authorSoispha <soispha@vhack.eu>2023-07-15 20:09:17 +0200
committerSoispha <soispha@vhack.eu>2023-07-15 20:09:55 +0200
commit59bc28565f102c0ce17d3cf513cdab058608b0dc (patch)
tree66623f11d41a435790612a4880d5ab05dc2e9716 /system
parentFix(system/disks/hibernate): Try to activate it (diff)
downloadnixos-config-59bc28565f102c0ce17d3cf513cdab058608b0dc.tar.gz
nixos-config-59bc28565f102c0ce17d3cf513cdab058608b0dc.zip
Feat(system/boot): Enable lanzaboote (and with it secure boot)
Diffstat (limited to '')
-rw-r--r--system/boot/default.nix21
-rw-r--r--system/impermanence/default.nix9
2 files changed, 27 insertions, 3 deletions
diff --git a/system/boot/default.nix b/system/boot/default.nix
index 410bf143..9606c7b3 100644
--- a/system/boot/default.nix
+++ b/system/boot/default.nix
@@ -1,4 +1,8 @@
-{pkgs, ...}: {
+{
+  pkgs,
+  lib,
+  ...
+}: {
   boot = {
     initrd = {
       #compressor = "lz4";
@@ -7,14 +11,27 @@
     };
 
     kernelPackages = pkgs.linuxPackages_latest;
+
+    lanzaboote = {
+      enable = true;
+      pkiBundle = "/etc/secureboot";
+    };
+
     loader = {
+      # Lanzaboote currently replaces the systemd-boot module.
+      # This setting is usually set to true in configuration.nix
+      # generated at installation time. So we force it to false
+      # for now.
+      systemd-boot.enable = lib.mkForce false;
+
       grub = {
-        enable = true;
+        enable = false;
         # theme = pkgs.nixos-grub2-theme;
         splashImage = ./boot_pictures/gnu.png;
         efiSupport = true;
         device = "nodev"; # only for efi
       };
+
       efi = {
         canTouchEfiVariables = true;
         efiSysMountPoint = "/boot";
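Review bot: `pkiBundle = "/etc/secureboot"` points lanzaboote at a key directory that nothing in this file creates or explains, and the block carries no comment about it while the `systemd-boot` line gets four; a short note such as `# Secure Boot signing keys; not produced by this config, and persisted via system/impermanence so they survive a reboot.` would tell the next reader where to look. The `grub` block stays fully configured (`efiSupport`, `device`, `splashImage`) even though `enable = false` now, so either drop those lines or add a one-line comment that they are intentionally kept as a fallback. The `loader` attribute set continues past the end of this hunk.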
diff --git a/system/impermanence/default.nix b/system/impermanence/default.nix
index 126e9e10..8e6d81fb 100644
--- a/system/impermanence/default.nix
+++ b/system/impermanence/default.nix
@@ -5,6 +5,12 @@
       "/etc/NetworkManager" # store the networkmanager configs
     ]
     else [];
+  secureboot =
+    if config.boot.lanzaboote.enable
+    then [
+      "/etc/secureboot"
+    ]
+    else [];
   directories =
     [
       "/etc/nixos"
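Review bot: `config.boot.lanzaboote.enable` is read here, but the module's argument set is outside the hunk, so confirm `config` is bound there (the `networkmanager` binding above appears to use the same pattern, so it probably is). Persisting `/etc/secureboot` as a bare string inherits whatever mode the bind mount ends up with; since it holds the signing keys, the attrset entry form impermanence accepts would pin it, e.g. `{ directory = "/etc/secureboot"; user = "root"; group = "root"; mode = "0700"; }`. The enclosing `let` block begins outside the hunk.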
@@ -14,7 +20,8 @@
       #"/var/lib/nixos"
       #"/var/lib/systemd/coredump"
     ]
-    ++ networkmanager;
+    ++ networkmanager
+    ++ secureboot;
 in {
   # needed for the hm impermanence config
   programs.fuse.userAllowOther = true;