author | Soispha <soispha@vhack.eu> | 2023-07-15 20:09:17 +0200 |
---|---|---|
committer | Soispha <soispha@vhack.eu> | 2023-07-15 20:09:55 +0200 |
commit | 59bc28565f102c0ce17d3cf513cdab058608b0dc (patch) | |
tree | 66623f11d41a435790612a4880d5ab05dc2e9716 /system | |
parent | Fix(system/disks/hibernate): Try to activate it (diff) | |
Feat(system/boot): Enable lanzaboote (and with it secure boot)
Diffstat (limited to '')
-rw-r--r-- | system/boot/default.nix | 21 | ||||
-rw-r--r-- | system/impermanence/default.nix | 9 |
2 files changed, 27 insertions, 3 deletions
diff --git a/system/boot/default.nix b/system/boot/default.nix
index 410bf143..9606c7b3 100644
--- a/system/boot/default.nix
+++ b/system/boot/default.nix
@@ -1,4 +1,8 @@
-{pkgs, ...}: {
+{
+ pkgs,
+ lib,
+ ...
+}: {
 boot = {
 initrd = {
 #compressor = "lz4";
@@ -7,14 +11,27 @@
 };
 kernelPackages = pkgs.linuxPackages_latest;
+
+ lanzaboote = {
+ enable = true;
+ pkiBundle = "/etc/secureboot";
+ };
+
 loader = {
+ # Lanzaboote currently replaces the systemd-boot module.
+ # This setting is usually set to true in configuration.nix
+ # generated at installation time. So we force it to false
+ # for now.
+ systemd-boot.enable = lib.mkForce false;
+
 grub = {
- enable = true;
+ enable = false;
 # theme = pkgs.nixos-grub2-theme;
 splashImage = ./boot_pictures/gnu.png;
 efiSupport = true;
 device = "nodev"; # only for efi
 };
+
 efi = {
 canTouchEfiVariables = true;
 efiSysMountPoint = "/boot";
diff --git a/system/impermanence/default.nix b/system/impermanence/default.nix
index 126e9e10..8e6d81fb 100644
--- a/system/impermanence/default.nix
+++ b/system/impermanence/default.nix
@@ -5,6 +5,12 @@
 "/etc/NetworkManager" # store the networkmanager configs
 ]
 else [];
+ secureboot =
+ if config.boot.lanzaboote.enable
+ then [
+ "/etc/secureboot"
+ ]
+ else [];
 directories = [
 "/etc/nixos"
@@ -14,7 +20,8 @@
 #"/var/lib/nixos"
 #"/var/lib/systemd/coredump"
 ]
- ++ networkmanager;
+ ++ networkmanager
+ ++ secureboot;
 in {
 # needed for the hm impermanence config
 programs.fuse.userAllowOther = true; |
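Review bot: In the second hunk of system/boot/default.nix `grub.enable` is flipped to false while `splashImage`, `efiSupport` and `device` stay set in the same attrset, so the block still reads as a live GRUB configuration even though those settings presumably no longer take effect; either drop them or mark the intent, e.g. `# GRUB disabled in favour of lanzaboote; settings kept only as a fallback.`. The new `lanzaboote` block also gives no hint that `/etc/secureboot` is the directory holding the Secure Boot signing keys, nor that it only survives a reboot because of the persistence rule added to system/impermanence/default.nix in this same commit — a comment such as `# Secure Boot key bundle lanzaboote signs with; persisted via system/impermanence.` would make that cross-file dependency explicit. Because the private signing keys live on disk under that path, it is worth confirming the directory is readable by root only; how it was created is not visible here. The first hunk is a plain argument-list change and needs nothing; the `loader` attrset of the second hunk continues past the end of the hunk.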
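Review bot: The new `secureboot` binding in system/impermanence/default.nix reads `config.boot.lanzaboote.enable`, but whether `config` is among this module's function arguments is not visible in the hunk (the header sits above it); if it is not, evaluation fails on an undefined variable, so that deserves a quick check. Persisting `/etc/secureboot` means the Secure Boot private keys now live permanently on the persistent volume, which is the point of the change but is undocumented next to the binding — a comment such as `# Secure Boot keys used by lanzaboote; they must outlive the wiped root.` would record it, and it is worth confirming the persisted copy keeps its root-only permissions, which the hunk cannot show. The following hunk appending `++ secureboot` mirrors the existing `++ networkmanager` pattern and needs no change. The enclosing `let` block starts above the hunk.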