authorSoispha <soispha@vhack.eu>2023-07-15 20:09:17 +0200
committerSoispha <soispha@vhack.eu>2023-07-15 20:09:55 +0200
commit59bc28565f102c0ce17d3cf513cdab058608b0dc (patch)
tree66623f11d41a435790612a4880d5ab05dc2e9716 /system/boot/default.nix
parentFix(system/disks/hibernate): Try to activate it (diff)
Feat(system/boot): Enable lanzaboote (and with it secure boot)
Diffstat (limited to 'system/boot/default.nix')
-rw-r--r--system/boot/default.nix21
1 files changed, 19 insertions, 2 deletions
diff --git a/system/boot/default.nix b/system/boot/default.nix
index 410bf143..9606c7b3 100644
--- a/system/boot/default.nix
+++ b/system/boot/default.nix
@@ -1,4 +1,8 @@
-{pkgs, ...}: {
+{
+  pkgs,
+  lib,
+  ...
+}: {
   boot = {
     initrd = {
       #compressor = "lz4";
@@ -7,14 +11,27 @@
     };
 
     kernelPackages = pkgs.linuxPackages_latest;
+
+    lanzaboote = {
+      enable = true;
+      pkiBundle = "/etc/secureboot";
+    };
+
     loader = {
+      # Lanzaboote currently replaces the systemd-boot module.
+      # This setting is usually set to true in configuration.nix
+      # generated at installation time. So we force it to false
+      # for now.
+      systemd-boot.enable = lib.mkForce false;
+
       grub = {
-        enable = true;
+        enable = false;
         # theme = pkgs.nixos-grub2-theme;
         splashImage = ./boot_pictures/gnu.png;
         efiSupport = true;
         device = "nodev"; # only for efi
       };
+
       efi = {
         canTouchEfiVariables = true;
         efiSysMountPoint = "/boot";
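Review bot: `pkiBundle = "/etc/secureboot"` makes an out-of-tree directory the root of trust for every boot, but nothing in this hunk creates or checks it, so the first build on a host where `sbctl create-keys` has not been run will presumably fail at activation rather than at evaluation. A comment stating the prerequisite would save the next reader that round trip, e.g. `# Keys must be generated beforehand with \`sbctl create-keys\` (root-only perms) and enrolled with \`sbctl enroll-keys\`; the private key here can sign any UEFI binary, so treat it as a secret.`. The `grub` attribute set is also left fully configured (`splashImage`, `efiSupport`, `device`) while `enable = false`, which reads as either leftover or a deliberate fallback; either delete the block or add a one-line comment saying which. The `boot.loader.efi` set continues past the end of the hunk.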