From 3b5c369c7642fa7a65fe60f18cea3f5b893500b2 Mon Sep 17 00:00:00 2001 From: Crony Akatsuki Date: Sun, 18 Jan 2026 11:32:53 +0100 Subject: [PATCH 1/2] feat: setup secure boot with lazanboote. --- flake.nix | 9 +++++++++ hosts/skadi/configuration.nix | 16 ++++++++++++++-- 2 files changed, 23 insertions(+), 2 deletions(-) diff --git a/flake.nix b/flake.nix index b45458e..b987beb 100644 --- a/flake.nix +++ b/flake.nix @@ -140,6 +140,12 @@ # Some gaming related stuff ( actual osu! ) nix-gaming.url = "github:cronyakatsuki/nix-gaming"; + + # Secure boot with nixos + lanzaboote = { + url = "github:nix-community/lanzaboote/v1.0.0"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; outputs = { @@ -154,6 +160,7 @@ agenix, nix-flatpak, chaotic, + lanzaboote, ... } @ inputs: let hostsData = import ./hosts.nix; @@ -363,6 +370,8 @@ nix-flatpak.nixosModules.nix-flatpak # Use chaotic for some packages chaotic.nixosModules.default + # Setup secure boot + lanzaboote.nixosModules.lanzaboote # Setup home manager for my user home-manager.nixosModules.home-manager { diff --git a/hosts/skadi/configuration.nix b/hosts/skadi/configuration.nix index 47384ec..f74e70d 100644 --- a/hosts/skadi/configuration.nix +++ b/hosts/skadi/configuration.nix @@ -2,6 +2,7 @@ inputs, config, pkgs, + lib, ... }: { imports = [ @@ -11,9 +12,20 @@ inputs.home-manager.nixosModules.home-manager ]; + # For tpm unlock + boot.initrd.systemd.enable = true; + + # To explicitly disable systemd-boot, lanzaboote takes care of that. + boot.loader.systemd-boot.enable = lib.mkForce false; + # Bootloader. - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; + boot.lanzaboote = { + enable = true; + pkiBundle = "/var/lib/sbctl"; + autoEnrollKeys = { + enable = true; + }; + }; # Enable aarch64 emulation boot.binfmt.emulatedSystems = ["aarch64-linux"]; From 22565726b336bbbbfeaec0245fd5918d3384b81d Mon Sep 17 00:00:00 2001 
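Review bot: In the hosts/skadi/configuration.nix hunk the comment `# For tpm unlock` above `boot.initrd.systemd.enable = true;` describes a TPM-based unlock that nothing in this change configures, so a reader cannot tell whether the LUKS enrolment exists at all or was done out of band; I would reword it to what the line does, e.g. `# systemd in the initrd is required by lanzaboote and by TPM2-backed LUKS unlock (enrolment is done manually, outside this config)`, and if a volume really is sealed to the TPM, record in the same comment which PCRs it is bound to, since a key not bound to PCR 7 (Secure Boot state) gains nothing from lanzaboote. `pkiBundle = "/var/lib/sbctl";` keeps the Secure Boot signing keys on the root filesystem, which means root compromise equals the ability to sign arbitrary boot binaries and losing the directory leaves the host unable to boot new generations, so a comment such as `# signing keys: must stay root-only and be backed up off-host` is warranted. `autoEnrollKeys.enable = true;` appears to enrol the sbctl keys into firmware on activation; that only works with the firmware in Setup Mode, and on hardware whose option ROMs (typically discrete GPUs) are Microsoft-signed, enrolling without the Microsoft vendor certificates can leave the machine unable to POST, so it is worth confirming whether those certificates are included (sbctl exposes this as `enroll-keys --microsoft`) before this lands on the host. The removal of `boot.loader.efi.canTouchEfiVariables = true;` is not explained; if the expectation is that lanzaboote's install hook manages the EFI boot entry instead, say so in the `# Bootloader.` comment rather than leaving the reader to infer it. The enclosing module attribute set starts and ends outside the hunk.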
From: Crony Akatsuki Date: Sun, 18 Jan 2026 11:33:01 +0100 Subject: [PATCH 2/2] chore: update flake.lock --- flake.lock | 126 ++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 124 insertions(+), 2 deletions(-) diff --git a/flake.lock b/flake.lock index 75f1a9a..2e0bf0e 100644 --- a/flake.lock +++ b/flake.lock @@ -191,6 +191,21 @@ "type": "github" } }, + "crane": { + "locked": { + "lastModified": 1765145449, + "narHash": "sha256-aBVHGWWRzSpfL++LubA0CwOOQ64WNLegrYHwsVuVN7A=", + "owner": "ipetkov", + "repo": "crane", + "rev": "69f538cdce5955fcd47abfed4395dc6d5194c1c5", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, "darwin": { "inputs": { "nixpkgs": [ @@ -411,6 +426,22 @@ } }, "flake-compat_7": { + "flake": false, + "locked": { + "lastModified": 1761588595, + "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_8": { "flake": false, "locked": { "lastModified": 1747046372, @@ -716,6 +747,28 @@ } }, "gitignore_5": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "pre-commit", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "gitignore_6": { "inputs": { "nixpkgs": [ "lnxlink", 
@@ -1385,6 +1438,30 @@ "type": "github" } }, + "lanzaboote": { + "inputs": { + "crane": "crane", + "nixpkgs": [ + "nixpkgs" + ], + "pre-commit": "pre-commit", + "rust-overlay": "rust-overlay_3" + }, + "locked": { + "lastModified": 1765382359, + "narHash": "sha256-RJmgVDzjRI18BWVogG6wpsl1UCuV6ui8qr4DJ1LfWZ8=", + "owner": "nix-community", + "repo": "lanzaboote", + "rev": "e8c096ade12ec9130ff931b0f0e25d2f1bc63607", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "v1.0.0", + "repo": "lanzaboote", + "type": "github" + } + }, "lnxlink": { "inputs": { "flake-utils": "flake-utils_3", @@ -1872,6 +1949,29 @@ "type": "github" } }, + "pre-commit": { + "inputs": { + "flake-compat": "flake-compat_7", + "gitignore": "gitignore_5", + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1765016596, + "narHash": "sha256-rhSqPNxDVow7OQKi4qS5H8Au0P4S3AYbawBSmJNUtBQ=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "548fc44fca28a5e81c5d6b846e555e6b9c2a5a3c", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "pre-commit-hooks": { "inputs": { "flake-compat": "flake-compat_3", @@ -1937,8 +2037,8 @@ }, "pre-commit-hooks_4": { "inputs": { - "flake-compat": "flake-compat_7", - "gitignore": "gitignore_5", + "flake-compat": "flake-compat_8", + "gitignore": "gitignore_6", "nixpkgs": "nixpkgs_5" }, "locked": { @@ -1970,6 +2070,7 @@ "home-manager": "home-manager_3", "hyprland": "hyprland", "hyprlock": "hyprlock", + "lanzaboote": "lanzaboote", "lnxlink": "lnxlink", "nbfc-linux": "nbfc-linux", "neovim-nightly-overlay": "neovim-nightly-overlay", 
@@ -2023,6 +2124,27 @@ "type": "github" } }, + "rust-overlay_3": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1765075567, + "narHash": "sha256-KFDCdQcHJ0hE3Nt5Gm5enRIhmtEifAjpxgUQ3mzSJpA=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "769156779b41e8787a46ca3d7d76443aaf68be6f", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "scss-reset": { "flake": false, "locked": {