Initial commit

flake.nix

@@ -0,0 +1,60 @@
+{
+  description = "A SecureBoot-enabled NixOS configurations";
+
+  inputs = {
+    nixpkgs.url = "https://flakehub.com/f/NixOS/nixpkgs/*";
+
+    lanzaboote = {
+      url = "github:nix-community/lanzaboote/v1.0.0";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    apple-fonts.url= "github:Lyndeno/apple-fonts.nix";
+    apple-fonts.inputs.nixpkgs.follows = "nixpkgs";
+  };
+
+
+  outputs = { self, nixpkgs, lanzaboote, apple-fonts, ...}: {
+    nixosConfigurations = {
+      hermes = nixpkgs.lib.nixosSystem rec {
+        system = "x86_64-linux";
+
+        modules = [
+          # This is not a complete NixOS configuration and you need to reference
+          # your normal configuration here.
+
+          lanzaboote.nixosModules.lanzaboote
+
+          ./configuration.nix
+	  ./hardware-configuration.nix
+
+          ({ pkgs, lib, ... }: {
+	   nixpkgs.config.allowUnfree = true;
+            environment.systemPackages = [
+              # For debugging and troubleshooting Secure Boot.
+              pkgs.sbctl
+            ];
+
+	    fonts.packages = [
+	      apple-fonts.packages."x86_64-linux".sf-pro
+	    ];
+
+	    nix.settings.experimental-features = [ "nix-command" "flakes" ];
+            # Lanzaboote currently replaces the systemd-boot module.
+            # This setting is usually set to true in configuration.nix
+            # generated at installation time. So we force it to false
+            # for now.
+            boot.loader.systemd-boot.enable = lib.mkForce false;
+	    boot.bootspec.enable = true;
+	    boot.initrd.systemd.enable = true;
+            boot.lanzaboote = {
+              enable = true;
+              pkiBundle = "/var/lib/sbctl";
+            };
+          })
+        ];
+      };
+    };
+  };
+}
+