+z9LzbqBJF+SnTFJwkthKDX9zMyddY=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "59c45eb69d9222a4362673141e00ff77842cd219", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "sops-nix": { "inputs": { "nixpkgs": [ diff --git a/flake.nix b/flake.nix index 53587bb..01fd0bb 100644 --- a/flake.nix +++ b/flake.nix @@ -52,6 +52,12 @@ repo = "nix-index-database"; inputs.nixpkgs.follows = "unstable"; }; + lanzaboote = { + type = "github"; + owner = "nix-community"; + repo = "lanzaboote"; + inputs.nixpkgs.follows = "unstable"; + }; systems = { type = "github"; owner = "nix-systems"; diff --git a/nixosConfigurations/gerg-desktop/boot.nix b/nixosConfigurations/gerg-desktop/boot.nix index 8cd4c06..4529d28 100644 --- a/nixosConfigurations/gerg-desktop/boot.nix +++ b/nixosConfigurations/gerg-desktop/boot.nix 
@@ -1,38 +1,67 @@ { + lanzaboote, + config, lib, pkgs, }: +let + windowsConf = '' + title Windows + efi /shellx64.efi + options -nointerrupt -noconsolein -noconsoleout HD2d65535a1:EFI\Microsoft\Boot\Bootmgfw.efi + ''; +in { - local.packages = { - inherit (pkgs) sbctl; - }; + imports = [ lanzaboote.nixosModules.lanzaboote ]; + environment.systemPackages = [ + pkgs.sbctl + (pkgs.writeShellScriptBin "windows" '' + bootctl set-oneshot windows.conf + bootctl set-timeout-oneshot 1 + reboot + '') + ]; systemd.tmpfiles.rules = [ "L+ /var/lib/sbctl - - - - /persist/secureboot" ]; boot = { + lanzaboote = { + enable = true; + pkiBundle = "/var/lib/sbctl"; + configurationLimit = 10; + package = lib.mkForce ( + pkgs.writeShellApplication { + name = "lzbt"; + runtimeInputs = [ + lanzaboote.packages.tool + pkgs.coreutils + pkgs.sbctl + ]; + text = '' + lzbt "$@" + MP='${config.boot.loader.efi.efiSysMountPoint}' + cp -f '${pkgs.edk2-uefi-shell.efi}' "$MP/shellx64.efi" + mkdir -p "$MP/loader/entries" + sbctl sign -s "$MP/shellx64.efi" + cat << EOF > "$MP/loader/entries/windows.conf" + ${windowsConf} + EOF + ''; + } + ); + }; + loader = { - limine = { - enable = true; - biosSupport = false; - efiSupport = true; - maxGenerations = 10; - enableEditor = false; - secureBoot = { - enable = true; - }; - extraEntries = '' - /Windows - protocol: efi - path: uuid(58952b7f-ac08-4fa3-92ad-cac5a3349199):/EFI/Microsoft/Boot/bootmgfw.efi - ''; + systemd-boot = { + enable = lib.mkForce false; + extraFiles."shellx64.efi" = pkgs.edk2-uefi-shell.efi; + extraEntries."windows.conf" = windowsConf; }; - efi.efiSysMountPoint = "/efi0E"; - # just in case - systemd-boot.enable = lib.mkForce false; grub.enable = lib.mkForce false; timeout = lib.mkForce 5; + efi.efiSysMountPoint = "/efi22"; }; }; } diff --git a/nixosConfigurations/gerg-desktop/services/vocard/vocard.nix b/nixosConfigurations/gerg-desktop/services/vocard/vocard.nix index acefeec..8b65174 100644 
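Review bot: Signing `pkgs.edk2-uefi-shell.efi` into the ESP with the host's own Secure Boot key (the `cp -f` and `sbctl sign -s` lines in the `lzbt` wrapper) turns an interactive UEFI shell into a trusted boot target; the `-nointerrupt -noconsolein -noconsoleout` flags live only in `windows.conf`, not in the binary, so anyone who can select `shellx64.efi` from the firmware boot menu or edit the entry gets an unrestricted shell while Secure Boot stays on. The removed limine block had `enableEditor = false`, but the new `systemd-boot` block sets no `editor`, so if lanzaboote honors `boot.loader.systemd-boot.editor` the entry editor is back to its default; add `editor = false;` next to `enable = lib.mkForce false;`. The wrapper also duplicates what `extraFiles."shellx64.efi"` and `extraEntries."windows.conf"` declare a few lines lower, and with `systemd-boot.enable` forced off it is not clear which of the two paths lanzaboote actually applies, so keep one. Finally, `HD2d65535a1:` replaces the old `uuid(58952b7f-…)` lookup with a firmware-enumeration-order device path; a comment stating where that handle was taken from would save the next reader a boot cycle.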
--- a/nixosConfigurations/gerg-desktop/services/vocard/vocard.nix +++ b/nixosConfigurations/gerg-desktop/services/vocard/vocard.nix @@ -15,31 +15,32 @@ in }; sops = { - secrets = { - ferretdb = { }; - lavalink = { - sopsFile = ./secrets.yaml; - restartUnits = [ - "vocard.service" - "lavalink.service" - ]; - }; + secrets = + { + ferretdb = { }; + lavalink = { + sopsFile = ./secrets.yaml; + restartUnits = [ + "vocard.service" + "lavalink.service" + ]; + }; - } - // builtins.listToAttrs ( - map - (x: { - name = "vocard/${x}"; - value.sopsFile = ./secrets.yaml; - }) - [ - "token" - "client_id" - "spotify_client_id" - "spotify_client_secret" - "password" - ] - ); + } + // builtins.listToAttrs ( + map + (x: { + name = "vocard/${x}"; + value.sopsFile = ./secrets.yaml; + }) + [ + "token" + "client_id" + "spotify_client_id" + "spotify_client_secret" + "password" + ] + ); templates.vocard = { restartUnits = [ diff --git a/nixosModules/misc.nix b/nixosModules/misc.nix index b7e8ecc..0fe9460 100644 --- a/nixosModules/misc.nix +++ b/nixosModules/misc.nix @@ -14,6 +14,14 @@ pciutils # lspci nix-janitor ; + nixos-rebuild-ng = pkgs.symlinkJoin { + name = "nixos-rebuild-ng"; + paths = [ pkgs.nixos-rebuild-ng ]; + postBuild = '' + ln -s "$out/bin/nixos-rebuild-ng" "$out/bin/nixos-rebuild" + ''; + }; + }; programs.git.enable = true; @@ -61,10 +69,7 @@ # Useless with flakes (without configuring) programs.command-not-found.enable = false; - system = { - disableInstallerTools = true; - tools.nixos-rebuild.enable = true; - }; + system.disableInstallerTools = true; services.userborn.enable = true; boot.enableContainers = false;
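Review bot: The `postBuild` of the `nixos-rebuild-ng` `symlinkJoin` uses plain `ln -s`, which fails the derivation with "File exists" if the joined package already provides a `bin/nixos-rebuild` link (newer nixpkgs builds of nixos-rebuild-ng may, as far as I recall; verify against the pinned nixpkgs); `ln -sf "$out/bin/nixos-rebuild-ng" "$out/bin/nixos-rebuild"` makes it safe either way. A short comment on why the alias exists would help, e.g. `# expose nixos-rebuild-ng under the classic name now that system.tools.nixos-rebuild is no longer enabled`, which ties it to the second misc.nix hunk that drops `tools.nixos-rebuild.enable`. The attribute set this package is declared in starts outside the hunk.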