chore: update flake.lock

feat: setup secure boot with lazanboote.
2026-01-18 11:33:01 +01:00 · 2026-01-18 11:32:53 +01:00
3 changed files with 147 additions and 4 deletions
--- a/flake.lock
+++ b/flake.lock
@ -191,6 +191,21 @@
        "type": "github"
      }
    },
+    "crane": {
+      "locked": {
+        "lastModified": 1765145449,
+        "narHash": "sha256-aBVHGWWRzSpfL++LubA0CwOOQ64WNLegrYHwsVuVN7A=",
+        "owner": "ipetkov",
+        "repo": "crane",
+        "rev": "69f538cdce5955fcd47abfed4395dc6d5194c1c5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ipetkov",
+        "repo": "crane",
+        "type": "github"
+      }
+    },
    "darwin": {
      "inputs": {
        "nixpkgs": [
@ -411,6 +426,22 @@
      }
    },
    "flake-compat_7": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1761588595,
+        "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_8": {
      "flake": false,
      "locked": {
        "lastModified": 1747046372,
@ -716,6 +747,28 @@
      }
    },
    "gitignore_5": {
+      "inputs": {
+        "nixpkgs": [
+          "lanzaboote",
+          "pre-commit",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
+    "gitignore_6": {
      "inputs": {
        "nixpkgs": [
          "lnxlink",
@ -1385,6 +1438,30 @@
        "type": "github"
      }
    },
+    "lanzaboote": {
+      "inputs": {
+        "crane": "crane",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "pre-commit": "pre-commit",
+        "rust-overlay": "rust-overlay_3"
+      },
+      "locked": {
+        "lastModified": 1765382359,
+        "narHash": "sha256-RJmgVDzjRI18BWVogG6wpsl1UCuV6ui8qr4DJ1LfWZ8=",
+        "owner": "nix-community",
+        "repo": "lanzaboote",
+        "rev": "e8c096ade12ec9130ff931b0f0e25d2f1bc63607",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "v1.0.0",
+        "repo": "lanzaboote",
+        "type": "github"
+      }
+    },
    "lnxlink": {
      "inputs": {
        "flake-utils": "flake-utils_3",
@ -1872,6 +1949,29 @@
        "type": "github"
      }
    },
+    "pre-commit": {
+      "inputs": {
+        "flake-compat": "flake-compat_7",
+        "gitignore": "gitignore_5",
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1765016596,
+        "narHash": "sha256-rhSqPNxDVow7OQKi4qS5H8Au0P4S3AYbawBSmJNUtBQ=",
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "rev": "548fc44fca28a5e81c5d6b846e555e6b9c2a5a3c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "type": "github"
+      }
+    },
    "pre-commit-hooks": {
      "inputs": {
        "flake-compat": "flake-compat_3",
@ -1937,8 +2037,8 @@
    },
    "pre-commit-hooks_4": {
      "inputs": {
-        "flake-compat": "flake-compat_7",
-        "gitignore": "gitignore_5",
+        "flake-compat": "flake-compat_8",
+        "gitignore": "gitignore_6",
        "nixpkgs": "nixpkgs_5"
      },
      "locked": {
@ -1970,6 +2070,7 @@
        "home-manager": "home-manager_3",
        "hyprland": "hyprland",
        "hyprlock": "hyprlock",
+        "lanzaboote": "lanzaboote",
        "lnxlink": "lnxlink",
        "nbfc-linux": "nbfc-linux",
        "neovim-nightly-overlay": "neovim-nightly-overlay",
@ -2023,6 +2124,27 @@
        "type": "github"
      }
    },
+    "rust-overlay_3": {
+      "inputs": {
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1765075567,
+        "narHash": "sha256-KFDCdQcHJ0hE3Nt5Gm5enRIhmtEifAjpxgUQ3mzSJpA=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "769156779b41e8787a46ca3d7d76443aaf68be6f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    },
    "scss-reset": {
      "flake": false,
      "locked": {
--- a/flake.nix
+++ b/flake.nix
@ -140,6 +140,12 @@

    # Some gaming related stuff ( actual osu! )
    nix-gaming.url = "github:cronyakatsuki/nix-gaming";
+
+    # Secure boot with nixos
+    lanzaboote = {
+      url = "github:nix-community/lanzaboote/v1.0.0";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
  };

  outputs = {
@ -154,6 +160,7 @@
    agenix,
    nix-flatpak,
    chaotic,
+    lanzaboote,
    ...
  } @ inputs: let
    hostsData = import ./hosts.nix;
@ -363,6 +370,8 @@
          nix-flatpak.nixosModules.nix-flatpak
          # Use chaotic for some packages
          chaotic.nixosModules.default
+          # Setup secure boot
+          lanzaboote.nixosModules.lanzaboote
          # Setup home manager for my user
          home-manager.nixosModules.home-manager
          {
--- a/hosts/skadi/configuration.nix
+++ b/hosts/skadi/configuration.nix
@ -2,6 +2,7 @@
  inputs,
  config,
  pkgs,
+  lib,
  ...
 }: {
  imports = [
@ -11,9 +12,20 @@
    inputs.home-manager.nixosModules.home-manager
  ];

+  # For tpm unlock
+  boot.initrd.systemd.enable = true;
+
+  # To explicitly disable systemd-boot, lanzaboote takes care of that.
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+
  # Bootloader.
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
+  boot.lanzaboote = {
+    enable = true;
+    pkiBundle = "/var/lib/sbctl";
+    autoEnrollKeys = {
+      enable = true;
+    };
+  };

  # Enable aarch64 emulation
  boot.binfmt.emulatedSystems = ["aarch64-linux"];
Author	SHA1	Message	Date
Crony Akatsuki	22565726b3	chore: update flake.lock	2026-01-18 11:33:01 +01:00
Crony Akatsuki	3b5c369c76	feat: setup secure boot with lazanboote.	2026-01-18 11:32:53 +01:00