2025-12-09 16:33:57 -05:00
5 changed files with 242 additions and 54 deletions
--- a/flake.lock
+++ b/flake.lock
@ -1,5 +1,20 @@
 {
  "nodes": {
+    "crane": {
+      "locked": {
+        "lastModified": 1754269165,
+        "narHash": "sha256-0tcS8FHd4QjbCVoxN9jI+PjHgA4vc/IjkUSp+N3zy0U=",
+        "owner": "ipetkov",
+        "repo": "crane",
+        "rev": "444e81206df3f7d92780680e45858e31d2f07a08",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ipetkov",
+        "repo": "crane",
+        "type": "github"
+      }
+    },
    "disko": {
      "inputs": {
        "nixpkgs": [
@ -41,6 +56,22 @@
      }
    },
    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1747046372,
+        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_2": {
      "flake": false,
      "locked": {
        "lastModified": 1733328505,
@ -56,7 +87,7 @@
        "type": "github"
      }
    },
-    "flake-compat_2": {
+    "flake-compat_3": {
      "flake": false,
      "locked": {
        "lastModified": 1761588595,
@ -73,6 +104,27 @@
      }
    },
    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1754091436,
+        "narHash": "sha256-XKqDMN1/Qj1DKivQvscI4vmHfDfvYR2pfuFOJiCeewM=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "67df8c627c2c39c41dbec76a1f201929929ab0bd",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-parts_2": {
      "inputs": {
        "nixpkgs-lib": [
          "nix",
@ -93,7 +145,7 @@
        "type": "github"
      }
    },
-    "flake-parts_2": {
+    "flake-parts_3": {
      "inputs": {
        "nixpkgs-lib": [
          "nvim-flake",
@ -146,6 +198,53 @@
        "type": "github"
      }
    },
+    "gitignore": {
+      "inputs": {
+        "nixpkgs": [
+          "lanzaboote",
+          "pre-commit-hooks-nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
+    "lanzaboote": {
+      "inputs": {
+        "crane": "crane",
+        "flake-compat": "flake-compat",
+        "flake-parts": "flake-parts",
+        "nixpkgs": [
+          "unstable"
+        ],
+        "pre-commit-hooks-nix": "pre-commit-hooks-nix",
+        "rust-overlay": "rust-overlay"
+      },
+      "locked": {
+        "lastModified": 1762205063,
+        "narHash": "sha256-If6vQ+KvtKs3ARBO9G3l+4wFSCYtRBrwX1z+I+B61wQ=",
+        "owner": "nix-community",
+        "repo": "lanzaboote",
+        "rev": "88b8a563ff5704f4e8d8e5118fb911fa2110ca05",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "lanzaboote",
+        "type": "github"
+      }
+    },
    "master": {
      "locked": {
        "lastModified": 1762312580,
@ -179,7 +278,7 @@
    },
    "neovim-nightly": {
      "inputs": {
-        "flake-parts": "flake-parts_2",
+        "flake-parts": "flake-parts_3",
        "neovim-src": "neovim-src",
        "nixpkgs": "nixpkgs"
      },
@ -215,8 +314,8 @@
    },
    "nix": {
      "inputs": {
-        "flake-compat": "flake-compat",
-        "flake-parts": "flake-parts",
+        "flake-compat": "flake-compat_2",
+        "flake-parts": "flake-parts_2",
        "git-hooks-nix": "git-hooks-nix",
        "nixpkgs": [
          "stable"
@ -345,7 +444,7 @@
    },
    "nvim-flake": {
      "inputs": {
-        "flake-compat": "flake-compat_2",
+        "flake-compat": "flake-compat_3",
        "mnw": "mnw",
        "neovim-nightly": "neovim-nightly",
        "nixpkgs": [
@ -367,10 +466,37 @@
        "type": "github"
      }
    },
+    "pre-commit-hooks-nix": {
+      "inputs": {
+        "flake-compat": [
+          "lanzaboote",
+          "flake-compat"
+        ],
+        "gitignore": "gitignore",
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1750779888,
+        "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=",
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "type": "github"
+      }
+    },
    "root": {
      "inputs": {
        "disko": "disko",
        "fetch-rs": "fetch-rs",
+        "lanzaboote": "lanzaboote",
        "master": "master",
        "nix": "nix",
        "nix-index-database": "nix-index-database",
@ -384,6 +510,27 @@
        "unstable": "unstable"
      }
    },
+    "rust-overlay": {
+      "inputs": {
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1761791894,
+        "narHash": "sha256-myRIDh+PxaREz+z9LzbqBJF+SnTFJwkthKDX9zMyddY=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "59c45eb69d9222a4362673141e00ff77842cd219",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    },
    "sops-nix": {
      "inputs": {
        "nixpkgs": [
--- a/flake.nix
+++ b/flake.nix
@ -52,6 +52,12 @@
      repo = "nix-index-database";
      inputs.nixpkgs.follows = "unstable";
    };
+    lanzaboote = {
+      type = "github";
+      owner = "nix-community";
+      repo = "lanzaboote";
+      inputs.nixpkgs.follows = "unstable";
+    };
    systems = {
      type = "github";
      owner = "nix-systems";
--- a/nixosConfigurations/gerg-desktop/boot.nix
+++ b/nixosConfigurations/gerg-desktop/boot.nix
@ -1,38 +1,67 @@
 {
+  lanzaboote,
+  config,
  lib,
  pkgs,
 }:
+let
+  windowsConf = ''
+    title  Windows
+    efi     /shellx64.efi
+    options -nointerrupt -noconsolein -noconsoleout HD2d65535a1:EFI\Microsoft\Boot\Bootmgfw.efi
+  '';
+in
 {
-  local.packages = {
-    inherit (pkgs) sbctl;
-  };
+  imports = [ lanzaboote.nixosModules.lanzaboote ];

