add lanzaboote on gaming-pc

flake.lock

@@ -1,5 +1,58 @@
 {
   "nodes": {
+    "crane": {
+      "locked": {
+        "lastModified": 1765145449,
+        "narHash": "sha256-aBVHGWWRzSpfL++LubA0CwOOQ64WNLegrYHwsVuVN7A=",
+        "owner": "ipetkov",
+        "repo": "crane",
+        "rev": "69f538cdce5955fcd47abfed4395dc6d5194c1c5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ipetkov",
+        "repo": "crane",
+        "type": "github"
+      }
+    },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1761588595,
+        "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "gitignore": {
+      "inputs": {
+        "nixpkgs": [
+          "lanzaboote",
+          "pre-commit",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
     "home-manager": {
       "inputs": {
         "nixpkgs": [
@@ -21,6 +74,30 @@
         "type": "github"
       }
     },
+    "lanzaboote": {
+      "inputs": {
+        "crane": "crane",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "pre-commit": "pre-commit",
+        "rust-overlay": "rust-overlay"
+      },
+      "locked": {
+        "lastModified": 1765382359,
+        "narHash": "sha256-RJmgVDzjRI18BWVogG6wpsl1UCuV6ui8qr4DJ1LfWZ8=",
+        "owner": "nix-community",
+        "repo": "lanzaboote",
+        "rev": "e8c096ade12ec9130ff931b0f0e25d2f1bc63607",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "v1.0.0",
+        "repo": "lanzaboote",
+        "type": "github"
+      }
+    },
     "nix-flatpak": {
       "locked": {
         "lastModified": 1767983141,
@@ -92,14 +169,59 @@
         "type": "github"
       }
     },
+    "pre-commit": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "gitignore": "gitignore",
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1765016596,
+        "narHash": "sha256-rhSqPNxDVow7OQKi4qS5H8Au0P4S3AYbawBSmJNUtBQ=",
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "rev": "548fc44fca28a5e81c5d6b846e555e6b9c2a5a3c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "type": "github"
+      }
+    },
     "root": {
       "inputs": {
         "home-manager": "home-manager",
+        "lanzaboote": "lanzaboote",
         "nix-flatpak": "nix-flatpak",
         "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs",
         "plasma-manager": "plasma-manager"
       }
+    },
+    "rust-overlay": {
+      "inputs": {
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1765075567,
+        "narHash": "sha256-KFDCdQcHJ0hE3Nt5Gm5enRIhmtEifAjpxgUQ3mzSJpA=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "769156779b41e8787a46ca3d7d76443aaf68be6f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -14,6 +14,10 @@
       inputs.nixpkgs.follows = "nixpkgs";
       inputs.home-manager.follows = "home-manager";
     };
+    lanzaboote = {
+      url = "github:nix-community/lanzaboote/v1.0.0";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
   
   outputs = { self, nixos-hardware, ... }@inputs:

hosts/gaming-pc.nix

@@ -9,26 +9,46 @@
   hardware.enableRedistributableFirmware = true;
 
   # Bootloader.
-  boot.loader.systemd-boot = {
+  # boot.loader.systemd-boot = {
+  #   enable = true;
+  #   graceful = true;
+  #   windows = {
+  #       "windows" =
+  #         let
+  #           # To determine the name of the windows boot drive, boot into edk2 first, then run
+  #           # `map -c` to get drive aliases, and try out running `FS1:`, then `ls EFI` to check
+  #           # which alias corresponds to which EFI partition.
+  #           boot-drive = "FS0";
+  #         in
+  #         {
+  #           title = "Windows";
+  #           efiDeviceHandle = boot-drive;
+  #           sortKey = "y_windows";
+  #         };
+  #     };
+  #   edk2-uefi-shell.enable = true;
+  #   edk2-uefi-shell.sortKey = "z_edk2";
+  #   # Limiting number of generations to prevent ESP from filling
+  #   configurationLimit = 3;
+  # };
+
+  environment.systemPackages = [
+    # For debugging and troubleshooting Secure Boot.
+    pkgs.sbctl
+  ];
+
+  # Lanzaboote currently replaces the systemd-boot module.
+  # This setting is usually set to true in configuration.nix
+  # generated at installation time. So we force it to false
+  # for now.
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+
+  boot.lanzaboote = {
     enable = true;
-    graceful = true;
+    pkiBundle = "/var/lib/sbctl";
-    windows = {
+    configurationLimit = 3;
-        "windows" =
-          let
-            # To determine the name of the windows boot drive, boot into edk2 first, then run
-            # `map -c` to get drive aliases, and try out running `FS1:`, then `ls EFI` to check
-            # which alias corresponds to which EFI partition.
-            boot-drive = "FS0";
-          in
-          {
-            title = "Windows";
-            efiDeviceHandle = boot-drive;
-            sortKey = "y_windows";
-          };
-      };
-    edk2-uefi-shell.enable = true;
-    edk2-uefi-shell.sortKey = "z_edk2";
   };
+
   boot.loader.efi.canTouchEfiVariables = true;
 
   # Kernel
@@ -66,16 +86,19 @@
         };
 
       "/boot" =
-        { device = "/dev/disk/by-uuid/2C6B-5A17";
+        { device = "/dev/disk/by-uuid/3C56-F3E7";
           fsType = "vfat";
           options = [ "fmask=0077" "dmask=0077" ];
         };
 
       "/var/games" = 
         {
-          device = "/dev/disk/by-uuid/d650af28-772a-4b08-a370-4c62ba0dc764"; # Old Gaming Arch partition
+          device = "/dev/disk/by-uuid/8A3094A230949733"; # "Shared" NTFS partition
-          fsType = "btrfs";
+          fsType = "ntfs-3g";
-          options = [ "subvol=/Games" "compress-force=zstd" ];
+          options = [
+            "uid=1000" "gid=100" # My user account
+            "nofail" # Don't fail boot if failed to mount because windows left it dirty
+          ];
         };
     };
 

lib/mkNixosSystem.nix

@@ -1,4 +1,4 @@
-{ self, nixpkgs, home-manager, nix-flatpak, plasma-manager, ... }:
+{ self, nixpkgs, home-manager, nix-flatpak, plasma-manager, lanzaboote, ... }:
 hardwareConfig: hostConfig:
 
 nixpkgs.lib.nixosSystem {
@@ -8,6 +8,7 @@ nixpkgs.lib.nixosSystem {
     inherit plasma-manager;
   };
   modules = [
+    lanzaboote.nixosModules.lanzaboote
     hardwareConfig
     home-manager.nixosModules.home-manager
     ../modules