shahab/nix-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: NixOS | add secure boot and nixos-hardware flake

Browse Source
This commit is contained in:
Shahab Dogar
2025-02-02 16:11:14 +05:00
parent 296fb3cd99
commit ac6ac36aa4
3 changed files with 235 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

203
flake.lock generated
View File

@@ -33,6 +33,41 @@
"type": "github" "type": "github"
} }
}, },
"crane": {
"locked": {
"lastModified": 1731098351,
"narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=",
"owner": "ipetkov",
"repo": "crane",
"rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1738148035,
"narHash": "sha256-KYOATYEwaKysL3HdHdS5kbQMXvzS4iPJzJrML+3TKAo=",
"owner": "nix-community",
"repo": "disko",
"rev": "18d0a984cc2bc82cf61df19523a34ad463aa7f54",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
@@ -49,6 +84,43 @@
"type": "github" "type": "github"
} }
}, },
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1730504689,
"narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "506278e768c2a08bec68eb62932193e341f55c90",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"gitignore": { "gitignore": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@@ -71,6 +143,28 @@
"type": "github" "type": "github"
} }
}, },
"gitignore_2": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"pre-commit-hooks-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"home-manager": { "home-manager": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@@ -282,6 +376,48 @@
"type": "github" "type": "github"
} }
}, },
"lanzaboote": {
"inputs": {
"crane": "crane",
"flake-compat": "flake-compat_2",
"flake-parts": "flake-parts",
"nixpkgs": [
"nixpkgs"
],
"pre-commit-hooks-nix": "pre-commit-hooks-nix",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1737639419,
"narHash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU=",
"owner": "nix-community",
"repo": "lanzaboote",
"rev": "a65905a09e2c43ff63be8c0e86a93712361f871e",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "v0.4.2",
"repo": "lanzaboote",
"type": "github"
}
},
"nixos-hardware": {
"locked": {
"lastModified": 1738471961,
"narHash": "sha256-cgXDFrplNGs7bCVzXhRofjD8oJYqqXGcmUzXjHmip6Y=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "537286c3c59b40311e5418a180b38034661d2536",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "master",
"repo": "nixos-hardware",
"type": "github"
}
},
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1732758367, "lastModified": 1732758367,
@@ -314,6 +450,22 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-stable_2": {
"locked": {
"lastModified": 1730741070,
"narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1733261153, "lastModified": 1733261153,
@@ -354,13 +506,64 @@
"type": "github" "type": "github"
} }
}, },
"pre-commit-hooks-nix": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"gitignore": "gitignore_2",
"nixpkgs": [
"lanzaboote",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable_2"
},
"locked": {
"lastModified": 1731363552,
"narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"disko": "disko",
"home-manager": "home-manager", "home-manager": "home-manager",
"hyprland": "hyprland", "hyprland": "hyprland",
"lanzaboote": "lanzaboote",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs_2" "nixpkgs": "nixpkgs_2"
} }
}, },
"rust-overlay": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1731897198,
"narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "0be641045af6d8666c11c2c40e45ffc9667839b5",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"systems": { "systems": {
"locked": { "locked": {
"lastModified": 1689347949, "lastModified": 1689347949,

14
flake.nix
View File

@@ -9,8 +9,18 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
# Hyprland cachix flake
hyprland.url = "github:hyprwm/Hyprland"; hyprland.url = "github:hyprwm/Hyprland";
# NixOS community managed hardware specific features/fixes
nixos-hardware.url = "github:NixOS/nixos-hardware/master";
# Secure boot
lanzaboote = {
url = "github:nix-community/lanzaboote/v0.4.2";
inputs.nixpkgs.follows = "nixpkgs";
};
# Disko # Disko
disko = { disko = {
url = "github:nix-community/disko"; url = "github:nix-community/disko";
@@ -23,6 +33,8 @@
nixpkgs, nixpkgs,
home-manager, home-manager,
disko, disko,
lanzaboote,
nixos-hardware,
... ...
} @ inputs: } @ inputs:
let let
@@ -35,7 +47,9 @@
"${host}" = nixpkgs.lib.nixosSystem { "${host}" = nixpkgs.lib.nixosSystem {
inherit system; inherit system;
modules = [ modules = [
lanzaboote.nixosModules.lanzaboote
disko.nixosModules.disko disko.nixosModules.disko
nixos-hardware.nixosModules.framework-13-7040-amd
./nixos/configuration.nix ./nixos/configuration.nix
./nixos/disko-config.nix ./nixos/disko-config.nix
./nixos/hardware-configuration.nix ./nixos/hardware-configuration.nix

20
nixos/configuration.nix
View File

@@ -2,12 +2,22 @@
# your system. Help is available in the configuration.nix(5) man page # your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help). # and in the NixOS manual (accessible by running nixos-help).
{ inputs, pkgs, hostname, ... }: { lib, inputs, pkgs, hostname, ... }:
{ {
# Bootloader. # Bootloader.
boot.loader.systemd-boot.enable = true; boot = {
boot.loader.efi.canTouchEfiVariables = true; loader = {
# Set this to true on first install. This must be false for secure boot.
systemd-boot.enable = lib.mkForce false;
efi.canTouchEfiVariables = true;
};
lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
};
};
# Bluetooth. # Bluetooth.
hardware.bluetooth.enable = true; hardware.bluetooth.enable = true;
@@ -79,6 +89,9 @@
# Enable smart card services # Enable smart card services
services.pcscd.enable = true; services.pcscd.enable = true;
# Framework firmware updating
services.fwupd.enable = true;
# Enable touchpad support (enabled default in most desktopManager). # Enable touchpad support (enabled default in most desktopManager).
# services.xserver.libinput.enable = true; # services.xserver.libinput.enable = true;
@@ -148,6 +161,7 @@
spice-protocol spice-protocol
win-virtio win-virtio
win-spice win-spice
sbctl # Secure boot
]; ];
programs._1password.enable = true; programs._1password.enable = true;