author | Soispha <soispha@vhack.eu> | 2023-07-15 20:09:17 +0200 |
---|---|---|
committer | Soispha <soispha@vhack.eu> | 2023-07-15 20:09:55 +0200 |
commit | 59bc28565f102c0ce17d3cf513cdab058608b0dc (patch) | |
tree | 66623f11d41a435790612a4880d5ab05dc2e9716 /system/boot/default.nix | |
parent | Fix(system/disks/hibernate): Try to activate it (diff) | |
Feat(system/boot): Enable lanzaboote (and with it secure boot)
Diffstat (limited to 'system/boot/default.nix')
-rw-r--r-- | system/boot/default.nix | 21 |
1 files changed, 19 insertions, 2 deletions
diff --git a/system/boot/default.nix b/system/boot/default.nix
index 410bf143..9606c7b3 100644
--- a/system/boot/default.nix
+++ b/system/boot/default.nix
@@ -1,4 +1,8 @@
-{pkgs, ...}: {
+{
+ pkgs,
+ lib,
+ ...
+}: {
 boot = {
 initrd = {
 #compressor = "lz4";
@@ -7,14 +11,27 @@
 };
 kernelPackages = pkgs.linuxPackages_latest;
+
+ lanzaboote = {
+ enable = true;
+ pkiBundle = "/etc/secureboot";
+ };
+
 loader = {
+ # Lanzaboote currently replaces the systemd-boot module.
+ # This setting is usually set to true in configuration.nix
+ # generated at installation time. So we force it to false
+ # for now.
+ systemd-boot.enable = lib.mkForce false;
+
 grub = {
- enable = true;
+ enable = false;
 # theme = pkgs.nixos-grub2-theme;
 splashImage = ./boot_pictures/gnu.png;
 efiSupport = true;
 device = "nodev"; # only for efi
 };
+
 efi = {
 canTouchEfiVariables = true;
 efiSysMountPoint = "/boot"; |
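Review bot: The new `lanzaboote` block in the second hunk points `pkiBundle` at `/etc/secureboot` without a comment on what must already be in place there, and that directory is where the private Secure Boot signing keys are kept. Enabling the module only signs the boot files; enforcement presumably still depends on the keys being enrolled and Secure Boot being switched on in firmware, so the "and with it secure boot" in the commit title relies on steps outside this file. I would add above `pkiBundle`: `# Private signing keys live here: create and enroll them with sbctl first; keep the directory root-only and on an encrypted filesystem.` The comment above `systemd-boot.enable` appears to come from the lanzaboote quick start and reads oddly here, since this file used GRUB, whose `splashImage`/`efiSupport`/`device` settings are now dead behind `enable = false`; the `boot` and `loader` blocks continue past the end of the hunk.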