-rw-r--r--flake.lock188
-rw-r--r--flake.nix19
-rw-r--r--labsrv01/configuration.nix26
3 files changed, 177 insertions, 56 deletions
diff --git a/flake.lock b/flake.lock
index c4e248d..78e7ff7 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,20 @@
{
"nodes": {
+ "crane": {
+ "locked": {
+ "lastModified": 1765145449,
+ "narHash": "sha256-aBVHGWWRzSpfL++LubA0CwOOQ64WNLegrYHwsVuVN7A=",
+ "owner": "ipetkov",
+ "repo": "crane",
+ "rev": "69f538cdce5955fcd47abfed4395dc6d5194c1c5",
+ "type": "github"
+ },
+ "original": {
+ "owner": "ipetkov",
+ "repo": "crane",
+ "type": "github"
+ }
+ },
"disko": {
"inputs": {
"nixpkgs": [
@@ -7,15 +22,16 @@
]
},
"locked": {
- "lastModified": 1766150702,
- "narHash": "sha256-P0kM+5o+DKnB6raXgFEk3azw8Wqg5FL6wyl9jD+G5a4=",
+ "lastModified": 1746728054,
+ "narHash": "sha256-eDoSOhxGEm2PykZFa/x9QG5eTH0MJdiJ9aR00VAofXE=",
"owner": "nix-community",
"repo": "disko",
- "rev": "916506443ecd0d0b4a0f4cf9d40a3c22ce39b378",
+ "rev": "ff442f5d1425feb86344c028298548024f21256d",
"type": "github"
},
"original": {
"owner": "nix-community",
+ "ref": "v1.12.0",
"repo": "disko",
"type": "github"
}
@@ -42,6 +58,22 @@
"type": "github"
}
},
+ "flake-compat": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1761588595,
+ "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=",
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5",
+ "type": "github"
+ },
+ "original": {
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "type": "github"
+ }
+ },
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
@@ -63,26 +95,73 @@
"type": "github"
}
},
+ "gitignore": {
+ "inputs": {
+ "nixpkgs": [
+ "lanzaboote",
+ "pre-commit",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1709087332,
+ "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+ "owner": "hercules-ci",
+ "repo": "gitignore.nix",
+ "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "gitignore.nix",
+ "type": "github"
+ }
+ },
"home-manager": {
"inputs": {
"nixpkgs": [
- "nixpkgs-unstable"
+ "nixpkgs-stable"
]
},
"locked": {
- "lastModified": 1767688629,
- "narHash": "sha256-kX1BVq5zoowePHssEjmpc6FNT3vVZNZaCXd7mfvCsxg=",
+ "lastModified": 1767619900,
+ "narHash": "sha256-KpoCBPvwHz3gAQtIUkohE2InRBFK3r0/FM6z5SPWfvM=",
"owner": "nix-community",
"repo": "home-manager",
- "rev": "bfaba198af72338b8dbda59887859d7a30c6643c",
+ "rev": "6bd04da47cfb48dfd15eabf08364b78ad894f5b2",
"type": "github"
},
"original": {
"owner": "nix-community",
+ "ref": "release-25.11",
"repo": "home-manager",
"type": "github"
}
},
+ "lanzaboote": {
+ "inputs": {
+ "crane": "crane",
+ "nixpkgs": [
+ "nixpkgs-stable"
+ ],
+ "pre-commit": "pre-commit",
+ "rust-overlay": "rust-overlay"
+ },
+ "locked": {
+ "lastModified": 1765382359,
+ "narHash": "sha256-RJmgVDzjRI18BWVogG6wpsl1UCuV6ui8qr4DJ1LfWZ8=",
+ "owner": "nix-community",
+ "repo": "lanzaboote",
+ "rev": "e8c096ade12ec9130ff931b0f0e25d2f1bc63607",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "ref": "v1.0.0",
+ "repo": "lanzaboote",
+ "type": "github"
+ }
+ },
"nix-vm-test": {
"inputs": {
"nixpkgs": [
@@ -117,34 +196,20 @@
"treefmt-nix": "treefmt-nix"
},
"locked": {
- "lastModified": 1766503044,
- "narHash": "sha256-DdJ0OIngRjekqXJauSQ8y9vyDO24dX8v7DiaWmxk7PU=",
+ "lastModified": 1763045507,
+ "narHash": "sha256-61zO8zsFE8C104hCTv04z6a4H8U03OEMrRAXtGsszkE=",
"owner": "nix-community",
"repo": "nixos-anywhere",
- "rev": "e86fad431cf9161ca39747972bd255897572dc3b",
+ "rev": "bad98b0685cf47eaeadcaf6787da8b51cf025693",
"type": "github"
},
"original": {
"owner": "nix-community",
+ "ref": "1.13.0",
"repo": "nixos-anywhere",
"type": "github"
}
},
- "nixos-facter-modules": {
- "locked": {
- "lastModified": 1766558141,
- "narHash": "sha256-Ud9v49ZPsoDBFuyJSQ2Mpw1ZgAH/aMwUwwzrVoetNus=",
- "owner": "numtide",
- "repo": "nixos-facter-modules",
- "rev": "e796d536e3d83de74267069e179dc620a608ed7d",
- "type": "github"
- },
- "original": {
- "owner": "numtide",
- "repo": "nixos-facter-modules",
- "type": "github"
- }
- },
"nixos-images": {
"inputs": {
"nixos-stable": [
@@ -186,49 +251,58 @@
"type": "github"
}
},
- "nixpkgs": {
+ "nixpkgs-stable": {
"locked": {
- "lastModified": 1767364772,
- "narHash": "sha256-fFUnEYMla8b7UKjijLnMe+oVFOz6HjijGGNS1l7dYaQ=",
+ "lastModified": 1767634882,
+ "narHash": "sha256-2GffSfQxe3sedHzK+sTKlYo/NTIAGzbFCIsNMUPAAnk=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "16c7794d0a28b5a37904d55bcca36003b9109aaa",
+ "rev": "3c9db02515ef1d9b6b709fc60ba9a540957f661c",
"type": "github"
},
"original": {
- "id": "nixpkgs",
- "type": "indirect"
+ "owner": "NixOS",
+ "ref": "nixos-25.11",
+ "repo": "nixpkgs",
+ "type": "github"
}
},
- "nixpkgs-stable": {
+ "nixpkgs-unstable": {
"locked": {
- "lastModified": 1764521362,
- "narHash": "sha256-M101xMtWdF1eSD0xhiR8nG8CXRlHmv6V+VoY65Smwf4=",
+ "lastModified": 1767640445,
+ "narHash": "sha256-UWYqmD7JFBEDBHWYcqE6s6c77pWdcU/i+bwD6XxMb8A=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "871b9fd269ff6246794583ce4ee1031e1da71895",
+ "rev": "9f0c42f8bc7151b8e7e5840fb3bd454ad850d8c5",
"type": "github"
},
"original": {
"owner": "NixOS",
- "ref": "25.11",
+ "ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
- "nixpkgs-unstable": {
+ "pre-commit": {
+ "inputs": {
+ "flake-compat": "flake-compat",
+ "gitignore": "gitignore",
+ "nixpkgs": [
+ "lanzaboote",
+ "nixpkgs"
+ ]
+ },
"locked": {
- "lastModified": 1767379071,
- "narHash": "sha256-EgE0pxsrW9jp9YFMkHL9JMXxcqi/OoumPJYwf+Okucw=",
- "owner": "NixOS",
- "repo": "nixpkgs",
- "rev": "fb7944c166a3b630f177938e478f0378e64ce108",
+ "lastModified": 1765016596,
+ "narHash": "sha256-rhSqPNxDVow7OQKi4qS5H8Au0P4S3AYbawBSmJNUtBQ=",
+ "owner": "cachix",
+ "repo": "pre-commit-hooks.nix",
+ "rev": "548fc44fca28a5e81c5d6b846e555e6b9c2a5a3c",
"type": "github"
},
"original": {
- "owner": "NixOS",
- "ref": "nixos-unstable",
- "repo": "nixpkgs",
+ "owner": "cachix",
+ "repo": "pre-commit-hooks.nix",
"type": "github"
}
},
@@ -236,14 +310,34 @@
"inputs": {
"disko": "disko",
"home-manager": "home-manager",
+ "lanzaboote": "lanzaboote",
"nixos-anywhere": "nixos-anywhere",
- "nixos-facter-modules": "nixos-facter-modules",
- "nixpkgs": "nixpkgs",
"nixpkgs-stable": "nixpkgs-stable",
"nixpkgs-unstable": "nixpkgs-unstable",
"sops-nix": "sops-nix"
}
},
+ "rust-overlay": {
+ "inputs": {
+ "nixpkgs": [
+ "lanzaboote",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1765075567,
+ "narHash": "sha256-KFDCdQcHJ0hE3Nt5Gm5enRIhmtEifAjpxgUQ3mzSJpA=",
+ "owner": "oxalica",
+ "repo": "rust-overlay",
+ "rev": "769156779b41e8787a46ca3d7d76443aaf68be6f",
+ "type": "github"
+ },
+ "original": {
+ "owner": "oxalica",
+ "repo": "rust-overlay",
+ "type": "github"
+ }
+ },
"sops-nix": {
"inputs": {
"nixpkgs": [
diff --git a/flake.nix b/flake.nix
index bdf840b..38013fa 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,20 +1,22 @@
{
description = "NixOS configurations development environment";
- inputs.nixpkgs-stable.url = "github:NixOS/nixpkgs/25.11";
+ inputs.nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-25.11";
inputs.nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
- inputs.disko.url = "github:nix-community/disko";
+ inputs.disko.url = "github:nix-community/disko/v1.12.0";
inputs.disko.inputs.nixpkgs.follows = "nixpkgs-stable";
- inputs.nixos-facter-modules.url = "github:numtide/nixos-facter-modules";
inputs.sops-nix.url = "github:Mic92/sops-nix";
inputs.sops-nix.inputs.nixpkgs.follows = "nixpkgs-stable";
- inputs.nixos-anywhere.url = "github:nix-community/nixos-anywhere";
+ inputs.nixos-anywhere.url = "github:nix-community/nixos-anywhere/1.13.0";
inputs.nixos-anywhere.inputs.nixpkgs.follows = "nixpkgs-stable";
- inputs.home-manager.url = "github:nix-community/home-manager";
- inputs.home-manager.inputs.nixpkgs.follows = "nixpkgs-unstable";
+ inputs.home-manager.url = "github:nix-community/home-manager/release-25.11";
+ inputs.home-manager.inputs.nixpkgs.follows = "nixpkgs-stable";
+ inputs.lanzaboote.url = "github:nix-community/lanzaboote/v1.0.0";
+ inputs.lanzaboote.inputs.nixpkgs.follows = "nixpkgs-stable";
- outputs = { self, nixpkgs, nixpkgs-stable, nixos-anywhere, ... }@inputs:
+ outputs = { self, nixpkgs-stable, nixos-anywhere, ... }@inputs:
let
+ nixpkgs = nixpkgs-stable;
systems = [ "x86_64-linux" "x86_64-darwin" "aarch64-linux" "aarch64-darwin" ];
forAllSystems = nixpkgs.lib.genAttrs systems;
in
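Review bot: `inputs.sops-nix.url = "github:Mic92/sops-nix";` is now the only input in this hunk left without a ref, while disko, nixos-anywhere, home-manager and lanzaboote are all pinned to a tag or release branch; pin it the same way, e.g. `inputs.sops-nix.url = "github:Mic92/sops-nix/<tag>";` with the tag taken from upstream. Unpinned, `nix flake update` moves the secrets module to whatever its branch head is, which is the drift the rest of this change removes. The new `lanzaboote` input is not referenced anywhere in the visible part of the `modules` list in the next hunk; if its `nixosModules` import sits outside the shown lines that is fine, otherwise the input is locked but unused. The `outputs` function continues outside the hunk.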
@@ -25,7 +27,6 @@
modules = [
inputs.disko.nixosModules.disko
./labsrv01/configuration.nix
- inputs.nixos-facter-modules.nixosModules.facter
inputs.sops-nix.nixosModules.sops
inputs.home-manager.nixosModules.home-manager
{
@@ -41,7 +42,7 @@
packages = forAllSystems (system:
let
- pkgs = nixpkgs-stable.legacyPackages.${system};
+ pkgs = nixpkgs.legacyPackages.${system};
ruby = pkgs.ruby.withPackages (ps: [
pkgs.rubyPackages.tty-command
]);
diff --git a/labsrv01/configuration.nix b/labsrv01/configuration.nix
index 9d37f38..81dae08 100644
--- a/labsrv01/configuration.nix
+++ b/labsrv01/configuration.nix
@@ -10,6 +10,7 @@
imports = [
./disk-config.nix
];
+ hardware.facter.reportPath = ./facter.json;
nix = {
extraOptions = ''
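Review bot: `hardware.facter.reportPath = ./facter.json;` refers to a file that is not part of this commit (the diffstat lists only flake.lock, flake.nix and labsrv01/configuration.nix), and the same change drops the `nixos-facter-modules` input and its `nixosModules.facter` import from flake.nix; unless `facter.json` is already tracked and the pinned nixpkgs or nixos-anywhere supplies the `hardware.facter` option, evaluation fails on this line. Add a comment above it recording where the option now comes from and how the report is regenerated, e.g. `# hardware.facter is provided by <module source>; regenerate facter.json with nixos-facter after hardware changes`. A facter report carries hardware identifiers such as serial numbers and MAC addresses, so committing it is a disclosure decision that deserves a sentence in that comment too. The `nix` attribute set that starts at the end of the hunk continues outside it.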
@@ -134,4 +135,29 @@
RemainAfterExit = true;
};
};
+
+ # Create and enroll Secure Boot keys on first boot
+ systemd.services.sbctl-setup = {
+ description = "Create and enroll Secure Boot keys";
+ wantedBy = [ "multi-user.target" ];
+ unitConfig.ConditionPathExists = "!/var/lib/sbctl/GUID";
+
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+
+ script = ''
+ echo "Creating Secure Boot keys..."
+ ${pkgs.sbctl}/bin/sbctl create-keys
+
+ # Check if we're in Setup Mode
+ if ${pkgs.sbctl}/bin/sbctl status | grep -q "Setup Mode"; then
+ echo "UEFI is in Setup Mode, enrolling keys..."
+ ${pkgs.sbctl}/bin/sbctl enroll-keys --microsoft
+ else
+ echo "WARNING: UEFI is not in Setup Mode. Please clear Secure Boot keys in UEFI and reboot."
+ fi
+ '';
+ };
}
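Review bot: The Setup Mode check in `sbctl-setup` cannot take its else branch if the pinned sbctl prints a `Setup Mode:` label in both states (current releases do), because `grep -q "Setup Mode"` matches the label rather than its value, so `enroll-keys --microsoft` is attempted unconditionally. The order of operations is also wrong: `sbctl create-keys` runs before the check, and once it has written `/var/lib/sbctl/GUID` the unit's `ConditionPathExists = "!/var/lib/sbctl/GUID"` is false forever, so after the user clears the firmware keys and reboots as the warning instructs the service never runs again, while `RemainAfterExit = true` leaves it reported active with nothing enrolled. Test the machine-readable status first, exit non-zero when the firmware is not in Setup Mode, and only then create and enroll keys; confirm the `setup_mode` field name against the pinned sbctl's `status --json` output before merging.
```nix
  # … unchanged: description, wantedBy, unitConfig.ConditionPathExists, serviceConfig …
  script = ''
    # Decide before creating keys: create-keys writes /var/lib/sbctl/GUID,
    # the path ConditionPathExists guards on, so keys created while the
    # firmware is not in Setup Mode would block every later run of this unit.
    if ! ${pkgs.sbctl}/bin/sbctl status --json | grep -q '"setup_mode": *true'; then
      echo "UEFI is not in Setup Mode. Clear Secure Boot keys in UEFI and reboot." >&2
      exit 1
    fi

    echo "Creating Secure Boot keys..."
    ${pkgs.sbctl}/bin/sbctl create-keys

    echo "UEFI is in Setup Mode, enrolling keys..."
    ${pkgs.sbctl}/bin/sbctl enroll-keys --microsoft
  '';
```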