+  environment.systemPackages = [
+    pkgs.sbctl
+    (pkgs.writeShellScriptBin "windows" ''
+      bootctl set-oneshot windows.conf
+      bootctl set-timeout-oneshot 1
+      reboot
+    '')
+  ];
  systemd.tmpfiles.rules = [
    "L+ /var/lib/sbctl  - - - - /persist/secureboot"
  ];

  boot = {
+    lanzaboote = {
+      enable = true;
+      pkiBundle = "/var/lib/sbctl";
+      configurationLimit = 10;
+      package = lib.mkForce (
+        pkgs.writeShellApplication {
+          name = "lzbt";
+          runtimeInputs = [
+            lanzaboote.packages.tool
+            pkgs.coreutils
+            pkgs.sbctl
+          ];
+          text = ''
+            lzbt "$@"
+            MP='${config.boot.loader.efi.efiSysMountPoint}'
+            cp -f '${pkgs.edk2-uefi-shell.efi}' "$MP/shellx64.efi"
+            mkdir -p "$MP/loader/entries"
+            sbctl sign -s "$MP/shellx64.efi"
+            cat << EOF > "$MP/loader/entries/windows.conf"
+            ${windowsConf}
+            EOF
+          '';
+        }
+      );
+    };
+
    loader = {
-      limine = {
-        enable = true;
-        biosSupport = false;
-        efiSupport = true;
-        maxGenerations = 10;
-        enableEditor = false;
-        secureBoot = {
-          enable = true;
-        };
-        extraEntries = ''
-          /Windows
-              protocol: efi
-              path: uuid(58952b7f-ac08-4fa3-92ad-cac5a3349199):/EFI/Microsoft/Boot/bootmgfw.efi
-        '';
+      systemd-boot = {
+        enable = lib.mkForce false;
+        extraFiles."shellx64.efi" = pkgs.edk2-uefi-shell.efi;
+        extraEntries."windows.conf" = windowsConf;
      };
-      efi.efiSysMountPoint = "/efi0E";
-      # just in case
-      systemd-boot.enable = lib.mkForce false;
      grub.enable = lib.mkForce false;
      timeout = lib.mkForce 5;
+      efi.efiSysMountPoint = "/efi22";
    };
  };
 }
--- a/nixosConfigurations/gerg-desktop/services/vocard/vocard.nix
+++ b/nixosConfigurations/gerg-desktop/services/vocard/vocard.nix
@ -15,31 +15,32 @@ in
  };

  sops = {
-    secrets = {
-      ferretdb = { };
-      lavalink = {
-        sopsFile = ./secrets.yaml;
-        restartUnits = [
-          "vocard.service"
-          "lavalink.service"
-        ];
-      };
+    secrets =
+      {
+        ferretdb = { };
+        lavalink = {
+          sopsFile = ./secrets.yaml;
+          restartUnits = [
+            "vocard.service"
+            "lavalink.service"
+          ];
+        };

-    }
-    // builtins.listToAttrs (
-      map
-        (x: {
-          name = "vocard/${x}";
-          value.sopsFile = ./secrets.yaml;
-        })
-        [
-          "token"
-          "client_id"
-          "spotify_client_id"
-          "spotify_client_secret"
-          "password"
-        ]
-    );
+      }
+      // builtins.listToAttrs (
+        map
+          (x: {
+            name = "vocard/${x}";
+            value.sopsFile = ./secrets.yaml;
+          })
+          [
+            "token"
+            "client_id"
+            "spotify_client_id"
+            "spotify_client_secret"
+            "password"
+          ]
+      );

    templates.vocard = {
      restartUnits = [
--- a/nixosModules/misc.nix
+++ b/nixosModules/misc.nix
@ -14,6 +14,14 @@
      pciutils # lspci
      nix-janitor
      ;
+    nixos-rebuild-ng = pkgs.symlinkJoin {
+      name = "nixos-rebuild-ng";
+      paths = [ pkgs.nixos-rebuild-ng ];
+      postBuild = ''
+        ln -s "$out/bin/nixos-rebuild-ng" "$out/bin/nixos-rebuild"
+      '';
+    };
+
  };

  programs.git.enable = true;
@ -61,10 +69,7 @@
  # Useless with flakes (without configuring)
  programs.command-not-found.enable = false;

-  system = {
-    disableInstallerTools = true;
-    tools.nixos-rebuild.enable = true;
-  };
+  system.disableInstallerTools = true;

  services.userborn.enable = true;
  boot.enableContainers = false;