-rw-r--r--flake.lock155
-rw-r--r--flake.nix11
-rw-r--r--flake/default.nix29
-rw-r--r--home-manager/config/firefox/config/extensions/extensions.json6
-rw-r--r--hosts/apzu/hardware/gpu.nix7
-rw-r--r--system/boot/default.nix21
-rw-r--r--system/impermanence/default.nix9
7 files changed, 202 insertions, 36 deletions
diff --git a/flake.lock b/flake.lock
index bffca00a..877387c9 100644
--- a/flake.lock
+++ b/flake.lock
@@ -11,11 +11,11 @@
]
},
"locked": {
- "lastModified": 1684153753,
- "narHash": "sha256-PVbWt3qrjYAK+T5KplFcO+h7aZWfEj1UtyoKlvcDxh0=",
+ "lastModified": 1689334118,
+ "narHash": "sha256-djk5AZv1yU84xlKFaVHqFWvH73U7kIRstXwUAnDJPsk=",
"owner": "ryantm",
"repo": "agenix",
- "rev": "db5637d10f797bb251b94ef9040b237f4702cde3",
+ "rev": "0d8c5325fc81daf00532e3e26c6752f7bcde1143",
"type": "github"
},
"original": {
@@ -82,11 +82,11 @@
]
},
"locked": {
- "lastModified": 1688544596,
- "narHash": "sha256-/rbDM71Qpj4gMp54r9mQ2AdD10jEMtnrQ3b2Xf+HYTU=",
+ "lastModified": 1689324677,
+ "narHash": "sha256-83DCDJwBkulQFQESe37+tG0qUb8JkQLJHJ3Qn7iGx7Q=",
"owner": "nix-community",
"repo": "disko",
- "rev": "fc3c3817c9f1fcd405463c6a7f0f98baab97c692",
+ "rev": "7eb09408393faa5b8f3b3524c39cb93d938e8d04",
"type": "github"
},
"original": {
@@ -111,6 +111,27 @@
"type": "github"
}
},
+ "flake-parts": {
+ "inputs": {
+ "nixpkgs-lib": [
+ "lanzaboote",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1683560683,
+ "narHash": "sha256-XAygPMN5Xnk/W2c1aW0jyEa6lfMDZWlQgiNtmHXytPc=",
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "rev": "006c75898cf814ef9497252b022e91c946ba8e17",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "type": "github"
+ }
+ },
"flake-utils": {
"inputs": {
"systems": [
@@ -118,11 +139,11 @@
]
},
"locked": {
- "lastModified": 1687709756,
- "narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=",
+ "lastModified": 1689068808,
+ "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=",
"owner": "numtide",
"repo": "flake-utils",
- "rev": "dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7",
+ "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4",
"type": "github"
},
"original": {
@@ -218,6 +239,28 @@
"url": "https://codeberg.org/soispha/generate_firefox_extension.git"
}
},
+ "gitignore": {
+ "inputs": {
+ "nixpkgs": [
+ "lanzaboote",
+ "pre-commit-hooks-nix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1660459072,
+ "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
+ "owner": "hercules-ci",
+ "repo": "gitignore.nix",
+ "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "gitignore.nix",
+ "type": "github"
+ }
+ },
"grades": {
"inputs": {
"crane": [
@@ -254,11 +297,11 @@
]
},
"locked": {
- "lastModified": 1688999869,
- "narHash": "sha256-gLD2UI6+Nb9JV5Wh4FnLHAZwLMiY11RHYBKmBZCxLXc=",
+ "lastModified": 1689432596,
+ "narHash": "sha256-Vixn4nhjeHjGG3o6hDAnSZbXsYMYA5b39+NwAbUPpi0=",
"owner": "nix-community",
"repo": "home-manager",
- "rev": "a6d1d954b81caf4c9291b8ac35452fef842f289b",
+ "rev": "346032240c15d8b6034847dc7a5f53312a5a57fc",
"type": "github"
},
"original": {
@@ -283,6 +326,34 @@
"type": "github"
}
},
+ "lanzaboote": {
+ "inputs": {
+ "flake-compat": [
+ "flake-compat"
+ ],
+ "flake-parts": "flake-parts",
+ "flake-utils": [
+ "flake-utils"
+ ],
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "pre-commit-hooks-nix": "pre-commit-hooks-nix"
+ },
+ "locked": {
+ "lastModified": 1687124707,
+ "narHash": "sha256-BEC2y7zwDI/Saeupr9rijLvwb0OoqTD9vntlcyciyrM=",
+ "owner": "nix-community",
+ "repo": "lanzaboote",
+ "rev": "c758cdad465e0c8174db57dc493f51a89f0e3372",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "lanzaboote",
+ "type": "github"
+ }
+ },
"neovim_config": {
"flake": false,
"locked": {
@@ -337,11 +408,11 @@
},
"nixpkgs": {
"locked": {
- "lastModified": 1688918189,
- "narHash": "sha256-f8ZlJ67LgEUDnN7ZsAyd1/Fyby1VdOXWg4XY/irSGrQ=",
+ "lastModified": 1689282004,
+ "narHash": "sha256-VNhuyb10c9SV+3hZOlxwJwzEGytZ31gN9w4nPCnNvdI=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "408c0e8c15a1c9cf5c3226931b6f283c9867c484",
+ "rev": "e74e68449c385db82de3170288a28cd0f608544f",
"type": "github"
},
"original": {
@@ -351,6 +422,53 @@
"type": "github"
}
},
+ "nixpkgs-stable": {
+ "locked": {
+ "lastModified": 1678872516,
+ "narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "9b8e5abb18324c7fe9f07cb100c3cd4a29cda8b8",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-22.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "pre-commit-hooks-nix": {
+ "inputs": {
+ "flake-compat": [
+ "lanzaboote",
+ "flake-compat"
+ ],
+ "flake-utils": [
+ "lanzaboote",
+ "flake-utils"
+ ],
+ "gitignore": "gitignore",
+ "nixpkgs": [
+ "lanzaboote",
+ "nixpkgs"
+ ],
+ "nixpkgs-stable": "nixpkgs-stable"
+ },
+ "locked": {
+ "lastModified": 1684842236,
+ "narHash": "sha256-rYWsIXHvNhVQ15RQlBUv67W3YnM+Pd+DuXGMvCBq2IE=",
+ "owner": "cachix",
+ "repo": "pre-commit-hooks.nix",
+ "rev": "61e567d6497bc9556f391faebe5e410e6623217f",
+ "type": "github"
+ },
+ "original": {
+ "owner": "cachix",
+ "repo": "pre-commit-hooks.nix",
+ "type": "github"
+ }
+ },
"ragenix": {
"inputs": {
"agenix": [
@@ -428,6 +546,7 @@
"grades": "grades",
"home-manager": "home-manager",
"impermanence": "impermanence",
+ "lanzaboote": "lanzaboote",
"neovim_config": "neovim_config",
"nixos-generators": "nixos-generators",
"nixpkgs": "nixpkgs",
@@ -456,11 +575,11 @@
]
},
"locked": {
- "lastModified": 1688956505,
- "narHash": "sha256-6sa19mHTkdOi867lIolhpiS20trMdo0unk5/37859X4=",
+ "lastModified": 1689388484,
+ "narHash": "sha256-cR8W4LZTk1SFGhDUGG4RF7qPZP7d9qFmltk7nFi7WMo=",
"owner": "oxalica",
"repo": "rust-overlay",
- "rev": "4acc04c26df84e0a718c3efe4e13021222d23b28",
+ "rev": "15027511818ee595ca2ae6ec4b5f8f0e96c0fe47",
"type": "github"
},
"original": {
diff --git a/flake.nix b/flake.nix
index d68a4c94..6c6a1c3c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -86,6 +86,15 @@
crane.follows = "crane";
};
};
+ lanzaboote = {
+ url = "github:nix-community/lanzaboote";
+
+ inputs = {
+ flake-compat.follows = "flake-compat";
+ flake-utils.follows = "flake-utils";
+ nixpkgs.follows = "nixpkgs";
+ };
+ };
# my configs
neovim_config = {
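Review bot: The new `lanzaboote` input follows `flake-compat`, `flake-utils` and `nixpkgs` but leaves its `flake-parts` and `pre-commit-hooks-nix` inputs unfollowed, so the lock in this commit gains a second nixpkgs tree (`nixpkgs-stable`, pinned to `nixos-22.11`) plus `gitignore` and `flake-parts` entries that only that dependency uses. Those appear to serve lanzaboote's own development tooling rather than the NixOS module this flake consumes, so the cost is probably just a larger lock and one more pinned snapshot to keep track of; if that is unwanted, a nested follow such as `pre-commit-hooks-nix.inputs.nixpkgs-stable.follows = "nixpkgs";` inside the `inputs` block should collapse it. The enclosing `inputs` attribute set starts before this hunk.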
@@ -213,6 +222,7 @@
ragenix,
serverphone,
disko,
+ lanzaboote,
# external dependencies
neovim_config,
user_js,
@@ -253,6 +263,7 @@
ragenix
serverphone
disko
+ lanzaboote
# external dependencies
neovim_config
diff --git a/flake/default.nix b/flake/default.nix
index e78b957e..45bec03b 100644
--- a/flake/default.nix
+++ b/flake/default.nix
@@ -13,6 +13,7 @@
ragenix,
serverphone,
disko,
+ lanzaboote,
# external dependencies
neovim_config,
user_js,
@@ -73,8 +74,9 @@
disko.nixosModules.default
- home-manager.nixosModules.home-manager
+ lanzaboote.nixosModules.lanzaboote
+ home-manager.nixosModules.home-manager
homeManagerConfig
impermanence.nixosModules.impermanence
@@ -130,17 +132,32 @@ in {
devShells."${system}" = {
default = pkgs.mkShell {
packages = with pkgs; [
- alejandra
+ # secure boot
+ sbctl
+ # spells
+ ltex-ls
+
+ # other
cocogitto
- generate_firefox_extensions.packages."${system}".default # needed for the firefox extension update script
git-bug
- ltex-ls
+
+ # nix
+ alejandra
nil
+ statix
+
+ # yaml
+ yamllint
+
+ # secrets
ragenix.packages."${system}".default
+
+ # shell
shellcheck
shfmt
- statix
- yamllint
+
+ # update
+ generate_firefox_extensions.packages."${system}".default # needed for the firefox extension update script
];
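Review bot: The new `# spells` label over `ltex-ls` does not say what the package is for, unlike the other group labels which name a purpose; `# spell and grammar checking (ltex-ls)` would read clearly. `sbctl` under `# secure boot` appears to be here to create and enroll the keys that `boot.lanzaboote.pkiBundle` in `system/boot/default.nix` later reads, so a short pointer such as `# secure boot: key creation/enrollment for boot.lanzaboote.pkiBundle` would help the next reader connect the two. The `devShells` attribute set starts before this hunk.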
};
};
diff --git a/home-manager/config/firefox/config/extensions/extensions.json b/home-manager/config/firefox/config/extensions/extensions.json
index 45977803..5c0992c1 100644
--- a/home-manager/config/firefox/config/extensions/extensions.json
+++ b/home-manager/config/firefox/config/extensions/extensions.json
@@ -9,9 +9,9 @@
"keepassxc-browser": {
"addonId": "keepassxc-browser@keepassxc.org",
"pname": "keepassxc-browser",
- "sha256": "sha256:ce2275eb1f0a4b0ce2342204d00d62033f81f6dcb9e021cff38f51273e614f20",
- "url": "https://addons.mozilla.org/firefox/downloads/file/4094964/keepassxc_browser-1.8.6.1.xpi",
- "version": "1.8.6.1"
+ "sha256": "sha256:deb1c3c29fabe90dd811536d434d64c200caab9a9f7febc3428aa170eefec5f2",
+ "url": "https://addons.mozilla.org/firefox/downloads/file/4134768/keepassxc_browser-1.8.7.xpi",
+ "version": "1.8.7"
},
"libredirect": {
"addonId": "7esoorv3@alefvanoon.anonaddy.me",
diff --git a/hosts/apzu/hardware/gpu.nix b/hosts/apzu/hardware/gpu.nix
index 180695e8..4a3805b8 100644
--- a/hosts/apzu/hardware/gpu.nix
+++ b/hosts/apzu/hardware/gpu.nix
@@ -1,9 +1,4 @@
-{
- config,
- pkgs,
- lib,
- ...
-}: {
+{pkgs, ...}: {
# hardware.opengl.extraPackages = with pkgs; [
# rocm-opencl-icd # open-cl
# amdvlk # or directly through mesa
diff --git a/system/boot/default.nix b/system/boot/default.nix
index 410bf143..9606c7b3 100644
--- a/system/boot/default.nix
+++ b/system/boot/default.nix
@@ -1,4 +1,8 @@
-{pkgs, ...}: {
+{
+ pkgs,
+ lib,
+ ...
+}: {
boot = {
initrd = {
#compressor = "lz4";
@@ -7,14 +11,27 @@
};
kernelPackages = pkgs.linuxPackages_latest;
+
+ lanzaboote = {
+ enable = true;
+ pkiBundle = "/etc/secureboot";
+ };
+
loader = {
+ # Lanzaboote currently replaces the systemd-boot module.
+ # This setting is usually set to true in configuration.nix
+ # generated at installation time. So we force it to false
+ # for now.
+ systemd-boot.enable = lib.mkForce false;
+
grub = {
- enable = true;
+ enable = false;
# theme = pkgs.nixos-grub2-theme;
splashImage = ./boot_pictures/gnu.png;
efiSupport = true;
device = "nodev"; # only for efi
};
+
efi = {
canTouchEfiVariables = true;
efiSysMountPoint = "/boot";
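Review bot: `grub.enable = false;` leaves `splashImage`, `efiSupport` and `device` in place as dead configuration, so a reader sees two loaders configured while only lanzaboote is active; either drop the `grub` block or comment it out alongside the existing `# theme` line so the intent is visible. The new comment above `systemd-boot.enable = lib.mkForce false;` explains that line, but the `lanzaboote` block itself carries no comment; if I read lanzaboote correctly it signs the boot entries with the keys under `pkiBundle`, so `# Secure Boot via lanzaboote; pkiBundle must hold the sbctl-generated keys before the first rebuild` would document the dependency on that directory. The `boot` attribute set starts in the previous hunk and ends outside this one.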
diff --git a/system/impermanence/default.nix b/system/impermanence/default.nix
index 126e9e10..8e6d81fb 100644
--- a/system/impermanence/default.nix
+++ b/system/impermanence/default.nix
@@ -5,6 +5,12 @@
"/etc/NetworkManager" # store the networkmanager configs
]
else [];
+ secureboot =
+ if config.boot.lanzaboote.enable
+ then [
+ "/etc/secureboot"
+ ]
+ else [];
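Review bot: `"/etc/secureboot"` here duplicates the literal assigned to `boot.lanzaboote.pkiBundle` in `system/boot/default.nix`, and the two can drift apart silently, leaving the signing keys unpersisted across a reboot while `enable` is still true; reading the option instead, `config.boot.lanzaboote.pkiBundle`, keeps the persisted path and the configured one identical. This assumes `config` is among the module's arguments, which the function header outside this hunk would show. The `++ secureboot` concatenation in the second hunk of this file needs no change.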
directories =
[
"/etc/nixos"
@@ -14,7 +20,8 @@
#"/var/lib/nixos"
#"/var/lib/systemd/coredump"
]
- ++ networkmanager;
+ ++ networkmanager
+ ++ secureboot;
in {
# needed for the hm impermanence config
programs.fuse.userAllowOther = true;