Secure boot and fan control.

2025-03-19 15:52:18 -04:00 · 2025-03-19 15:52:18 -04:00 · 8a81ab3308
commit 8a81ab3308
parent eec2fcdafd
8 changed files with 28 additions and 11 deletions
--- a/nixos/bootloader.nix
+++ b/nixos/bootloader.nix
@ -1,14 +1,26 @@
-{ ... }:
+{ pkgs, lib, lanzaboote, ... }:

 {
-    boot.loader.grub = {
-        device = "nodev";
-        efiSupport = true;
-        useOSProber = true;
+    imports = [ lanzaboote.nixosModules.lanzaboote ];
+    
+    # boot.loader.grub = {
+    #     device = "nodev";
+    #     efiSupport = true;
+    #     useOSProber = true;
+    # };
+    boot.loader.systemd-boot.enable = lib.mkForce false;
+
+    boot.lanzaboote = {
+        enable = true;
+        pkiBundle = "/var/lib/sbctl";
    };

    boot.loader.efi.canTouchEfiVariables = true;
    boot.loader.timeout = 2;
    boot.initrd.enable = true;
    boot.initrd.systemd.enable = true;
+
+    environment.systemPackages = with pkgs; [
+        sbctl
+    ];
 }
--- a/nixos/flake.nix
+++ b/nixos/flake.nix
@ -12,13 +12,14 @@
 	    nixvim = { url = "github:nix-community/nixvim"; inputs.nixpkgs.follows = "nixpkgs"; };

        mcmojave-hyprcursor.url = "github:libadoxon/mcmojave-hyprcursor";
+        lanzaboote = { url = "github:nix-community/lanzaboote/v0.4.2"; inputs.nixpkgs.follows = "nixpkgs"; };

        home-manager = { url = "github:nix-community/home-manager"; inputs.nixpkgs.follows = "nixpkgs"; };
    };

-    outputs = { nixpkgs, home-manager, nix-colors, nixvim, ... } @ inputs: {
+    outputs = { nixpkgs, home-manager, nix-colors, nixvim, lanzaboote, ... } @ inputs: {
        nixosConfigurations.nixos = nixpkgs.lib.nixosSystem {
-            specialArgs = { inherit inputs nixvim; };
+            specialArgs = { inherit inputs nixvim lanzaboote; };
            modules = [
                ./configuration.nix
                ./hardware-configuration.nix
--- a/nixos/home.nix
+++ b/nixos/home.nix
@ -26,6 +26,8 @@
        };
    };

+    # note: nixvim needs to be enabled in the NixOS
+    # configs *before* it can be enabled here
    programs.nixvim = {
        enable = true;

--- a/nixos/hyprland.conf
+++ b/nixos/hyprland.conf
@ -177,7 +177,7 @@ input {
 $mainMod = SUPER # Sets "Windows" key as main modifier

 # Example binds, see https://wiki.hyprland.org/Configuring/Binds/ for more
-bind = $mainMod, enter, exec, $terminal
+bind = $mainMod, return, exec, $terminal
 bind = $mainMod, Q, killactive,
 bind = $mainMod SHIFT, Q, exit,
 bind = $mainMod, V, togglefloating,
--- a/nixos/kernel.nix
+++ b/nixos/kernel.nix
@ -7,7 +7,7 @@
        "quiet"
        "fbcon=nodefer"
        "vt.global_cursor_default=0"
-        "lsm=landlock,lockdown,yama,integrity,apparmor,bpf,tomoyo,selinux"
+        "lsm=apparmor,tomoyo,selinux"
        "video4linux"
        "acpi_rev_override=5"
        "security=selinux"
--- a/nixos/misc-pkgs.nix
+++ b/nixos/misc-pkgs.nix
@ -1,6 +1,8 @@
 { pkgs, ... }:

 {
+    programs.coolercontrol.enable = true;
+
    environment.systemPackages = with pkgs; [
        cmake
        gcc
--- a/nixos/security.nix
+++ b/nixos/security.nix
@ -6,7 +6,6 @@
    security.pam.services.greetd.enableGnomeKeyring = true;
    security.pam.services.tuigreet.enableGnomeKeyring = true;

-
    users.users.root.hashedPassword = "!";
    
    security.tpm2 = {
--- a/nixos/services.nix
+++ b/nixos/services.nix
@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ pkgs, lib, ... }:

 {
    systemd.packages = with pkgs; [
@ -13,6 +13,7 @@
    };

    services.fwupd.enable = true;
+    services.fwupd.daemonSettings.espLocation = lib.mkForce "/boot";
    services.auto-cpufreq.enable = true;

    environment.systemPackages = with pkgs; [