feat: rip lanzaboote

flake.lock

@@ -1,20 +1,5 @@
 {
   "nodes": {
-    "crane": {
-      "locked": {
-        "lastModified": 1754269165,
-        "narHash": "sha256-0tcS8FHd4QjbCVoxN9jI+PjHgA4vc/IjkUSp+N3zy0U=",
-        "owner": "ipetkov",
-        "repo": "crane",
-        "rev": "444e81206df3f7d92780680e45858e31d2f07a08",
-        "type": "github"
-      },
-      "original": {
-        "owner": "ipetkov",
-        "repo": "crane",
-        "type": "github"
-      }
-    },
     "disko": {
       "inputs": {
         "nixpkgs": [
@@ -56,22 +41,6 @@
       }
     },
     "flake-compat": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1747046372,
-        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
-        "type": "github"
-      },
-      "original": {
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
-    "flake-compat_2": {
       "flake": false,
       "locked": {
         "lastModified": 1733328505,
@@ -87,7 +56,7 @@
         "type": "github"
       }
     },
-    "flake-compat_3": {
+    "flake-compat_2": {
       "flake": false,
       "locked": {
         "lastModified": 1761588595,
@@ -104,27 +73,6 @@
       }
     },
     "flake-parts": {
-      "inputs": {
-        "nixpkgs-lib": [
-          "lanzaboote",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1754091436,
-        "narHash": "sha256-XKqDMN1/Qj1DKivQvscI4vmHfDfvYR2pfuFOJiCeewM=",
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "rev": "67df8c627c2c39c41dbec76a1f201929929ab0bd",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "type": "github"
-      }
-    },
-    "flake-parts_2": {
       "inputs": {
         "nixpkgs-lib": [
           "nix",
@@ -145,7 +93,7 @@
         "type": "github"
       }
     },
-    "flake-parts_3": {
+    "flake-parts_2": {
       "inputs": {
         "nixpkgs-lib": [
           "nvim-flake",
@@ -198,53 +146,6 @@
         "type": "github"
       }
     },
-    "gitignore": {
-      "inputs": {
-        "nixpkgs": [
-          "lanzaboote",
-          "pre-commit-hooks-nix",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1709087332,
-        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
-        "owner": "hercules-ci",
-        "repo": "gitignore.nix",
-        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "gitignore.nix",
-        "type": "github"
-      }
-    },
-    "lanzaboote": {
-      "inputs": {
-        "crane": "crane",
-        "flake-compat": "flake-compat",
-        "flake-parts": "flake-parts",
-        "nixpkgs": [
-          "unstable"
-        ],
-        "pre-commit-hooks-nix": "pre-commit-hooks-nix",
-        "rust-overlay": "rust-overlay"
-      },
-      "locked": {
-        "lastModified": 1762205063,
-        "narHash": "sha256-If6vQ+KvtKs3ARBO9G3l+4wFSCYtRBrwX1z+I+B61wQ=",
-        "owner": "nix-community",
-        "repo": "lanzaboote",
-        "rev": "88b8a563ff5704f4e8d8e5118fb911fa2110ca05",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "lanzaboote",
-        "type": "github"
-      }
-    },
     "master": {
       "locked": {
         "lastModified": 1762312580,
@@ -278,7 +179,7 @@
     },
     "neovim-nightly": {
       "inputs": {
-        "flake-parts": "flake-parts_3",
+        "flake-parts": "flake-parts_2",
         "neovim-src": "neovim-src",
         "nixpkgs": "nixpkgs"
       },
@@ -314,8 +215,8 @@
     },
     "nix": {
       "inputs": {
-        "flake-compat": "flake-compat_2",
+        "flake-compat": "flake-compat",
-        "flake-parts": "flake-parts_2",
+        "flake-parts": "flake-parts",
         "git-hooks-nix": "git-hooks-nix",
         "nixpkgs": [
           "stable"
@@ -444,7 +345,7 @@
     },
     "nvim-flake": {
       "inputs": {
-        "flake-compat": "flake-compat_3",
+        "flake-compat": "flake-compat_2",
         "mnw": "mnw",
         "neovim-nightly": "neovim-nightly",
         "nixpkgs": [
@@ -466,37 +367,10 @@
         "type": "github"
       }
     },
-    "pre-commit-hooks-nix": {
-      "inputs": {
-        "flake-compat": [
-          "lanzaboote",
-          "flake-compat"
-        ],
-        "gitignore": "gitignore",
-        "nixpkgs": [
-          "lanzaboote",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1750779888,
-        "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=",
-        "owner": "cachix",
-        "repo": "pre-commit-hooks.nix",
-        "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d",
-        "type": "github"
-      },
-      "original": {
-        "owner": "cachix",
-        "repo": "pre-commit-hooks.nix",
-        "type": "github"
-      }
-    },
     "root": {
       "inputs": {
         "disko": "disko",
         "fetch-rs": "fetch-rs",
-        "lanzaboote": "lanzaboote",
         "master": "master",
         "nix": "nix",
         "nix-index-database": "nix-index-database",
@@ -510,27 +384,6 @@
         "unstable": "unstable"
       }
     },
-    "rust-overlay": {
-      "inputs": {
-        "nixpkgs": [
-          "lanzaboote",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1761791894,
-        "narHash": "sha256-myRIDh+PxaREz+z9LzbqBJF+SnTFJwkthKDX9zMyddY=",
-        "owner": "oxalica",
-        "repo": "rust-overlay",
-        "rev": "59c45eb69d9222a4362673141e00ff77842cd219",
-        "type": "github"
-      },
-      "original": {
-        "owner": "oxalica",
-        "repo": "rust-overlay",
-        "type": "github"
-      }
-    },
     "sops-nix": {
       "inputs": {
         "nixpkgs": [

