diff --git a/flake.lock b/flake.lock index aa8131a..d454daf 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,58 @@ { "nodes": { + "crane": { + "locked": { + "lastModified": 1765145449, + "narHash": "sha256-aBVHGWWRzSpfL++LubA0CwOOQ64WNLegrYHwsVuVN7A=", + "owner": "ipetkov", + "repo": "crane", + "rev": "69f538cdce5955fcd47abfed4395dc6d5194c1c5", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1761588595, + "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "pre-commit", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ @@ -21,6 +74,30 @@ "type": "github" } }, + "lanzaboote": { + "inputs": { + "crane": "crane", + "nixpkgs": [ + "nixpkgs" + ], + "pre-commit": "pre-commit", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1765382359, + "narHash": "sha256-RJmgVDzjRI18BWVogG6wpsl1UCuV6ui8qr4DJ1LfWZ8=", + "owner": "nix-community", + "repo": "lanzaboote", + "rev": "e8c096ade12ec9130ff931b0f0e25d2f1bc63607", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "v1.0.0", + "repo": "lanzaboote", + "type": "github" + } + }, "nix-flatpak": { "locked": { "lastModified": 1767983141, 
@@ -92,14 +169,59 @@ "type": "github" } }, + "pre-commit": { + "inputs": { + "flake-compat": "flake-compat", + "gitignore": "gitignore", + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1765016596, + "narHash": "sha256-rhSqPNxDVow7OQKi4qS5H8Au0P4S3AYbawBSmJNUtBQ=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "548fc44fca28a5e81c5d6b846e555e6b9c2a5a3c", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "root": { "inputs": { "home-manager": "home-manager", + "lanzaboote": "lanzaboote", "nix-flatpak": "nix-flatpak", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", "plasma-manager": "plasma-manager" } + }, + "rust-overlay": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1765075567, + "narHash": "sha256-KFDCdQcHJ0hE3Nt5Gm5enRIhmtEifAjpxgUQ3mzSJpA=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "769156779b41e8787a46ca3d7d76443aaf68be6f", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 466d738..8472307 100644 --- a/flake.nix +++ b/flake.nix @@ -14,6 +14,10 @@ inputs.nixpkgs.follows = "nixpkgs"; inputs.home-manager.follows = "home-manager"; }; + lanzaboote = { + url = "github:nix-community/lanzaboote/v1.0.0"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; outputs = { self, nixos-hardware, ... }@inputs: diff --git a/hosts/gaming-pc.nix b/hosts/gaming-pc.nix index 811a2e4..5ffb30d 100644 --- a/hosts/gaming-pc.nix +++ b/hosts/gaming-pc.nix 
@@ -9,26 +9,46 @@
 hardware.enableRedistributableFirmware = true;
 # Bootloader.
- boot.loader.systemd-boot = {
+ # boot.loader.systemd-boot = {
+ # enable = true;
+ # graceful = true;
+ # windows = {
+ # "windows" =
+ # let
+ # # To determine the name of the windows boot drive, boot into edk2 first, then run
+ # # `map -c` to get drive aliases, and try out running `FS1:`, then `ls EFI` to check
+ # # which alias corresponds to which EFI partition.
+ # boot-drive = "FS0";
+ # in
+ # {
+ # title = "Windows";
+ # efiDeviceHandle = boot-drive;
+ # sortKey = "y_windows";
+ # };
+ # };
+ # edk2-uefi-shell.enable = true;
+ # edk2-uefi-shell.sortKey = "z_edk2";
+ # # Limiting number of generations to prevent ESP from filling
+ # configurationLimit = 3;
+ # };
+
+ environment.systemPackages = [
+ # For debugging and troubleshooting Secure Boot.
+ pkgs.sbctl
+ ];
+
+ # Lanzaboote currently replaces the systemd-boot module.
+ # This setting is usually set to true in configuration.nix
+ # generated at installation time. So we force it to false
+ # for now.
+ boot.loader.systemd-boot.enable = lib.mkForce false;
+
+ boot.lanzaboote = {
 enable = true;
- graceful = true;
- windows = {
- "windows" =
- let
- # To determine the name of the windows boot drive, boot into edk2 first, then run
- # `map -c` to get drive aliases, and try out running `FS1:`, then `ls EFI` to check
- # which alias corresponds to which EFI partition.
- boot-drive = "FS0";
- in
- {
- title = "Windows";
- efiDeviceHandle = boot-drive;
- sortKey = "y_windows";
- };
- };
- edk2-uefi-shell.enable = true;
- edk2-uefi-shell.sortKey = "z_edk2";
+ pkiBundle = "/var/lib/sbctl";
+ configurationLimit = 3;
 };
+ boot.loader.efi.canTouchEfiVariables = true;
 # Kernel
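Review bot: `pkiBundle = "/var/lib/sbctl"` makes a directory outside the Nix store the root of trust for every UKI lanzaboote signs, yet nothing in the hunk records that the sbctl-created keys presumably have to exist there before this configuration is first built, or that they are private signing keys (root-only, never into the repo or casual backups); a comment such as `# Secure Boot signing keys created with sbctl; private material, keep out of the repo and backups` above the assignment would capture both. `lib.mkForce` and `pkgs.sbctl` need the module's argument set, which sits above this hunk, to bind `lib` and `pkgs`, which is worth confirming because the removed code used neither. Whether the Windows boot entry survives the switch away from the systemd-boot module is not visible from here and deserves a line in the commit or a comment. The commented-out `boot.loader.systemd-boot` block is dead code that Git history already preserves; dropping it, or leaving a single `# Windows and edk2 shell entries from the systemd-boot setup were removed with the move to lanzaboote; see git history` in its place, keeps the file readable.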
@@ -66,16 +86,19 @@
 };
 "/boot" =
- { device = "/dev/disk/by-uuid/2C6B-5A17";
+ { device = "/dev/disk/by-uuid/3C56-F3E7";
 fsType = "vfat";
 options = [ "fmask=0077" "dmask=0077" ];
 };
 "/var/games" = {
- device = "/dev/disk/by-uuid/d650af28-772a-4b08-a370-4c62ba0dc764"; # Old Gaming Arch partition
- fsType = "btrfs";
- options = [ "subvol=/Games" "compress-force=zstd" ];
+ device = "/dev/disk/by-uuid/8A3094A230949733"; # "Shared" NTFS partition
+ fsType = "ntfs-3g";
+ options = [
+ "uid=1000" "gid=100" # My user account
+ "nofail" # Don't fail boot if failed to mount because windows left it dirty
+ ];
 };
 };
@@ -118,4 +141,4 @@
 # Before changing this value read the documentation for this option
 # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
 system.stateVersion = "24.05"; # Did you read the comment?
-}
\ No newline at end of file
+}
diff --git a/lib/mkNixosSystem.nix b/lib/mkNixosSystem.nix
index 908ed58..0620ca4 100644
--- a/lib/mkNixosSystem.nix
+++ b/lib/mkNixosSystem.nix
@@ -1,4 +1,4 @@
-{ self, nixpkgs, home-manager, nix-flatpak, plasma-manager, ... }:
+{ self, nixpkgs, home-manager, nix-flatpak, plasma-manager, lanzaboote, ... }:
 hardwareConfig: hostConfig:
 nixpkgs.lib.nixosSystem {
@@ -8,6 +8,7 @@ nixpkgs.lib.nixosSystem {
 inherit plasma-manager;
 };
 modules = [
+ lanzaboote.nixosModules.lanzaboote
 hardwareConfig
 home-manager.nixosModules.home-manager
 ../modules
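Review bot: The new `/var/games` mount exposes a Windows-writable NTFS volume to uid 1000 with only `uid`/`gid`/`nofail` in the options, so everything on it is readable, writable and most likely executable from that account under ntfs-3g's default permission mapping; unless games actually run from this partition, adding `"nosuid" "nodev" "noexec"` to the options list is the defensive default, and `"nosuid" "nodev"` at least. Whether ntfs-3g already applies nosuid/nodev when mounted by root through `fileSystems` is not something I can confirm from here, so stating them explicitly is the safer choice. The `/boot` UUID change from 2C6B-5A17 to 3C56-F3E7 carries no explanation in the hunk; if the ESP was recreated for the Secure Boot migration, a short comment on the `device` line would save the next reader a guess.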
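Review bot: `lanzaboote.nixosModules.lanzaboote` is added to `modules` for every host that goes through mkNixosSystem, while only hosts/gaming-pc.nix sets `boot.lanzaboote.enable`; the module should be inert elsewhere, but every host's evaluation now depends on the lanzaboote input and its transitive inputs (crane, rust-overlay and pre-commit in the lock), so a lockfile update touches hosts that never use Secure Boot. If the other hosts will not adopt it, importing the module from gaming-pc.nix instead keeps that surface local; if the global import is intentional, a comment such as `# Secure Boot support; inert unless a host sets boot.lanzaboote.enable` on the new line records the decision. The `nixpkgs.lib.nixosSystem` call enclosing this hunk opens in the previous hunk (where the `lanzaboote` parameter is added) and continues past it.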