From c53477fbf5c086af1de72c572960777645b222d0 Mon Sep 17 00:00:00 2001
From: Raito Bezarius
Date: Wed, 23 Nov 2022 11:59:54 +0100
Subject: [PATCH] nixos: add a lanzaboote module

---
 flake.lock | 17 +++++++++++++++++
 flake.nix | 28 +++++++++++++++++++++++++++-
 nix/lanzaboote.nix | 17 +++++++++++++++++
 3 files changed, 61 insertions(+), 1 deletion(-)
 create mode 100644 nix/lanzaboote.nix

diff --git a/flake.lock b/flake.lock
index 665aedc..6734196 100644
--- a/flake.lock
+++ b/flake.lock
@@ -47,6 +47,22 @@
 "type": "indirect"
 }
 },
+ "nixpkgs-test": {
+ "locked": {
+ "lastModified": 1669200924,
+ "narHash": "sha256-NUPT9VMQHnFRqqd/ILcfMSbOvPTLbVBXGO7SWj0N7Dg=",
+ "owner": "RaitoBezarius",
+ "repo": "nixpkgs",
+ "rev": "542f657a93ae903e07d6274de413142c4b99d6ed",
+ "type": "github"
+ },
+ "original": {
+ "owner": "RaitoBezarius",
+ "ref": "experimental-secureboot",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "nixpkgs_2": {
 "locked": {
 "lastModified": 1669001258,
@@ -83,6 +99,7 @@
 "inputs": {
 "naersk": "naersk",
 "nixpkgs": "nixpkgs_2",
+ "nixpkgs-test": "nixpkgs-test",
 "rust-overlay": "rust-overlay"
 }
 },
diff --git a/flake.nix b/flake.nix
index e2aa5fb..b83f36c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -3,11 +3,12 @@

 inputs = {
 nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
+ nixpkgs-test.url = "github:RaitoBezarius/nixpkgs/experimental-secureboot";
 rust-overlay.url = "github:oxalica/rust-overlay";
 naersk.url = "github:nix-community/naersk";
 };

- outputs = { self, nixpkgs, rust-overlay, naersk }:
+ outputs = { self, nixpkgs, nixpkgs-test, rust-overlay, naersk }:
 let
 pkgs = import nixpkgs {
 system = "x86_64-linux";
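Review bot: The new `nixpkgs-test` input in the `inputs` block tracks the `experimental-secureboot` branch of a personal fork, and nothing in flake.nix says why it exists or what it is expected to provide. flake.lock pins it to rev 542f657a93ae903e07d6274de413142c4b99d6ed, so evaluation is reproducible today, but a later `nix flake update` will follow whatever that mutable branch points to, with the lockfile diff as the only review boundary. The later hunk uses it for the NixOS test driver, and presumably for the `boot.loader.external` options that nix/lanzaboote.nix sets, so a short comment next to the input would help, e.g. `# Personal nixpkgs fork (branch experimental-secureboot) providing the Secure Boot test setup; drop once upstreamed`. The `outputs` function continues outside this hunk.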
@@ -127,6 +128,12 @@
 add-sections ${lanzaboote}/bin/lanzaboote.efi ${osrel} ${cmdline} $out/bin/lanzaboote.efi
 '';
 in {
+ overlays.default = final: prev: {
+ inherit lanzaboote lanzatool;
+ };
+
+ nixosModules.lanzaboote = import ./nix/lanzaboote.nix;
+
 packages.x86_64-linux = {
 inherit qemuUefi uefi-run initrd-stub lanzaboote lanzaboote-uki lanzatool wrapInitrd;
 default = lanzaboote-uki;
@@ -146,5 +153,24 @@
 lanzaboote
 ];
 };
+
+ checks.x86_64-linux = {
+ lanzaboote-boot =
+ let test = import ("${nixpkgs-test}/nixos/lib/testing-python.nix") { system = "x86_64-linux"; };
+ in
+ test.makeTest
+ {
+ name = "stub-boot";
+ nodes.machine = { ... }: {
+ imports = [ self.nixosModules.lanzaboote ];
+ nixpkgs.overlays = [ self.overlays.default ];
+
+ boot.lanzaboote.enable = true;
+ };
+ testScript = ''
+ start_all()
+ '';
+ };
+ };
 };
 }
diff --git a/nix/lanzaboote.nix b/nix/lanzaboote.nix
new file mode 100644
index 0000000..f8bfdb3
--- /dev/null
+++ b/nix/lanzaboote.nix
@@ -0,0 +1,17 @@
+{ lib, config, ... }:
+with lib;
+let
+ cfg = config.boot.lanzaboote;
+in
+{
+ options.boot.lanzaboote = {
+ enable = mkEnableOption "Enable the LANZABOOTE";
+ };
+
+ config = mkIf cfg.enable {
+ boot.loader.external = {
+ enable = true;
+ installHook = "${pkgs.lanzatool}/bin/lanzatool install";
+ };
+ };
+}
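Review bot: The `testScript` of the new `checks.x86_64-linux.lanzaboote-boot` only calls `start_all()`, so as far as I can tell the check passes as soon as the VM is up and never asserts that the machine actually booted through the lanzaboote stub. At minimum `machine.wait_for_unit("multi-user.target")` would make a hung or failed boot fail the check, and a follow-up assertion on the boot path (for example checking `bootctl status` output) would tie the test to the feature it is named after. The attribute is called `lanzaboote-boot` while the test's `name` is `"stub-boot"`; aligning the two keeps logs and `nix flake check` output searchable. The `${nixpkgs-test}` path is interpolated straight into an `import`, so this check is only as trustworthy as that fork input; a comment saying the regular `nixpkgs` input cannot be used here yet would explain the choice to the next reader.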
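Review bot: `pkgs` is referenced in `installHook = "${pkgs.lanzatool}/bin/lanzatool install";` but is never bound in this module: the argument pattern is `{ lib, config, ... }:` and `with lib;` does not supply it, so Nix rejects the file with an undefined-variable error on import, which the new check hits because it imports `self.nixosModules.lanzaboote`. The fix is the argument line `{ lib, config, pkgs, ... }:`. Separately, `mkEnableOption` already prefixes its argument with "Whether to enable", so `mkEnableOption "Enable the LANZABOOTE"` renders as "Whether to enable Enable the LANZABOOTE."; something like `mkEnableOption "the Lanzaboote Secure Boot bootloader integration"` reads correctly. The module also silently depends on two things that are not stated anywhere: `pkgs.lanzatool` only exists once the flake's overlay is applied (the check does this via `nixpkgs.overlays`), and `boot.loader.external` may not exist in every nixpkgs revision; a header comment naming both prerequisites would save the next integrator a confusing evaluation failure.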