nixos/fragments/secure-boot.nix at c63b85f01ffacad0c7d423e44d0aff45506607fa · wiro.world/dotfiles

wiro.world / dotfiles

yep, more dotfiles

dotfiles / nixos / fragments / secure-boot.nix

at c63b85f01ffacad0c7d423e44d0aff45506607fa 709 B view raw

 1{ self
 2, config
 3, lib
 4, upkgs
 5, ...
 6}:
 7
 8# https://github.com/nix-community/lanzaboote/blob/master/docs/QUICK_START.md
 9
10let
11  inherit (self.inputs) lanzaboote;
12
13  cfg = config.local.fragment.secure-boot;
14in
15{
16  imports = [
17    lanzaboote.nixosModules.lanzaboote
18  ];
19
20  options.local.fragment.secure-boot.enable = lib.mkEnableOption ''
21    Secure boot related
22  '';
23
24  config = lib.mkIf cfg.enable {
25    boot.loader.systemd-boot.enable = lib.mkForce false;
26
27    boot.lanzaboote = {
28      enable = true;
29      pkiBundle = "/var/lib/sbctl";
30    };
31
32    boot.initrd.systemd.enable = true;
33
34    environment.systemPackages = [
35      # For debugging and troubleshooting Secure Boot
36      upkgs.sbctl
37    ];
38  };
39}
40
41