diff --git a/flake.lock b/flake.lock
index 6037f2b..7f22d0a 100644
--- a/flake.lock
+++ b/flake.lock
@@ -21,6 +21,27 @@
 "type": "github"
 }
 },
+ "crane": {
+ "inputs": {
+ "nixpkgs": [
+ "lanzaboote",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1721842668,
+ "narHash": "sha256-k3oiD2z2AAwBFLa4+xfU+7G5fisRXfkvrMTCJrjZzXo=",
+ "owner": "ipetkov",
+ "repo": "crane",
+ "rev": "529c1a0b1f29f0d78fa3086b8f6a134c71ef3aaf",
+ "type": "github"
+ },
+ "original": {
+ "owner": "ipetkov",
+ "repo": "crane",
+ "type": "github"
+ }
+ },
 "darwin": {
 "inputs": {
 "nixpkgs": [
@@ -50,11 +71,11 @@
 ]
 },
 "locked": {
- "lastModified": 1725377834,
- "narHash": "sha256-tqoAO8oT6zEUDXte98cvA1saU9+1dLJQe3pMKLXv8ps=",
+ "lastModified": 1726842196,
+ "narHash": "sha256-u9h03JQUuQJ607xmti9F9Eh6E96kKUAGP+aXWgwm70o=",
 "owner": "nix-community",
 "repo": "disko",
- "rev": "e55f9a8678adc02024a4877c2a403e3f6daf24fe",
+ "rev": "51994df8ba24d5db5459ccf17b6494643301ad28",
 "type": "github"
 },
 "original": {
@@ -70,11 +91,11 @@
 "pyproject-nix": "pyproject-nix"
 },
 "locked": {
- "lastModified": 1722526955,
- "narHash": "sha256-fFS8aDnfK9Qfm2FLnQ8pqWk8FzvFEv5LvTuZTZLREnc=",
+ "lastModified": 1726523340,
+ "narHash": "sha256-Av5mdR2lAGUVdA6DJ8Anon3/FZg3DX4gl1Ff72rCpKU=",
 "owner": "nix-community",
 "repo": "dream2nix",
- "rev": "3fd4c14d3683baac8d1f94286ae14fe160888b51",
+ "rev": "b76c529f377100516c40c5b6e239a4525fdcabe0",
 "type": "github"
 },
 "original": {
@@ -115,7 +136,44 @@
 "type": "github"
 }
 },
+ "flake-compat_2": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1696426674,
+ "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+ "type": "github"
+ },
+ "original": {
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "type": "github"
+ }
+ },
 "flake-parts": {
+ "inputs": {
+ "nixpkgs-lib": [
+ "lanzaboote",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1719994518,
+ "narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=",
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "type": "github"
+ }
+ },
+ "flake-parts_2": {
 "inputs": {
 "nixpkgs-lib": "nixpkgs-lib_2"
 },
@@ -133,7 +191,7 @@
 "type": "github"
 }
 },
- "flake-parts_2": {
+ "flake-parts_3": {
 "inputs": {
 "nixpkgs-lib": [
 "nixThePlanet",
@@ -154,7 +212,7 @@
 "type": "indirect"
 }
 },
- "flake-parts_3": {
+ "flake-parts_4": {
 "inputs": {
 "nixpkgs-lib": "nixpkgs-lib_3"
 },
@@ -177,11 +235,11 @@
 "systems": "systems_2"
 },
 "locked": {
- "lastModified": 1710146030,
- "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+ "lastModified": 1726560853,
+ "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
 "owner": "numtide",
 "repo": "flake-utils",
- "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+ "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
 "type": "github"
 },
 "original": {
@@ -213,11 +271,11 @@
 "nixpkgs-lib": "nixpkgs-lib"
 },
 "locked": {
- "lastModified": 1725234343,
- "narHash": "sha256-+ebgonl3NbiKD2UD0x4BszCZQ6sTfL4xioaM49o5B3Y=",
+ "lastModified": 1726153070,
+ "narHash": "sha256-HO4zgY0ekfwO5bX0QH/3kJ/h4KvUDFZg8YpkNwIbg1U=",
 "owner": "hercules-ci",
 "repo": "flake-parts",
- "rev": "567b938d64d4b4112ee253b9274472dc3a346eb6",
+ "rev": "bcef6817a8b2aa20a5a6dbb19b43e63c5bf8619a",
 "type": "github"
 },
 "original": {
@@ -285,9 +343,31 @@
 "type": "github"
 }
 },
+ "gitignore_2": {
+ "inputs": {
+ "nixpkgs": [
+ "lanzaboote",
+ "pre-commit-hooks-nix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1709087332,
+ "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+ "owner": "hercules-ci",
+ "repo": "gitignore.nix",
+ "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "gitignore.nix",
+ "type": "github"
+ }
+ },
 "hercules-ci-effects": {
 "inputs": {
- "flake-parts": "flake-parts_2",
+ "flake-parts": "flake-parts_3",
 "nixpkgs": "nixpkgs_4"
 },
 "locked": {
@@ -353,11 +433,11 @@
 ]
 },
 "locked": {
- "lastModified": 1725863684,
- "narHash": "sha256-HmdTBpuCsw35Ii35JUKO6AE6nae+kJliQb0XGd4hoLE=",
+ "lastModified": 1726985855,
+ "narHash": "sha256-NJPGK030Y3qETpWBhj9oobDQRbXdXOPxtu+YgGvZ84o=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "be47a2bdf278c57c2d05e747a13ed31cef54a037",
+ "rev": "04213d1ce4221f5d9b40bcee30706ce9a91d148d",
 "type": "github"
 },
 "original": {
@@ -419,14 +499,39 @@
 "type": "github"
 }
 },
+ "lanzaboote": {
+ "inputs": {
+ "crane": "crane",
+ "flake-compat": "flake-compat_2",
+ "flake-parts": "flake-parts",
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "pre-commit-hooks-nix": "pre-commit-hooks-nix",
+ "rust-overlay": "rust-overlay"
+ },
+ "locked": {
+ "lastModified": 1725379389,
+ "narHash": "sha256-qS1H/5/20ewJIXmf8FN2A5KTOKKU9elWvCPwdBi1P/U=",
+ "owner": "nix-community",
+ "repo": "lanzaboote",
+ "rev": "e7bd94e0b5ff3c1e686f2101004ebf4fcea9d871",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "lanzaboote",
+ "type": "github"
+ }
+ },
 "lix": {
 "flake": false,
 "locked": {
- "lastModified": 1725846500,
- "narHash": "sha256-8tzJO3PllVPc0RYE0OfXVWlgTiJxKH1nzXsQLGyFRJ4=",
+ "lastModified": 1726905313,
+ "narHash": "sha256-jsOyXonevsNaKxM9burYc2S4JVle+VMCJ8+AAp0MDCc=",
 "ref": "refs/heads/main",
- "rev": "c14486ae8d3bbc862c625d948a6b2f4dc0927d5b",
- "revCount": 16226,
+ "rev": "5f298f74c92402a8390b01c736463b17b36277e3",
+ "revCount": 16254,
 "type": "git",
 "url": "https://git@git.lix.systems/lix-project/lix"
 },
@@ -447,11 +552,11 @@
 ]
 },
 "locked": {
- "lastModified": 1725836728,
- "narHash": "sha256-dCbHCwqrzcHlEsRilMX+KM3IfRV46ieGqDyAD3GgCSs=",
+ "lastModified": 1726631249,
+ "narHash": "sha256-b2rMO8+jKjY55d8uynX7FjV4NIPu/WzPux0kWOAzwoo=",
 "ref": "refs/heads/main",
- "rev": "353b25f0b6da5ede15206d416345a2ec4195b5c8",
- "revCount": 107,
+ "rev": "b0e6f359500d66670cc16f521e4f62d6a0a4864e",
+ "revCount": 110,
 "type": "git",
 "url": "https://git.lix.systems/lix-project/nixos-module"
 },
@@ -463,11 +568,11 @@
 "mobile-nixos": {
 "flake": false,
 "locked": {
- "lastModified": 1725601293,
- "narHash": "sha256-PLk1m0ZukClV+qrszd6WaNclpge8zGsSBTOAwYB9es4=",
+ "lastModified": 1726960027,
+ "narHash": "sha256-BJe+6Gpqu98Mhi1oAfrJK25SZvvQgfYqpmLaXvXgQ9g=",
 "owner": "NixOS",
 "repo": "mobile-nixos",
- "rev": "672f8299e484301994858d9220921309f631d616",
+ "rev": "a386813d9ec46fa32e51488f7d48c0e1bde77f8e",
 "type": "github"
 },
 "original": {
@@ -532,11 +637,11 @@
 ]
 },
 "locked": {
- "lastModified": 1725628909,
- "narHash": "sha256-xI0OSqPHcs/c/utJsU0Zvcp1VhejMI9mgwr68uHHlPs=",
+ "lastModified": 1727003835,
+ "narHash": "sha256-Cfllbt/ADfO8oxbT984MhPHR6FJBaglsr1SxtDGbpec=",
 "owner": "LnL7",
 "repo": "nix-darwin",
- "rev": "76559183801030451e200c90a1627c1d82bb4910",
+ "rev": "bd7d1e3912d40f799c5c0f7e5820ec950f1e0b3d",
 "type": "github"
 },
 "original": {
@@ -547,7 +652,7 @@
 },
 "nixThePlanet": {
 "inputs": {
- "flake-parts": "flake-parts",
+ "flake-parts": "flake-parts_2",
 "hercules-ci-effects": "hercules-ci-effects",
 "nixpkgs": [
 "nixpkgs"
@@ -571,11 +676,11 @@
 },
 "nixosHardware": {
 "locked": {
- "lastModified": 1725885300,
- "narHash": "sha256-5RLEnou1/GJQl+Wd+Bxaj7QY7FFQ9wjnFq1VNEaxTmc=",
+ "lastModified": 1726905744,
+ "narHash": "sha256-xyNtG5C+xvfsnOVEamFe9zCCnuNwk93K/TlFC/4DmCI=",
 "owner": "NixOS",
 "repo": "nixos-hardware",
- "rev": "166dee4f88a7e3ba1b7a243edb1aca822f00680e",
+ "rev": "b493dfd4a8cf9552932179e56ff3b5819a9b8381",
 "type": "github"
 },
 "original": {
@@ -712,6 +817,22 @@
 "type": "github"
 }
 },
+ "nixpkgs-stable_2": {
+ "locked": {
+ "lastModified": 1720386169,
+ "narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "194846768975b7ad2c4988bdb82572c00222c0d7",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-24.05",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "nixpkgs_2": {
 "locked": {
 "lastModified": 1720181791,
@@ -761,11 +882,11 @@
 },
 "nixpkgs_5": {
 "locked": {
- "lastModified": 1726745986,
- "narHash": "sha256-xB35C2fpz7iyNcj9sn0a+wM2C4CQ6DGTn5VUHogstYs=",
+ "lastModified": 1727007089,
+ "narHash": "sha256-vsyRYF7MSJE5FHrQdcY3g+CORy6K/6NW+Cw00+VvNy0=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "268bb5090a3c6ac5e1615b38542a868b52ef8088",
+ "rev": "9c711566cde5929768e311413eaa2399631624ce",
 "type": "github"
 },
 "original": {
@@ -874,6 +995,33 @@
 "type": "gitlab"
 }
 },
+ "pre-commit-hooks-nix": {
+ "inputs": {
+ "flake-compat": [
+ "lanzaboote",
+ "flake-compat"
+ ],
+ "gitignore": "gitignore_2",
+ "nixpkgs": [
+ "lanzaboote",
+ "nixpkgs"
+ ],
+ "nixpkgs-stable": "nixpkgs-stable_2"
+ },
+ "locked": {
+ "lastModified": 1721042469,
+ "narHash": "sha256-6FPUl7HVtvRHCCBQne7Ylp4p+dpP3P/OYuzjztZ4s70=",
+ "owner": "cachix",
+ "repo": "pre-commit-hooks.nix",
+ "rev": "f451c19376071a90d8c58ab1a953c6e9840527fd",
+ "type": "github"
+ },
+ "original": {
+ "owner": "cachix",
+ "repo": "pre-commit-hooks.nix",
+ "type": "github"
+ }
+ },
 "purescript-overlay": {
 "inputs": {
 "nixpkgs": [
@@ -916,7 +1064,7 @@
 "rock5b": {
 "inputs": {
 "fan-control": "fan-control",
- "flake-parts": "flake-parts_3",
+ "flake-parts": "flake-parts_4",
 "kernel-src": "kernel-src",
 "nixpkgs": "nixpkgs_6",
 "nixpkgs-kernel": "nixpkgs-kernel",
@@ -948,6 +1096,7 @@
 "homeManager": "homeManager",
 "homeManagerGitWorkspace": "homeManagerGitWorkspace",
 "impermanence": "impermanence",
+ "lanzaboote": "lanzaboote",
 "lix": "lix",
 "lix-module": "lix-module",
 "mobile-nixos": "mobile-nixos",
@@ -961,6 +1110,27 @@
 "vscode-server": "vscode-server"
 }
 },
+ "rust-overlay": {
+ "inputs": {
+ "nixpkgs": [
+ "lanzaboote",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1722219664,
+ "narHash": "sha256-xMOJ+HW4yj6e69PvieohUJ3dBSdgCfvI0nnCEe6/yVc=",
+ "owner": "oxalica",
+ "repo": "rust-overlay",
+ "rev": "a6fbda5d9a14fb5f7c69b8489d24afeb349c7bb4",
+ "type": "github"
+ },
+ "original": {
+ "owner": "oxalica",
+ "repo": "rust-overlay",
+ "type": "github"
+ }
+ },
 "scss-reset": {
 "flake": false,
 "locked": {
@@ -1089,11 +1259,11 @@
 ]
 },
 "locked": {
- "lastModified": 1725271838,
- "narHash": "sha256-VcqxWT0O/gMaeWTTjf1r4MOyG49NaNxW4GHTO3xuThE=",
+ "lastModified": 1726734507,
+ "narHash": "sha256-VUH5O5AcOSxb0uL/m34dDkxFKP6WLQ6y4I1B4+N3L2w=",
 "owner": "numtide",
 "repo": "treefmt-nix",
- "rev": "9fb342d14b69aefdf46187f6bb80a4a0d97007cd",
+ "rev": "ee41a466c2255a3abe6bc50fc6be927cdee57a9f",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index d4bf146..65cf299 100644
--- a/flake.nix
+++ b/flake.nix
@@ -55,6 +55,10 @@
 };
 impermanence.url = "github:nix-community/impermanence";
 vscode-server.url = "github:nix-community/nixos-vscode-server";
+ lanzaboote = {
+ url = "github:nix-community/lanzaboote";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
 outputs =
diff --git a/hosts/default.nix b/hosts/default.nix
index 748d6a4..18e0bc7 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
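Review bot: Only `nixpkgs` is overridden for the new `lanzaboote` input; its other transitive inputs (`crane`, `flake-parts`, `flake-compat`, `rust-overlay`, `pre-commit-hooks-nix` and, via the latter, a separate `nixpkgs-stable` pinned to `nixos-24.05`) are locked as independent copies in the flake.lock hunks above. Each of those is one more pinned upstream to keep updated, and `pre-commit-hooks-nix` with its own nixpkgs looks like a development-only dependency of lanzaboote rather than something this system needs at evaluation time. If the root flake already declares a `flake-parts` input, `inputs.flake-parts.follows = "flake-parts";` would deduplicate that copy, and `inputs.pre-commit-hooks-nix.follows = "";` is worth trying to drop the dev-only input if lanzaboote's NixOS module does not reference it. The enclosing `inputs` attribute set starts and ends outside the hunk.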
@@ -11,66 +11,6 @@ nixOnDroidHosts.janeway = {
 };
 hosts = {
- # thinkpad = {
- # extraModules = with inputs; [
- # nixosHardware.nixosModules.lenovo-thinkpad-x1-7th-gen
- # buildbot-nix.nixosModules.buildbot-master
- # buildbot-nix.nixosModules.buildbot-worker
- # ];
- # extraHmModules = with inputs; [
- # ccrEmacs.hmModules.default
- # {
- # # TODO: remove after https://github.com/nix-community/home-manager/pull/3811
- # imports = let
- # hmModules = "${inputs.homeManagerGitWorkspace}/modules";
- # in [
- # "${hmModules}/services/git-workspace.nix"
- # ];
- # }
- # ];
- # overlays = [inputs.nil.overlays.default];
- # secrets = {
- # "thinkpad-wireguard-private-key" = {};
- # "cachix-personal-token".owner = "ccr";
- # "autistici-password".owner = "ccr";
- # "git-workspace-tokens".owner = "ccr";
- # "chatgpt-token".owner = "ccr";
- # };
- # };
- # rock5b = {
- # system = "aarch64-linux";
- # extraModules = with inputs; [
- # disko.nixosModules.disko
- # rock5b.nixosModules.default
- # ];
- # secrets = {
- # "rock5b-wireguard-private-key" = {};
- # "hercules-ci-join-token".owner = "hercules-ci-agent";
- # "hercules-ci-binary-caches".owner = "hercules-ci-agent";
- # "cachix-personal-token".owner = "ccr";
- # "home-planimetry".owner = "hass";
- # "cloudflare-dyndns-api-token" = {};
- # # "nextcloud-admin-pass".owner = "nextcloud";
- # # "aws-credentials" = {};
- # };
- # colmena.deployment.buildOnTarget = true;
- # };
- # pbp = {
- # system = "aarch64-linux";
- # extraModules = with inputs; [
- # nixosHardware.nixosModules.pine64-pinebook-pro
- # disko.nixosModules.disko
- # ];
- # extraHmModules = [
- # inputs.ccrEmacs.hmModules.default
- # ];
- # secrets = {
- # "pbp-wireguard-private-key" = {};
- # "cachix-personal-token".owner = "ccr";
- # "chatgpt-token".owner = "ccr";
- # };
- # };
-
 deltaflyer = {
 nixpkgs = let
@@ -106,7 +46,6 @@
 inputs.lix-module.nixosModules.default
 ];
 extraHmModules = [
- # inputs.ccrEmacs.hmModules.default
 "${inputs.homeManagerGitWorkspace}/modules/services/git-workspace.nix"
 ];
 secrets = {
@@ -128,7 +67,7 @@
 inputs.disko.nixosModules.disko
 inputs.nixThePlanet.nixosModules.macos-ventura
 inputs.lix-module.nixosModules.default
- # inputs.hercules-ci-agent.nixosModules.agent-service
+ inputs.lanzaboote.nixosModules.lanzaboote
 ];
 extraHmModules = [
 # inputs.ccrEmacs.hmModules.default
@@ -139,13 +78,9 @@
 "picard-wireguard-private-key" = { };
 "chatgpt-token".owner = "ccr";
 "cachix-personal-token".owner = "ccr";
- "hercules-ci-join-token".owner = "hercules-ci-agent";
- "hercules-ci-binary-caches".owner = "hercules-ci-agent";
- "hercules-ci-secrets-json".owner = "hercules-ci-agent";
 "git-workspace-tokens".owner = "ccr";
 "autistici-password".owner = "ccr";
 "restic-hetzner-password" = { };
- "aws-credentials".owner = "hercules-ci-agent";
 "forgejo-runners-token".owner = "nixuser";
 "forgejo-nix-access-tokens".owner = "nixuser";
 };
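Review bot: `inputs.lanzaboote.nixosModules.lanzaboote` is added to picard's module list here while the matching `boot.lanzaboote` settings live in hosts/picard/default.nix, so a one-line comment next to the import, `# Secure Boot via lanzaboote; boot.lanzaboote is set in hosts/picard/default.nix`, would tie the two halves together for the next reader. The hercules-ci decommissioning this hunk is part of (the already-disabled agent module line here, the `hercules-ci-join-token`, `hercules-ci-binary-caches`, `hercules-ci-secrets-json` and `aws-credentials` entries removed in the next hunk, and the `"hercules-ci"` entry dropped in hosts/picard/default.nix) only stops deploying those credentials; the encrypted files behind the `secrets` set and the tokens themselves are presumably still valid, so they should be revoked at the issuer and deleted from the secret store as a follow-up. The enclosing host attribute set starts and ends outside the hunk.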
@@ -160,26 +95,16 @@
 extraModules = with inputs; [
 disko.nixosModules.disko
 impermanence.nixosModules.impermanence
- # lix-module.nixosModules.default
- # inputs.hercules-ci-agent.nixosModules.agent-service;
- # rock5b.nixosModules.default
 ];
 secrets = {
 "sisko-wireguard-private-key" = { };
- "hercules-ci-join-token".owner = "hercules-ci-agent";
- "hercules-ci-binary-caches".owner = "hercules-ci-agent";
- "hercules-ci-secrets-json".owner = "hercules-ci-agent";
 "cachix-personal-token".owner = "ccr";
 "home-planimetry".owner = "hass";
 "home-assistant-token".owner = "prometheus";
 "grafana-password".owner = "grafana";
 "cloudflare-dyndns-api-token" = { };
 "restic-hetzner-password" = { };
- # "minio-credentials".owner = "minio";
- # "aws-credentials".owner = "hercules-ci-agent";
 "hass-ssh-key".owner = "hass";
- # "matrix-registration-shared-secret".owner = "matrix-synapse";
- # "matrix-sliding-sync-secret".owner = "matrix-synapse";
 "autistici-password" = {
 # FIXME terrible, should create a third ad-hoc group
 owner = "grafana";
diff --git a/hosts/picard/default.nix b/hosts/picard/default.nix
index 8f4be62..509a13a 100644
--- a/hosts/picard/default.nix
+++ b/hosts/picard/default.nix
@@ -26,7 +26,6 @@
 "waydroid"
 "virt-manager"
 "ssh-initrd"
- "hercules-ci"
 "printing"
 "pam"
 "wireguard-client"
@@ -129,12 +128,15 @@
 boot.loader.efi.canTouchEfiVariables = true;
 boot.loader.systemd-boot = {
+ enable = lib.mkForce false; # needed by lanzaboote
+ };
+ boot.lanzaboote = {
 enable = true;
+ pkiBundle = "/etc/secureboot";
 configurationLimit = 20;
 };
- # boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_8;
- boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+ boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_10;
 networking.hostId = "5b02e763";
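Review bot: `boot.kernelPackages` moves from `config.boot.zfs.package.latestCompatibleLinuxPackages` to a hard pin on `linux_6_10` with no comment saying why, so the previous guarantee that the kernel is one the ZFS module builds against becomes a manual responsibility, and 6.10 is not an LTS series, so the pin will stop receiving fixes once nixpkgs drops it. Record the motivation inline, e.g. `# pinned (latestCompatibleLinuxPackages is deprecated); must stay ZFS-compatible — revisit when 6.10 leaves nixpkgs`, adjusted if the reason was different. The new `boot.lanzaboote` block points `pkiBundle` at `/etc/secureboot`, but nothing in the hunk shows how those signing keys are created or protected, and the whole Secure Boot chain depends on them staying root-only and matching what is enrolled in firmware; a comment such as `# signing keys provisioned out-of-band (e.g. sbctl), not managed by this flake` would make that assumption explicit. The enclosing module attribute set starts and ends outside the hunk.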