Feat(hosts/thinklappi): Enable secureboot with lanzaboote

author: sils <sils@sils.li> 2023-06-30 19:35:28 +0200
committer: sils <sils@sils.li> 2023-06-30 19:35:28 +0200
commit: c13a3b624e2653d4d72c278236fd717567dbb59f (patch)
tree: ea0c0b0290c1209d33ec4a90d4a80c13fa25010f /hosts
parent: Feat(sys): Add fwupd (diff)
download: nix-config-c13a3b624e2653d4d72c278236fd717567dbb59f.tar.gz
nix-config-c13a3b624e2653d4d72c278236fd717567dbb59f.zip
1 files changed, 9 insertions, 6 deletions
diff --git a/hosts/thinklappi/basesystem.nix b/hosts/thinklappi/basesystem.nix
index e5bc5ba..35fd908 100644
--- a/hosts/thinklappi/basesystem.nix
+++ b/hosts/thinklappi/basesystem.nix
@@ -18,12 +18,10 @@
     kernelModules = ["kvm-intel"];
     extraModulePackages = [];
     kernelPackages = pkgs.linuxPackages_latest;
-    loader = {
-      systemd-boot = {
-        enable = true;
-        configurationLimit = 3;
-      };
-      efi.canTouchEfiVariables = true;
+    lanzaboote = {
+      enable = true;
+      configurationLimit = 3;
+      pkiBundle = "/etc/secureboot";
     };
   };
 
@@ -43,6 +41,11 @@
       fsType = "btrfs";
       options = ["subvol=networkmanagerconfig" "compress-force=zstd"];
     };
+    "/etc/secureboot" = {
+      device = "/dev/disk/by-label/nixos-root";
+      fsType = "btrfs";
+      options = ["subvol=secureboot" "compress-force=zstd"];
+    };
     "/etc/nixos" = {
       device = "/dev/disk/by-label/nixos-root";
       fsType = "btrfs";
author	sils <sils@sils.li>	2023-06-30 19:35:28 +0200
committer	sils <sils@sils.li>	2023-06-30 19:35:28 +0200
commit	c13a3b624e2653d4d72c278236fd717567dbb59f (patch)
tree	ea0c0b0290c1209d33ec4a90d4a80c13fa25010f /hosts
parent	Feat(sys): Add fwupd (diff)
download	nix-config-c13a3b624e2653d4d72c278236fd717567dbb59f.tar.gz nix-config-c13a3b624e2653d4d72c278236fd717567dbb59f.zip