Update secrets config

Secureboot stuff
Add secureboot stuff
2025-06-10 22:34:22 -04:00 · 2025-06-10 15:24:04 -04:00 · 2025-06-10 15:10:43 -04:00
7 changed files with 228 additions and 35 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -3,9 +3,11 @@ keys:
      - &chase age19uwxm2gynhjl9m90gckrkh76m9hjut44ak6d8969y4swhz8ypyeqvfcaas
    - &hosts:
      - &anzu age1wdjujpvc2zd0g592a9gqa7qzz4pcans8m0tyq3m6eq9np9a3lg2s8kxf3h
+      - &ichigo age1hpcyetyl0yrwxy0geem6z2u2kwl4hmckur7pnaaxwaylf8ata9vsv8j3wh
 creation_rules:
    - path_regex: secrets.yaml$
      key_groups:
        - age:
          - *chase
          - *anzu
+          - *ichigo
--- a/flake.lock
+++ b/flake.lock
@@ -51,6 +51,21 @@
        "type": "github"
      }
    },
+    "crane": {
+      "locked": {
+        "lastModified": 1731098351,
+        "narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=",
+        "owner": "ipetkov",
+        "repo": "crane",
+        "rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ipetkov",
+        "repo": "crane",
+        "type": "github"
+      }
+    },
    "flake-compat": {
      "flake": false,
      "locked": {
@@ -67,7 +82,44 @@
        "type": "github"
      }
    },
+    "flake-compat_2": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1730504689,
+        "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "506278e768c2a08bec68eb62932193e341f55c90",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-parts_2": {
      "inputs": {
        "nixpkgs-lib": [
          "nur",
@@ -110,6 +162,28 @@
        "type": "github"
      }
    },
+    "gitignore_2": {
+      "inputs": {
+        "nixpkgs": [
+          "lanzaboote",
+          "pre-commit-hooks-nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
@@ -117,11 +191,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1749400020,
-        "narHash": "sha256-0nTmHO8AYgRYk5v6zw5oZ3x9nh+feb+Isn7WNe318M0=",
+        "lastModified": 1749526396,
+        "narHash": "sha256-UL9F76abAk87llXOrcQRjhd5OaOclUd6MIltsqcUZmo=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "2835e8ba0ad99ba86d4a5e497a962ec9fa35e48f",
+        "rev": "427c96044f11a5da50faf6adaf38c9fa47e6d044",
        "type": "github"
      },
      "original": {
@@ -226,11 +300,11 @@
        "xdph": "xdph"
      },
      "locked": {
-        "lastModified": 1749410258,
-        "narHash": "sha256-C7X/mLccrPd87iJTRlamCsFXfWr1uFrZ3uIHFpqzw+o=",
+        "lastModified": 1749540031,
+        "narHash": "sha256-11k6hq/4Tao2PNBFQpSNTlFFKmKGswL17caKuZIE0sM=",
        "owner": "hyprwm",
        "repo": "Hyprland",
-        "rev": "231e01e39b187d9a84b4a27871eb2bc4fb5c7d84",
+        "rev": "6bdb1f413e4c592f73d91bef33dfb202503ef7ab",
        "type": "github"
      },
      "original": {
@@ -411,6 +485,32 @@
        "type": "github"
      }
    },
+    "lanzaboote": {
+      "inputs": {
+        "crane": "crane",
+        "flake-compat": "flake-compat_2",
+        "flake-parts": "flake-parts",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "pre-commit-hooks-nix": "pre-commit-hooks-nix",
+        "rust-overlay": "rust-overlay"
+      },
+      "locked": {
+        "lastModified": 1737639419,
+        "narHash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU=",
+        "owner": "nix-community",
+        "repo": "lanzaboote",
+        "rev": "a65905a09e2c43ff63be8c0e86a93712361f871e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "v0.4.2",
+        "repo": "lanzaboote",
+        "type": "github"
+      }
+    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1744463964,
@@ -429,11 +529,27 @@
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1749237914,
-        "narHash": "sha256-N5waoqWt8aMr/MykZjSErOokYH6rOsMMXu3UOVH5kiw=",
+        "lastModified": 1730741070,
+        "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "70c74b02eac46f4e4aa071e45a6189ce0f6d9265",
+        "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-24.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-stable_2": {
+      "locked": {
+        "lastModified": 1749494155,
+        "narHash": "sha256-FG4DEYBpROupu758beabUk9lhrblSf5hnv84v1TLqMc=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "88331c17ba434359491e8d5889cce872464052c2",
        "type": "github"
      },
      "original": {
@@ -477,18 +593,18 @@
    },
    "nur": {
      "inputs": {
-        "flake-parts": "flake-parts",
+        "flake-parts": "flake-parts_2",
        "nixpkgs": [
          "nixpkgs"
        ],
        "treefmt-nix": "treefmt-nix"
      },
      "locked": {
-        "lastModified": 1749442228,
-        "narHash": "sha256-7G5q8gvYXZG5xeVg/R3VRCOMHGdpPZbpjV5VXF9Ihxw=",
+        "lastModified": 1749581904,
+        "narHash": "sha256-QAzSbQuxaqM33WoOGCvwKlpuGPoN1RLAJOllz/Kli0I=",
        "owner": "nix-community",
        "repo": "NUR",
-        "rev": "8d54c4ce87a10f83c9ca0d9c76f7847b5e0e000a",
+        "rev": "7f891b80637b9dc6b4254714e9cb6b435be31f86",
        "type": "github"
      },
      "original": {
@@ -543,19 +659,68 @@
        "type": "github"
      }
    },
+    "pre-commit-hooks-nix": {
+      "inputs": {
+        "flake-compat": [
+          "lanzaboote",
+          "flake-compat"
+        ],
+        "gitignore": "gitignore_2",
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1731363552,
+        "narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=",
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "type": "github"
+      }
+    },
    "root": {
      "inputs": {
        "catppuccin": "catppuccin",
        "home-manager": "home-manager",
        "home-manager-stable": "home-manager-stable",
        "hyprland": "hyprland",
+        "lanzaboote": "lanzaboote",
        "nixpkgs": "nixpkgs_3",
-        "nixpkgs-stable": "nixpkgs-stable",
+        "nixpkgs-stable": "nixpkgs-stable_2",
        "nur": "nur",
        "plasma-manager": "plasma-manager",
        "sops-nix": "sops-nix"
      }
    },
+    "rust-overlay": {
+      "inputs": {
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1731897198,
+        "narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "0be641045af6d8666c11c2c40e45ffc9667839b5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    },
    "sops-nix": {
      "inputs": {
        "nixpkgs": [
--- a/flake.nix
+++ b/flake.nix
@@ -1,15 +1,26 @@
 {
-  description = "A simple NixOS flake";
+  description = "SecureBoot-enabled NixOS config";