flake.nix

@@ -52,12 +52,6 @@
       repo = "nix-index-database";
       inputs.nixpkgs.follows = "unstable";
     };
-    lanzaboote = {
-      type = "github";
-      owner = "nix-community";
-      repo = "lanzaboote";
-      inputs.nixpkgs.follows = "unstable";
-    };
     systems = {
       type = "github";
       owner = "nix-systems";

nixosConfigurations/gerg-desktop/boot.nix

@@ -1,67 +1,38 @@
 {
-  lanzaboote,
-  config,
   lib,
   pkgs,
 }:
-let
-  windowsConf = ''
-    title  Windows
-    efi     /shellx64.efi
-    options -nointerrupt -noconsolein -noconsoleout HD2d65535a1:EFI\Microsoft\Boot\Bootmgfw.efi
-  '';
-in
 {
-  imports = [ lanzaboote.nixosModules.lanzaboote ];
+  local.packages = {
+    inherit (pkgs) sbctl;
+  };
 
-  environment.systemPackages = [
-    pkgs.sbctl
-    (pkgs.writeShellScriptBin "windows" ''
-      bootctl set-oneshot windows.conf
-      bootctl set-timeout-oneshot 1
-      reboot
-    '')
-  ];
   systemd.tmpfiles.rules = [
     "L+ /var/lib/sbctl  - - - - /persist/secureboot"
   ];
 
   boot = {
-    lanzaboote = {
-      enable = true;
-      pkiBundle = "/var/lib/sbctl";
-      configurationLimit = 10;
-      package = lib.mkForce (
-        pkgs.writeShellApplication {
-          name = "lzbt";
-          runtimeInputs = [
-            lanzaboote.packages.tool
-            pkgs.coreutils
-            pkgs.sbctl
-          ];
-          text = ''
-            lzbt "$@"
-            MP='${config.boot.loader.efi.efiSysMountPoint}'
-            cp -f '${pkgs.edk2-uefi-shell.efi}' "$MP/shellx64.efi"
-            mkdir -p "$MP/loader/entries"
-            sbctl sign -s "$MP/shellx64.efi"
-            cat << EOF > "$MP/loader/entries/windows.conf"
-            ${windowsConf}
-            EOF
-          '';
-        }
-      );
-    };
-
     loader = {
-      systemd-boot = {
+      limine = {
-        enable = lib.mkForce false;
+        enable = true;
-        extraFiles."shellx64.efi" = pkgs.edk2-uefi-shell.efi;
+        biosSupport = false;
-        extraEntries."windows.conf" = windowsConf;
+        efiSupport = true;
+        maxGenerations = 10;
+        enableEditor = false;
+        secureBoot = {
+          enable = true;
         };
+        extraEntries = ''
+          /Windows
+              protocol: efi
+              path: uuid(58952b7f-ac08-4fa3-92ad-cac5a3349199):/EFI/Microsoft/Boot/bootmgfw.efi
+        '';
+      };
+      efi.efiSysMountPoint = "/efi0E";
+      # just in case
+      systemd-boot.enable = lib.mkForce false;
       grub.enable = lib.mkForce false;
       timeout = lib.mkForce 5;
-      efi.efiSysMountPoint = "/efi22";
     };
   };
 }

nixosConfigurations/gerg-desktop/services/vocard/vocard.nix

@@ -15,8 +15,7 @@ in
   };
 
   sops = {
-    secrets =
+    secrets = {
-      {
       ferretdb = { };
       lavalink = {
         sopsFile = ./secrets.yaml;

nixosModules/misc.nix

@@ -14,14 +14,6 @@
       pciutils # lspci
       nix-janitor
       ;
-    nixos-rebuild-ng = pkgs.symlinkJoin {
-      name = "nixos-rebuild-ng";
-      paths = [ pkgs.nixos-rebuild-ng ];
-      postBuild = ''
-        ln -s "$out/bin/nixos-rebuild-ng" "$out/bin/nixos-rebuild"
-      '';
-    };
-
   };
 
   programs.git.enable = true;
@@ -69,7 +61,10 @@
   # Useless with flakes (without configuring)
   programs.command-not-found.enable = false;
 
-  system.disableInstallerTools = true;
+  system = {
+    disableInstallerTools = true;
+    tools.nixos-rebuild.enable = true;
+  };
 
   services.userborn.enable = true;
   boot.enableContainers = false;