aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--flake.lock165
-rw-r--r--flake.nix25
2 files changed, 189 insertions, 1 deletions
diff --git a/flake.lock b/flake.lock
index 9492304..b91eca7 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,20 @@
{
"nodes": {
+ "crane": {
+ "locked": {
+ "lastModified": 1731098351,
+ "narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=",
+ "owner": "ipetkov",
+ "repo": "crane",
+ "rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28",
+ "type": "github"
+ },
+ "original": {
+ "owner": "ipetkov",
+ "repo": "crane",
+ "type": "github"
+ }
+ },
"disko": {
"inputs": {
"nixpkgs": [
@@ -20,6 +35,43 @@
"type": "github"
}
},
+ "flake-compat": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1696426674,
+ "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+ "type": "github"
+ },
+ "original": {
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "type": "github"
+ }
+ },
+ "flake-parts": {
+ "inputs": {
+ "nixpkgs-lib": [
+ "lanzaboote",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1730504689,
+ "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "rev": "506278e768c2a08bec68eb62932193e341f55c90",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "type": "github"
+ }
+ },
"flake-utils": {
"inputs": {
"systems": "systems"
@@ -38,6 +90,54 @@
"type": "github"
}
},
+ "gitignore": {
+ "inputs": {
+ "nixpkgs": [
+ "lanzaboote",
+ "pre-commit-hooks-nix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1709087332,
+ "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+ "owner": "hercules-ci",
+ "repo": "gitignore.nix",
+ "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "gitignore.nix",
+ "type": "github"
+ }
+ },
+ "lanzaboote": {
+ "inputs": {
+ "crane": "crane",
+ "flake-compat": "flake-compat",
+ "flake-parts": "flake-parts",
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "pre-commit-hooks-nix": "pre-commit-hooks-nix",
+ "rust-overlay": "rust-overlay"
+ },
+ "locked": {
+ "lastModified": 1737639419,
+ "narHash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU=",
+ "owner": "nix-community",
+ "repo": "lanzaboote",
+ "rev": "a65905a09e2c43ff63be8c0e86a93712361f871e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "ref": "v0.4.2",
+ "repo": "lanzaboote",
+ "type": "github"
+ }
+ },
"nixpkgs": {
"locked": {
"lastModified": 1744463964,
@@ -54,13 +154,78 @@
"type": "github"
}
},
+ "nixpkgs-stable": {
+ "locked": {
+ "lastModified": 1730741070,
+ "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-24.05",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "pre-commit-hooks-nix": {
+ "inputs": {
+ "flake-compat": [
+ "lanzaboote",
+ "flake-compat"
+ ],
+ "gitignore": "gitignore",
+ "nixpkgs": [
+ "lanzaboote",
+ "nixpkgs"
+ ],
+ "nixpkgs-stable": "nixpkgs-stable"
+ },
+ "locked": {
+ "lastModified": 1731363552,
+ "narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=",
+ "owner": "cachix",
+ "repo": "pre-commit-hooks.nix",
+ "rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0",
+ "type": "github"
+ },
+ "original": {
+ "owner": "cachix",
+ "repo": "pre-commit-hooks.nix",
+ "type": "github"
+ }
+ },
"root": {
"inputs": {
"disko": "disko",
"flake-utils": "flake-utils",
+ "lanzaboote": "lanzaboote",
"nixpkgs": "nixpkgs"
}
},
+ "rust-overlay": {
+ "inputs": {
+ "nixpkgs": [
+ "lanzaboote",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1731897198,
+ "narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=",
+ "owner": "oxalica",
+ "repo": "rust-overlay",
+ "rev": "0be641045af6d8666c11c2c40e45ffc9667839b5",
+ "type": "github"
+ },
+ "original": {
+ "owner": "oxalica",
+ "repo": "rust-overlay",
+ "type": "github"
+ }
+ },
"systems": {
"locked": {
"lastModified": 1681028828,
diff --git a/flake.nix b/flake.nix
index cecefc3..99af226 100644
--- a/flake.nix
+++ b/flake.nix
@@ -6,6 +6,12 @@
flake-utils = {
url = "github:numtide/flake-utils";
};
+ lanzaboote = {
+ url = "github:nix-community/lanzaboote/v0.4.2";
+
+ # Optional but recommended to limit the size of your system closure.
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
disko = {
url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs";
@@ -15,6 +21,7 @@
inputs@{
self,
nixpkgs,
+ lanzaboote,
flake-utils,
...
}:
@@ -23,7 +30,23 @@
nixosConfigurations = {
hadante = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
- modules = [ ./srv/hadante/configuration.nix ];
+ modules = [
+ ./srv/hadante/configuration.nix
+ lanzaboote.nixosModules.lanzaboote
+ (
+ { pkgs, lib, ... }:
+ {
+ environment.systemPackages = [
+ pkgs.sbctl
+ ];
+ boot.loader.systemd-boot.enable = lib.mkForce false;
+ boot.lanzaboote = {
+ enable = true;
+ pkiBundle = "/var/lib/sbctl";
+ };
+ }
+ )
+ ];
};
alpha-site = nixpkgs.lib.nixosSystem {
system = "aarch64-linux";
generated by cgit (git 2.34.1) at 2026-01-16 13:07:56 +0000