diff --git a/flake.lock b/flake.lock index a794154..ca67e80 100644 --- a/flake.lock +++ b/flake.lock @@ -33,6 +33,41 @@ "type": "github" } }, + "crane": { + "locked": { + "lastModified": 1731098351, + "narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=", + "owner": "ipetkov", + "repo": "crane", + "rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1738148035, + "narHash": "sha256-KYOATYEwaKysL3HdHdS5kbQMXvzS4iPJzJrML+3TKAo=", + "owner": "nix-community", + "repo": "disko", + "rev": "18d0a984cc2bc82cf61df19523a34ad463aa7f54", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, "flake-compat": { "flake": false, "locked": { @@ -49,6 +84,43 @@ "type": "github" } }, + "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1730504689, + "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "506278e768c2a08bec68eb62932193e341f55c90", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, "gitignore": { "inputs": { "nixpkgs": [ @@ -71,6 +143,28 @@ "type": "github" } }, + "gitignore_2": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "pre-commit-hooks-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ @@ -282,6 +376,48 @@ "type": "github" } }, + "lanzaboote": { + "inputs": { + "crane": "crane", + "flake-compat": "flake-compat_2", + "flake-parts": "flake-parts", + "nixpkgs": [ + "nixpkgs" + ], + "pre-commit-hooks-nix": "pre-commit-hooks-nix", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1737639419, + "narHash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU=", + "owner": "nix-community", + "repo": "lanzaboote", + "rev": "a65905a09e2c43ff63be8c0e86a93712361f871e", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "v0.4.2", + "repo": "lanzaboote", + "type": "github" + } + }, + "nixos-hardware": { + "locked": { + "lastModified": 1738471961, + "narHash": "sha256-cgXDFrplNGs7bCVzXhRofjD8oJYqqXGcmUzXjHmip6Y=", + "owner": "NixOS", + "repo": "nixos-hardware", + "rev": "537286c3c59b40311e5418a180b38034661d2536", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "master", + "repo": "nixos-hardware", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1732758367, @@ -314,6 +450,22 @@ "type": "github" } }, + "nixpkgs-stable_2": { + "locked": { + "lastModified": 1730741070, + "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs_2": { "locked": { "lastModified": 1733261153, @@ -354,13 +506,64 @@ "type": "github" } }, + "pre-commit-hooks-nix": { + "inputs": { + "flake-compat": [ + "lanzaboote", + "flake-compat" + ], + "gitignore": "gitignore_2", + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable_2" + }, + "locked": { + "lastModified": 1731363552, + "narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "root": { "inputs": { + "disko": "disko", "home-manager": "home-manager", "hyprland": "hyprland", + "lanzaboote": "lanzaboote", + "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs_2" } }, + "rust-overlay": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1731897198, + "narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "0be641045af6d8666c11c2c40e45ffc9667839b5", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "systems": { "locked": { "lastModified": 1689347949, diff --git a/flake.nix b/flake.nix index 862b395..d5231f5 100644 --- a/flake.nix +++ b/flake.nix @@ -9,8 +9,18 @@ inputs.nixpkgs.follows = "nixpkgs"; }; + # Hyprland cachix flake hyprland.url = "github:hyprwm/Hyprland"; + # NixOS community managed hardware specific features/fixes + nixos-hardware.url = "github:NixOS/nixos-hardware/master"; + + # Secure boot + lanzaboote = { + url = "github:nix-community/lanzaboote/v0.4.2"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + # Disko disko = { url = "github:nix-community/disko"; @@ -23,6 +33,8 @@ nixpkgs, home-manager, disko, + lanzaboote, + nixos-hardware, ... } @ inputs: let @@ -35,7 +47,9 @@ "${host}" = nixpkgs.lib.nixosSystem { inherit system; modules = [ - disko.nixosModules.disko + lanzaboote.nixosModules.lanzaboote + disko.nixosModules.disko + nixos-hardware.nixosModules.framework-13-7040-amd ./nixos/configuration.nix ./nixos/disko-config.nix ./nixos/hardware-configuration.nix diff --git a/nixos/configuration.nix b/nixos/configuration.nix index fcac05b..5b07ac0 100644 --- a/nixos/configuration.nix +++ b/nixos/configuration.nix @@ -2,12 +2,22 @@ # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). -{ inputs, pkgs, hostname, ... }: +{ lib, inputs, pkgs, hostname, ... }: { # Bootloader. - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; + boot = { + loader = { + # Set this to true on first install. This must be false for secure boot. + systemd-boot.enable = lib.mkForce false; + efi.canTouchEfiVariables = true; + }; + + lanzaboote = { + enable = true; + pkiBundle = "/etc/secureboot"; + }; + }; # Bluetooth. hardware.bluetooth.enable = true; @@ -79,6 +89,9 @@ # Enable smart card services services.pcscd.enable = true; + # Framework firmware updating + services.fwupd.enable = true; + # Enable touchpad support (enabled default in most desktopManager). # services.xserver.libinput.enable = true; @@ -148,6 +161,7 @@ spice-protocol win-virtio win-spice + sbctl # Secure boot ]; programs._1password.enable = true;