larssonmartin1998/.dotfiles
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Setup secure boot on x86 linux using lanzaboote

Browse source
This commit is contained in:
Martin Larsson 2026-01-15 00:08:54 +01:00
parent fe2b2532d7
commit ac2d98a55b
3 changed files with 142 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

124
flake.lock generated
View file

@ -55,6 +55,21 @@
"type": "github" "type": "github"
} }
}, },
"crane": {
"locked": {
"lastModified": 1765145449,
"narHash": "sha256-aBVHGWWRzSpfL++LubA0CwOOQ64WNLegrYHwsVuVN7A=",
"owner": "ipetkov",
"repo": "crane",
"rev": "69f538cdce5955fcd47abfed4395dc6d5194c1c5",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"flake-compat": { "flake-compat": {
"locked": { "locked": {
"lastModified": 1746162366, "lastModified": 1746162366,
@ -71,6 +86,22 @@
} }
}, },
"flake-compat_2": { "flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1761588595,
"narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_3": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1765121682, "lastModified": 1765121682,
@ -125,6 +156,28 @@
"type": "github" "type": "github"
} }
}, },
"gitignore": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"pre-commit",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"home-manager": { "home-manager": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -193,6 +246,30 @@
"type": "github" "type": "github"
} }
}, },
"lanzaboote": {
"inputs": {
"crane": "crane",
"nixpkgs": [
"nixpkgs"
],
"pre-commit": "pre-commit",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1765382359,
"narHash": "sha256-RJmgVDzjRI18BWVogG6wpsl1UCuV6ui8qr4DJ1LfWZ8=",
"owner": "nix-community",
"repo": "lanzaboote",
"rev": "e8c096ade12ec9130ff931b0f0e25d2f1bc63607",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "v1.0.0",
"repo": "lanzaboote",
"type": "github"
}
},
"nix-darwin": { "nix-darwin": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -234,7 +311,7 @@
}, },
"nixos-wsl": { "nixos-wsl": {
"inputs": { "inputs": {
"flake-compat": "flake-compat_2", "flake-compat": "flake-compat_3",
"nixpkgs": "nixpkgs_4" "nixpkgs": "nixpkgs_4"
}, },
"locked": { "locked": {
@ -352,6 +429,29 @@
"type": "github" "type": "github"
} }
}, },
"pre-commit": {
"inputs": {
"flake-compat": "flake-compat_2",
"gitignore": "gitignore",
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1765016596,
"narHash": "sha256-rhSqPNxDVow7OQKi4qS5H8Au0P4S3AYbawBSmJNUtBQ=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "548fc44fca28a5e81c5d6b846e555e6b9c2a5a3c",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"apple-silicon-support": "apple-silicon-support", "apple-silicon-support": "apple-silicon-support",
@ -360,6 +460,7 @@
"homebrew-bundle": "homebrew-bundle", "homebrew-bundle": "homebrew-bundle",
"homebrew-cask": "homebrew-cask", "homebrew-cask": "homebrew-cask",
"homebrew-core": "homebrew-core", "homebrew-core": "homebrew-core",
"lanzaboote": "lanzaboote",
"nix-darwin": "nix-darwin", "nix-darwin": "nix-darwin",
"nix-homebrew": "nix-homebrew", "nix-homebrew": "nix-homebrew",
"nixos-wsl": "nixos-wsl", "nixos-wsl": "nixos-wsl",
@ -367,6 +468,27 @@
"nur": "nur" "nur": "nur"
} }
}, },
"rust-overlay": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1765075567,
"narHash": "sha256-KFDCdQcHJ0hE3Nt5Gm5enRIhmtEifAjpxgUQ3mzSJpA=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "769156779b41e8787a46ca3d7d76443aaf68be6f",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"systems": { "systems": {
"locked": { "locked": {
"lastModified": 1681028828, "lastModified": 1681028828,

7
flake.nix
View file

@ -26,6 +26,11 @@
# neovim.url = "github:LarssonMartin1998/neovim-flake"; # neovim.url = "github:LarssonMartin1998/neovim-flake";
nix-homebrew.url = "github:zhaofengli-wip/nix-homebrew"; nix-homebrew.url = "github:zhaofengli-wip/nix-homebrew";
lanzaboote = {
url = "github:nix-community/lanzaboote/v1.0.0";
inputs.nixpkgs.follows = "nixpkgs";
};
homebrew-core = { homebrew-core = {
url = "github:homebrew/homebrew-core"; url = "github:homebrew/homebrew-core";
flake = false; flake = false;
@ -49,6 +54,7 @@
home-manager, home-manager,
nix-darwin, nix-darwin,
nixos-wsl, nixos-wsl,
lanzaboote,
# neovim, # neovim,
colorsync, colorsync,
nix-homebrew, nix-homebrew,
@ -147,6 +153,7 @@
extraModules = [ extraModules = [
./nix/system/linux.nix ./nix/system/linux.nix
./nix/system/linux_x86.nix ./nix/system/linux_x86.nix
lanzaboote.nixosModules.lanzaboote
]; ];
}; };

14
nix/system/linux_x86.nix
View file

@ -1,4 +1,4 @@
{ ... }: { pkgs, lib, ... }:
{ {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
@ -7,13 +7,23 @@
boot = { boot = {
loader = { loader = {
systemd-boot.enable = true; systemd-boot.enable = lib.mkForce false; # lanzaboote replaces systemd-boot module
efi.canTouchEfiVariables = true; efi.canTouchEfiVariables = true;
}; };
lanzaboote = {
enable = true;
pkiBundle = "/var/lib/sbctl";
};
}; };
networking.hostName = "walnut-nixos"; networking.hostName = "walnut-nixos";
environment = {
systemPackages = with pkgs; [
sbctl
];
};
programs = { programs = {
sway.extraOptions = [ sway.extraOptions = [
"--unsupported-gpu" "--unsupported-gpu"