  inputs = {
-    # NixOS official package source, using unstable here
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-25.05";
+
+    home-manager = {
+      url = "github:nix-community/home-manager/master";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    home-manager-stable = {
+      url = "github:nix-community/home-manager/release-25.05";
+      inputs.nixpkgs.follows = "nixpkgs-stable";
+    };
+
    nur = {
      url = "github:nix-community/NUR";
      inputs.nixpkgs.follows = "nixpkgs";
    };
-    home-manager = {
-      url = "github:nix-community/home-manager/master";
+
+    lanzaboote = {
+      url = "github:nix-community/lanzaboote/v0.4.2";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    sops-nix = {
@@ -17,12 +28,6 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };

-    nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-25.05";
-    home-manager-stable = {
-      url = "github:nix-community/home-manager/release-25.05";
-      inputs.nixpkgs.follows = "nixpkgs-stable";
-    };
-
    catppuccin.url = "github:catppuccin/nix";
    hyprland.url = "github:hyprwm/Hyprland";
    plasma-manager = {
@@ -35,6 +40,7 @@
  outputs = {
    self,
    catppuccin,
+    lanzaboote,
    nur,
    plasma-manager,
    sops-nix,
@@ -107,7 +113,7 @@
        host = hosts.anzu;
        nixpkgs = inputs.nixpkgs;
        home-manager = inputs.home-manager;
-        modules = [];
+        modules = [lanzaboote.nixosModules.lanzaboote];
      };
      ichigo = mkNixOSConfigurations {
        host = hosts.ichigo;
--- a/home/hypr.nix
+++ b/home/hypr.nix
@@ -51,6 +51,7 @@
    brightnessctl
    helvum
  ];
+
  services.hyprpolkitagent.enable = true;

  services.hyprsunset.enable = true;
@@ -63,6 +64,8 @@
    };
  };

+  services.network-manager-applet.enable = true;
+
  wayland.windowManager.hyprland = {
    enable = false;
    package = null;
--- a/hosts/anzu/configuration.nix
+++ b/hosts/anzu/configuration.nix
@@ -1,5 +1,6 @@
 {
  config,
+  lib,
  pkgs,
  ...
 }: {
@@ -29,5 +30,11 @@
    #in ["${automount_opts},credentials=/etc/nixos/smb-secrets,uid=1000,gid=100"];
  };

