Secureboot on Stable? Do I need Lanzaboote?

AFAIK, no, the bootspec thing that lanzaboote uses to figure out how to build your UKIs is in stable now.

Hm, fair, npins is generally recommended as an alternative these days. If nothing else, it’s a tad more actively maintained.

Well, that’d work, and is almost the same as what these tools do, but you’ve already fallen for the first footgun involved in doing this. Since you’re using one of the fetchers with optional hashes, and not specifying a hash, nix will download a new version of that tarball every two hours or so.

Usually at least this won’t cause a rebuild since you’re specifying a specific ref, but even then github archives created without the appropriate fetchers are not stable, so this will cause random rebuilds occasionally. Your system is no longer reproducible. It’ll also annoy you by doing a big ol’ download first practically every time you evaluate your config.

Use npins or niv, they do it correctly for you, and give you a convenient command for updating so anything you depend on isn’t locked at whatever version it was at when you first wrote your config. Plus you don’t need to go around manually computing nix-style hashes or evaluating your config twice.

Also, if you’re far enough along on your journey to understand nix this well, switch from channels to one of these while you’re at it, and stop using the nix-channel command (+ delete your channels, and use nix.channel.enable = false, setting your nixPath up like this instead - don’t forget to set nixos-config while you’re at it). You’ll stop running into so many weird edge cases, especially as a newbie, and be back to one command to update them all.
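The footgun and its fixes side by side, as an added example that is not part of the thread. The first two forms are shown as comments for comparison; the uncommented module is what you would put in configuration.nix. It assumes a conventional `/etc/nixos/configuration.nix`, an `npins` directory created in the same place with the commands noted in the comments, and the hash placeholder is exactly that (Nix prints the real value on the first evaluation that fails the check).

```nix
# Added example, not from the thread or from the npins project.
#
# 1) The footgun: an optional-hash fetcher with no hash. Nix re-downloads the
#    archive once its cache entry expires and trusts whatever comes back, so the
#    build is neither reproducible nor integrity-checked.
#
#   pkgs = import (builtins.fetchTarball
#     "https://github.com/NixOS/nixpkgs/archive/nixos-24.05.tar.gz") {};
#
# 2) Same fetcher, pinned to a commit and a hash: a changed archive becomes an
#    evaluation error instead of a silent upgrade. (Placeholder values.)
#
#   pkgs = import (builtins.fetchTarball {
#     url = "https://github.com/NixOS/nixpkgs/archive/<commit>.tar.gz";
#     sha256 = "<copy the hash Nix reports on the first failing evaluation>";
#   }) {};
#
# 3) The recommended form: let npins record url, revision and hash in
#    npins/sources.json, and bump everything with one `npins update`.
#      npins init                                   # pins nixpkgs into ./npins
#      npins add github nix-community lanzaboote -b master   # an extra pin
{ config, lib, ... }:
let
  # Every entry is a hash-checked, locked source; nothing here is fetched by TTL.
  sources = import ./npins;
in
{
  # Drop channels entirely and point NIX_PATH at the pins, so `nixos-rebuild`,
  # `<nixpkgs>` and `<nixos-config>` all resolve to the same locked revision.
  nix.channel.enable = false;
  nix.nixPath = [
    "nixpkgs=${sources.nixpkgs}"
    "nixos-config=/etc/nixos/configuration.nix"
  ];
}
```

After a `nixos-rebuild switch` with this in place, `nix-channel --list` is irrelevant and `npins update` followed by another rebuild is the single update step the reply describes.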

You do, NixOS doesn’t currently build UKIs. NixOS doesn’t use dracut for various reasons, providing UKIs is nontrivial (though I forget why), and even if they were provided, signing the resulting UKI still needs to be done downstream, so can’t be part of a nix build.

Lanzaboote does this final step of converting your kernel + initrd into a UKI and signing it outside of the nix build context, which allows it to actually sign stuff without leaking the key to the whole internet or forcing you to build kernels.

It’s not bit-for-bit reproducible, but that’s kind of the point of asymmetric key encryption, and it certainly introduces the least reproducibility holes possible.

Caveat emptor: I have not tried this, @RaitoBezarius will likely swoop in and tell me how far off I am.
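For the UKI-and-signing step the reply describes, here is an added configuration example (not from the thread, nor the Lanzaboote project's own documentation) of enabling the Lanzaboote module on a channel-free, npins-based system. It assumes the module was pinned with `npins add github nix-community lanzaboote -b master`, that the signing keys were created with `sbctl create-keys`, and that they live at `/var/lib/sbctl` (the path is an assumption; use wherever your keys actually are).

```nix
# Added example, not from the thread. Assumes an ./npins directory containing a
# `lanzaboote` pin and signing keys generated with sbctl outside the Nix store.
{ config, lib, pkgs, ... }:
let
  sources = import ./npins;
in
{
  # The module path inside the pinned checkout (assumed from the repo layout).
  imports = [ "${sources.lanzaboote}/nix/modules/lanzaboote.nix" ];

  # Lanzaboote installs its own signed systemd-boot stub and assembles the
  # kernel + initrd into a UKI at activation time, so the stock installer is
  # turned off.
  boot.loader.systemd-boot.enable = lib.mkForce false;
  boot.loader.efi.canTouchEfiVariables = true;

  boot.lanzaboote = {
    enable = true;
    # Key and certificate are read from here during activation, i.e. outside
    # the Nix build, which is why they never end up in the world-readable
    # /nix/store. Path is an assumption (sbctl's default location).
    pkiBundle = "/var/lib/sbctl";
  };
}
```

The reproducibility hole the reply mentions is exactly the `pkiBundle` read: the signed UKI depends on a private key that is deliberately not a build input, so two machines with the same configuration produce different boot entries, and `sbctl verify` is the check that the entries on the ESP were actually signed.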

AIUI the other keys are not wiped, so if nothing else, you can always still boot those with the UEFI boot selection (which is separate from the UEFI settings interface).

There seems to be an option to include windows in the UI, but not through systemd-boot, and I guess this doesn’t apply to other distros: Windows dual boot documentation? · Issue #427 · nix-community/lanzaboote · GitHub

So… I think so, but the UI for it isn’t clean yet? Worst case, trying it out shouldn’t be too bad, as long as you have an easy way to reinstall your Gentoo keys, UEFI menus have an option to reinstall the Windows keys, and you can always turn off secure boot to recover.