From 32f0512ef5f534ed23baae71c1fc881613fbe912 Mon Sep 17 00:00:00 2001
From: Dashie
Date: Fri, 2 May 2025 10:16:15 +0200
Subject: [PATCH] Secure boot and wsl (#10)
- Add secure boot via lanzaboote
- Add wsl flag
- Remove flatpak flake
---
 base/common_hardware.nix | 21 +++++++++++++++----
 docs/src/README.md | 1 -
 flake.nix | 7 ++++---
 home/common.nix | 8 ++++----
 lib/default.nix | 3 ++-
 modules/conf.nix | 17 ++++++++++++++++
 modules/programs/basePackages.nix | 1 +
 modules/programs/drives.nix | 4 ++--
 modules/programs/flatpak.nix | 28 +++----------------------
 modules/programs/hyprland/hyprland.nix | 2 +-
 10 files changed, 51 insertions(+), 41 deletions(-)
diff --git a/base/common_hardware.nix b/base/common_hardware.nix
index ede1c08..0688ded 100644
--- a/base/common_hardware.nix
+++ b/base/common_hardware.nix
@@ -13,16 +13,30 @@ in {
 #(modulesPath + "/misc/nixpkgs/read-only.nix")
 ];
+ wsl.enable = config.conf.wsl;
+
 # Bootloader.
- boot = {
+ boot = lib.mkIf (!config.conf.wsl) {
 consoleLogLevel = 0;
+
+ lanzaboote = lib.mkIf config.conf.secureBoot {
+ enable = true;
+ pkiBundle = "/var/lib/sbctl";
+ };
+
 loader = {
- systemd-boot = lib.mkIf config.conf.useSystemdBootloader {
- enable = true;
+ systemd-boot = {
+ enable =
+ if config.conf.secureBoot
+ then lib.mkForce false
+ else if config.conf.useSystemdBootloader
+ then true
+ else false;
 configurationLimit = 5;
 };
 efi.canTouchEfiVariables = true;
 };
+
 kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
 initrd = {
 verbose = false;
@@ -60,7 +74,6 @@ in {
 # Enable the X11 windowing system.
 services = {
 lorri.enable = true;
- flatpak.enable = true;
 xserver.enable = true;
 fstrim.enable = lib.mkDefault true;
 # Enable sound with pipewire.
diff --git a/docs/src/README.md b/docs/src/README.md
index 43f7ac8..0a9e778 100644
--- a/docs/src/README.md
+++ b/docs/src/README.md
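Review bot: In the new `systemd-boot.enable` expression `secureBoot = true` silently overrides `useSystemdBootloader`, and the `else if config.conf.useSystemdBootloader then true else false` tail is just the option's own value, so `else config.conf.useSystemdBootloader` expresses the same in one line. That precedence deserves a comment on the `lanzaboote` block, e.g. `# lanzaboote replaces systemd-boot, so secureBoot takes precedence over useSystemdBootloader`. Enabling `lanzaboote` also presumes `/var/lib/sbctl` already holds keys created and enrolled with sbctl; a host without them will presumably fail when the bootloader is installed rather than at evaluation, which a note next to `pkiBundle` should say. The `boot` attrset continues past the end of the hunk.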
@@ -237,7 +237,6 @@ For package lists, please check the individual modules, as the lists can be long
 - drives : A drive configuration module
 - firefox: Enables and configures firefox (extensions and settings)
 - fish: Enables and configures fish shell
-- flatpak : Installs and enables declarative flatpak
 - gaming : Configures gaming related features (launchers, gamemode)
 - git : Git key and config module
 - gnome_services : Gnome services for minimal enviroments -> Window managers etc
diff --git a/flake.nix b/flake.nix
index cbc7dae..b1ffa47 100644
--- a/flake.nix
+++ b/flake.nix
@@ -4,10 +4,11 @@
 inputs = {
 unstable.url = "github:NixOs/nixpkgs/nixos-unstable";
 stable.url = "github:NixOs/nixpkgs/nixos-24.11";
+ nixos-wsl.url = "github:nix-community/NixOS-WSL/main";
 nur.url = "github:nix-community/NUR";
-
- nix-flatpak = {
- url = "github:gmodena/nix-flatpak";
+ lanzaboote = {
+ url = "github:nix-community/lanzaboote/v0.4.2";
+ inputs.nixpkgs.follows = "unstable";
 };
 home-manager = {
diff --git a/home/common.nix b/home/common.nix
index c1df32a..8d21635 100644
--- a/home/common.nix
+++ b/home/common.nix
@@ -26,10 +26,10 @@ in {
 keyboard = null;
- file.".local/share/flatpak/overrides/global".text = ''
- [Context]
- filesystems=xdg-config/gtk-3.0;xdg-config/gtk-4.0
- '';
+ #file.".local/share/flatpak/overrides/global".text = lib.mkForce ''
+ # [Context]
+ # filesystems=xdg-config/gtk-3.0;xdg-config/gtk-4.0
+ #'';
 };
 programs.nix-index = {
diff --git a/lib/default.nix b/lib/default.nix
index db9723c..2ad1719 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -43,6 +43,8 @@
 }, mods ? {
 nixos = [
+ inputs.lanzaboote.nixosModules.lanzaboote
+ inputs.nixos-wsl.nixosModules.default
 inputs.home-manager.nixosModules.home-manager
 inputs.stylix.nixosModules.stylix
 inputs.disko.nixosModules.disko
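Review bot: `nixos-wsl.url` tracks the moving `main` branch while the `lanzaboote` input added two lines below is pinned to a release tag, so every `nix flake update` pulls whatever NixOS-WSL's main currently points at, which makes changes to a boot-relevant input hard to reason about from the lock file. The new input also does not follow the repo's nixpkgs, unlike `lanzaboote`, so it evaluates its own nixpkgs copy. Consider `nixos-wsl = { url = "github:nix-community/NixOS-WSL/<release-tag>"; inputs.nixpkgs.follows = "unstable"; };`, assuming NixOS-WSL exposes a `nixpkgs` input, which should be checked.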
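Review bot: The home/common.nix hunk replaces the flatpak override block with a commented-out copy that additionally gains `lib.mkForce`, so the comment no longer matches the code it replaced and leaves dead text in the module. Since the `nix-flatpak` input is dropped in the same commit, deleting the four lines outright is clearer; git history keeps the old value if it is needed again.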
@@ -62,7 +64,6 @@
 inputs.hyprdock.homeManagerModules.default
 inputs.hyprland.homeManagerModules.default
 inputs.reset.homeManagerModules.default
- inputs.nix-flatpak.homeManagerModules.nix-flatpak
 inputs.sops-nix.homeManagerModules.sops
 inputs.dashvim.homeManagerModules.dashvim
 ../modules
diff --git a/modules/conf.nix b/modules/conf.nix
index 55ec2b9..c7d26b5 100644
--- a/modules/conf.nix
+++ b/modules/conf.nix
@@ -20,6 +20,23 @@
 '';
 };
+ wsl = lib.mkOption {
+ default = false;
+ example = true;
+ description = ''
+ Runs Nix in wsl
+ '';
+ };
+
+ secureBoot = lib.mkOption {
+ default = false;
+ example = true;
+ description = ''
+ enables secure boot.
+ Please don't forget to add your keys.
+ '';
+ };
+
 useSystemdBootloader = lib.mkOption {
 default = true;
 example = false;
diff --git a/modules/programs/basePackages.nix b/modules/programs/basePackages.nix
index 635a2a7..0f2ff25 100644
--- a/modules/programs/basePackages.nix
+++ b/modules/programs/basePackages.nix
@@ -74,6 +74,7 @@
 seahorse
 upower
 xorg.xkbutils
+ sbctl
 ]
 ++ config.mods.basePackages.additionalPackages
 else config.mods.basePackages.additionalPackages;
diff --git a/modules/programs/drives.nix b/modules/programs/drives.nix
index 0f67be2..647bf80 100644
--- a/modules/programs/drives.nix
+++ b/modules/programs/drives.nix
@@ -149,7 +149,7 @@
 config = (
 lib.optionalAttrs (options ? fileSystems) {
- fileSystems = lib.mkIf (config.mods.drives.variant == "manual") (
+ fileSystems = lib.mkIf (config.mods.drives.variant == "manual" && !config.conf.wsl) (
 builtins.listToAttrs (
 map (
 {
@@ -196,7 +196,7 @@
 }
 );
- swapDevices = lib.mkIf (config.mods.drives.useSwap && config.mods.drives.variant == "manual") [
+ swapDevices = lib.mkIf (config.mods.drives.useSwap && config.mods.drives.variant == "manual" && !config.conf.wsl) [
 {device = "/dev/disk/by-label/SWAP";}
 ];
diff --git a/modules/programs/flatpak.nix b/modules/programs/flatpak.nix
index 7c13e9b..68ec2da 100644
--- a/modules/programs/flatpak.nix
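Review bot: The new `wsl` and `secureBoot` options in modules/conf.nix declare no `type`, so any value (a string, `null`) is accepted at declaration time and only fails later inside `lib.mkIf (!config.conf.wsl)` in common_hardware.nix, and two definitions of either option would conflict instead of merging. The sibling `mods.flatpak.enable` option in this commit declares `type = lib.types.bool;`; add that line to both new options. The descriptions could also say what the flag actually does, e.g. `Run this configuration inside WSL (skips bootloader, fileSystems and swap setup).` and `Enable UEFI Secure Boot via lanzaboote; requires keys generated and enrolled with sbctl under /var/lib/sbctl.`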
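Review bot: The predicate `config.mods.drives.variant == "manual" && !config.conf.wsl` is now duplicated between the `fileSystems` hunk and the `swapDevices` hunk of modules/programs/drives.nix; a single named binding (for example `manualDisks = config.mods.drives.variant == "manual" && !config.conf.wsl;` in a `let` above the `config = (` expression) would keep the two conditions from drifting apart. The `config = (` expression starts before the first hunk and continues past both.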
+++ b/modules/programs/flatpak.nix
@@ -7,37 +7,15 @@
 }: {
 options.mods.flatpak = {
 enable = lib.mkOption {
- default = true;
- example = false;
+ default = false;
+ example = true;
 type = lib.types.bool;
 description = "Enables the flatpak package manager";
 };
- additional_packages = lib.mkOption {
- default = [];
- example = [];
- type = with lib.types; listOf str;
- description = "Flatpak packages";
- };
 };
 config = lib.mkIf config.mods.flatpak.enable (
- lib.optionalAttrs (options ? services.flatpak.remote) {
+ lib.optionalAttrs (options ? environment.systemPackages) {
 environment.systemPackages = [pkgs.flatpak];
- services.flatpak.remotes = lib.mkOptionDefault [
- {
- name = "flathub-stable";
- location = "https://dl.flathub.org/repo/flathub.flatpakrepo";
- }
- ];
- services.flatpak.uninstallUnmanaged = true;
- }
- // lib.optionalAttrs (options ? services.flatpak.packages) {
- services.flatpak.packages =
- [
- # fallback if necessary, but generally avoided as nix is superior :)
- # default flatseal installation since flatpak permissions are totally not a broken idea
- "com.github.tchx84.Flatseal"
- ]
- ++ config.mods.flatpak.additional_packages;
 }
 );
 }
diff --git a/modules/programs/hyprland/hyprland.nix b/modules/programs/hyprland/hyprland.nix
index ab8bf53..4fa4c79 100644
--- a/modules/programs/hyprland/hyprland.nix
+++ b/modules/programs/hyprland/hyprland.nix
@@ -147,7 +147,7 @@ in {
 "$mod SUPER,E,exec,nautilus -w"
 "$mod SUPER,N,exec,neovide"
 "$mod SUPER,M,exec,oxidash"
- "$mod SUPER,R,exec,anyrun"
+ "$mod SUPER,R,exec,oxirun"
 "$mod SUPER,G,exec,oxicalc"
 "$mod SUPER,D,exec,oxishut"
 "$mod SUPER,A,exec,oxipaste-iced"
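Review bot: With `mods.flatpak.enable = true` the module now only adds `pkgs.flatpak` to `environment.systemPackages`; nothing sets `services.flatpak.enable`, and the same commit removes `flatpak.enable = true;` from the `services` block in common_hardware.nix. As far as I recall the NixOS `services.flatpak` module is what installs the flatpak D-Bus/systemd units, enables the portal and polkit wiring, and puts `/var/lib/flatpak/exports` on the profile path, so as written the CLI is present but installed apps would not be exported to the session. Adding `services.flatpak.enable = true;` next to the `environment.systemPackages` line, guarded by `options ? services.flatpak.enable` instead of `options ? environment.systemPackages`, restores that and keeps the option description `Enables the flatpak package manager` accurate; the explicit `environment.systemPackages` entry is then redundant if that module already installs the package.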