diff --git a/flake.lock b/flake.lock index 572619e..4bab678 100644 --- a/flake.lock +++ b/flake.lock @@ -25,21 +25,6 @@ "type": "github" } }, - "crane": { - "locked": { - "lastModified": 1731098351, - "narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=", - "owner": "ipetkov", - "repo": "crane", - "rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28", - "type": "github" - }, - "original": { - "owner": "ipetkov", - "repo": "crane", - "type": "github" - } - }, "darwin": { "inputs": { "nixpkgs": [ @@ -102,43 +87,6 @@ "type": "github" } }, - "flake-compat": { - "flake": false, - "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-parts": { - "inputs": { - "nixpkgs-lib": [ - "lanzaboote", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1730504689, - "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "506278e768c2a08bec68eb62932193e341f55c90", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, "flake-registry": { "flake": false, "locked": { @@ -175,28 +123,6 @@ "type": "github" } }, - "gitignore": { - "inputs": { - "nixpkgs": [ - "lanzaboote", - "pre-commit-hooks-nix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1709087332, - "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", - "owner": "hercules-ci", - "repo": "gitignore.nix", - "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "gitignore.nix", - "type": "github" - } - }, "home-manager": { "inputs": { "nixpkgs": [ 
@@ -231,32 +157,6 @@ "url": "https://git.dadada.li/dadada/dadada.li/archive/main.tar.gz" } }, - "lanzaboote": { - "inputs": { - "crane": "crane", - "flake-compat": "flake-compat", - "flake-parts": "flake-parts", - "nixpkgs": [ - "nixpkgs" - ], - "pre-commit-hooks-nix": "pre-commit-hooks-nix", - "rust-overlay": "rust-overlay" - }, - "locked": { - "lastModified": 1737639419, - "narHash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU=", - "owner": "nix-community", - "repo": "lanzaboote", - "rev": "a65905a09e2c43ff63be8c0e86a93712361f871e", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "v0.4.2", - "repo": "lanzaboote", - "type": "github" - } - }, "nixlib": { "locked": { "lastModified": 1736643958, @@ -341,49 +241,6 @@ "type": "github" } }, - "nixpkgs-stable": { - "locked": { - "lastModified": 1730741070, - "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "pre-commit-hooks-nix": { - "inputs": { - "flake-compat": [ - "lanzaboote", - "flake-compat" - ], - "gitignore": "gitignore", - "nixpkgs": [ - "lanzaboote", - "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable" - }, - "locked": { - "lastModified": 1731363552, - "narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=", - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "type": "github" - } - }, "root": { "inputs": { "agenix": "agenix", @@ -393,7 +250,6 @@ "flake-utils": "flake-utils", "home-manager": "home-manager", "homepage": "homepage", - "lanzaboote": "lanzaboote", "nixos-generators": "nixos-generators", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", 
@@ -402,27 +258,6 @@ "treefmt-nix": "treefmt-nix" } }, - "rust-overlay": { - "inputs": { - "nixpkgs": [ - "lanzaboote", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1731897198, - "narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=", - "owner": "oxalica", - "repo": "rust-overlay", - "rev": "0be641045af6d8666c11c2c40e45ffc9667839b5", - "type": "github" - }, - "original": { - "owner": "oxalica", - "repo": "rust-overlay", - "type": "github" - } - }, "systems": { "locked": { "lastModified": 1681028828, diff --git a/flake.nix b/flake.nix index 73686ce..622f9f0 100644 --- a/flake.nix +++ b/flake.nix @@ -16,10 +16,6 @@ url = "github:nix-community/home-manager"; inputs.nixpkgs.follows = "nixpkgs"; }; - lanzaboote = { - url = "github:nix-community/lanzaboote/v0.4.2"; - inputs.nixpkgs.follows = "nixpkgs"; - }; nixos-hardware.url = "github:NixOS/nixos-hardware/master"; homepage = { url = "https://git.dadada.li/dadada/dadada.li/archive/main.tar.gz"; diff --git a/nixos/configurations.nix b/nixos/configurations.nix index 7a4185a..38c38da 100644 --- a/nixos/configurations.nix +++ b/nixos/configurations.nix @@ -4,7 +4,6 @@ disko, home-manager, homepage, - lanzaboote, nixos-hardware, nixos-generators, nixpkgs, @@ -41,7 +40,7 @@ in inherit nixpkgs system; extraModules = [ - lanzaboote.nixosModules.lanzaboote + # TODO lanzaboote.nixosModules.lanzaboote disko.nixosModules.disko { nixpkgs.overlays = nixpkgs.lib.attrValues self.overlays; diff --git a/nixos/stolas/default.nix b/nixos/stolas/default.nix index db1f640..10302eb 100644 --- a/nixos/stolas/default.nix +++ b/nixos/stolas/default.nix 
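Review bot: The replacement line `# TODO lanzaboote.nixosModules.lanzaboote` in `extraModules` (nixos/configurations.nix) names an attribute that no longer resolves, because the same commit drops `lanzaboote` from this file's argument set and from the inputs in flake.nix. Uncommenting it on its own will fail evaluation, so the comment should say what has to come back with it, for example `# TODO(secure-boot): restore the lanzaboote flake input and function argument, then re-add lanzaboote.nixosModules.lanzaboote`. The surrounding `extraModules` list and the configuration it belongs to start and end outside the hunk.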
@@ -9,21 +9,15 @@ nixpkgs = { hostPlatform = "x86_64-linux"; - config.allowUnfree = true; }; boot = { - lanzaboote = { - enable = true; - pkiBundle = "/var/lib/sbctl"; - }; + # TODO lanzaboote = { + # enable = true; + # pkiBundle = "/var/lib/sbctl"; + #}; kernelModules = [ "kvm-amd" ]; extraModulePackages = [ pkgs.linuxPackages.v4l2loopback ]; - # Lanzaboote currently replaces the systemd-boot module. - # This setting is usually set to true in configuration.nix - # generated at installation time. So we force it to false - # for now. - loader.systemd-boot.enable = lib.mkForce false; initrd = { availableKernelModules = [ "nvme" @@ -32,8 +26,16 @@ "usb_storage" "sd_mod" ]; + # TODO disable for lanzaboote + systemd.enable = true; + # Lanzaboote currently replaces the systemd-boot module. + # This setting is usually set to true in configuration.nix + # generated at installation time. So we force it to false + # for now. + #boot.loader.systemd-boot.enable = lib.mkForce false; luks.devices = { root = { + # TODO device = "/dev/disk/by-uuid/81dfbfa5-d578-479c-b11c-3ee5abd6848a"; allowDiscards = true; # TODO lanzaboote + TPM2 unlock with PIN https://www.freedesktop.org/software/systemd/man/251/systemd-cryptenroll.html#--tpm2-with-pin=BOOL @@ -52,7 +54,6 @@ # NOTE: hardware.framework.enableKmod requires kernel patching, but enables access to some EC features bluetooth.enable = true; cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; - enableAllFirmware = true; framework.laptop13.audioEnhancement.enable = true; graphics = { enable = true;
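Review bot: The commented-out `lanzaboote` block under `boot` turns Secure Boot signing off for this host without recording why, or what has to happen before it is turned back on; a bare `# TODO` in front of dead code tends to stay. Because the forced `loader.systemd-boot.enable = lib.mkForce false;` is removed in the same hunk, the host now depends on a boot loader being enabled somewhere outside this hunk, which is worth confirming before deploying. I would replace the commented block with one explanatory line such as `# TODO(secure-boot): lanzaboote disabled temporarily (<reason>); re-enable with pkiBundle = "/var/lib/sbctl" once <condition>`. The `boot` attribute set continues past the end of the hunk.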
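Review bot: In the `@@ -32,8 +26,16 @@` hunk, the four comment lines about the systemd-boot module and the commented `#boot.loader.systemd-boot.enable = lib.mkForce false;` now sit inside `initrd = { … }`, directly under `systemd.enable = true;`, where they read as if they described the initrd setting. Uncommented in place, that line would define an option under `boot.initrd` rather than `boot.loader`, so the comment belongs back at the `boot` level next to the lanzaboote TODO. The new `# TODO disable for lanzaboote` also looks at odds with the existing TODO about TPM2 unlock with PIN a few lines below, which as far as I know relies on systemd running in stage 1; please confirm which is intended. The lone `# TODO` above `device = …` does not say what is pending.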
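Review bot: In the `@@ -52,7 +54,6 @@` hunk, removing `enableAllFirmware = true;` may silently turn off `cpu.amd.updateMicrocode` on the context line above it, because that setting defaults to `config.hardware.enableRedistributableFirmware` and that option, as far as I know, takes its own default from `enableAllFirmware`. Unless another module outside this hunk sets it, the host would stop loading CPU microcode updates, which carry security fixes. If that is not intended, add `enableRedistributableFirmware = true;` to this `hardware` set. The `hardware` attribute set starts before and ends after the hunk.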