+  boot.loader.systemd-boot.enable = lib.mkForce false;
+
+  boot.lanzaboote = {
+    enable = true;
+    pkiBundle = "/var/lib/sbctl";
+  };
  system.stateVersion = "24.11";
 }
--- a/nixos/base.nix
+++ b/nixos/base.nix
@@ -162,6 +162,7 @@
    python3
    qemu
    rustup
+    sbctl
    usbutils
    wget
    yubikey-manager
--- a/secrets.yaml
+++ b/secrets.yaml
@@ -5,20 +5,29 @@ sops:
        - recipient: age19uwxm2gynhjl9m90gckrkh76m9hjut44ak6d8969y4swhz8ypyeqvfcaas
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiaFZIL1UzQWJlcG5hN29q
-            YTVqeXAyY05nWDJyNHZIdlNrUWFDbmZBakFRCkQwUG40MTJaZE5obldBNG9YVUlq
-            NEVRMTl3RnhkSno3ck5NcjAwVVV2T2sKLS0tIHozVmdCWVcvcm9HZisycHlXejNM
-            aitVV05pZ29Kb2N0OFZxZ0R0Q2RrcWsKuCuZvI6mWOlqnoWvYsGNZ0DyrutWjBiX
-            0r5nrOw0Fp3P5YJyHss0of/aU116gTUYxJn6zqHTqKfDGRAu8kcI7Q==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaKzlYVzI5U04xbU05L28z
+            ZGQvTG15T0t5dmgvbitxS204anBpMVROaGtvCkdJQlVmeGpCcjEyRlJRaWN6WEJv
+            eVJ2N0RmS2ZxMGNLTHd5bUxFY2ZmdEUKLS0tIGEvM2wzZE5yd3dvSk5KRGpQbU5C
+            dmh3d3RPbS9WSmF2bm12VHhwNUZ4SUEK0+efCtnuIIhotR92BNaEPyq5bGwadClp
+            pEf2CRhTaSGiPHK+VRDy1X+pW+q9Jxu5Z7jesjGLdH8ypW5lpYjc3Q==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1wdjujpvc2zd0g592a9gqa7qzz4pcans8m0tyq3m6eq9np9a3lg2s8kxf3h
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0dDBCQmFuTUJ1Ym5OTlRh
-            UDFMd3ZKQjFrUTBZOVB2UmpSbkVRdk82WEVNCmRlVkFJZHpNbzVIbjgrN1BTb0Uv
-            TTlXUEhZUUtWa3hlSVR1endieExOTjQKLS0tIGJTTWlHVnNtZHRZOVkrS0NxL3do
-            aVFNTW8yeEUvb2tLcnRpUFltSVlZVXMKSnKkMhnW7/ZOW/LkBGJZvrfE6lUT1TrB
-            O83/WxPsN5mFz9WxqKevPNlLJaPwqJQjAS2TRYlya3uvGydpJoV7+g==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2NGdjbm43T2NaK3krWmtB
+            eHJMK0xyZVFGWndabmJ5aDJiRm05dlJRUlJBClZJY2Zmc0xHUXFFbHJ0dEhDN1Zh
+            SVppL0pWRm9VbFBtempIRHQzOXR2dzgKLS0tIExxTFJMV2NBajdWNkRKSmR4YUFj
+            MVFubkgwWFJ2cEtWUVJCc2JvWU9NSGcKcsGs3q55cJ4dp1mdo7KOQWqF98uPsZOF
+            zFm7oJh6LwbHJarz2m3mlUGBded4ndYrsyJbh2NjHyfUvz2XZgZRkg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1hpcyetyl0yrwxy0geem6z2u2kwl4hmckur7pnaaxwaylf8ata9vsv8j3wh
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZWGNlNmdhVlRXRlN3OXo4
+            dEVTL01uenhEY1VVMkRveGQrQXQ2TXlvSWpZCnRoVjI2TDRpbE1FVVNMTytMb3A2
+            cjN0T2UyYm9idmg5dkdFUWp1a3ZHQXcKLS0tIFpnYS8veEVGMkFkMzlibHRUUUxF
+            TVpjTzArTkRGVFhHdzVHdWNSYm5EZjAK6iwQI8usDMhdHdphcJeoxeeidcbto1d0
+            NFId4dYlrplJmkI7Og8bIxLqnaEw7enIsTz49LjLdKPRDfQB+PkEJw==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-06-08T19:43:47Z"
    mac: ENC[AES256_GCM,data:9YpgBrJwWhz2utNPldpIU/ylaN2QfkSj1LvWa8sISSnuXvsBsZ8a+oNzuGDd5+Q1pSYtoiBt6viqZn65wp8x+kb9ZMJdsWoZZG2U1b3rHUsadOYarvwMVDoQ5TZFFjEOyzyCgT7ln6v1rfAKwL5LJ3Kjv6SRIb9dK51sDsVijhQ=,iv:yTlxgZoOdB7pu5iZKP+q1cXbDsTT5HgsWo4tkix8948=,tag:qJbiq+Fayx5L9V7to1ijvQ==,type:str]
Author	SHA1	Message	Date
chase	3c470b9a1b	Update secrets config	2025-06-10 22:34:22 -04:00
chase	d2608f594e	Secureboot stuff	2025-06-10 15:24:04 -04:00
chase	f2b4c60bad	Add secureboot stuff	2025-06-10 15:10:43 -04:00