authorsefidel <contact@sefidel.net>2024-08-05 00:29:51 +0900
committersefidel <contact@sefidel.net>2024-08-06 16:01:39 +0900
commit6b9185dcdb8e6a3a2142cf44158e47d39884440e (patch)
tree67f42e15f90de51a4ae877dd232cafa31013849d /nixos/alpha
parent8ceb49caa51301bb29fb3d545848319f1196901d (diff)
feat(nixos/alpha): enable secure boot
Diffstat (limited to 'nixos/alpha')
-rw-r--r--nixos/alpha/configuration.nix27
-rw-r--r--nixos/alpha/hardware-configuration.nix1
2 files changed, 10 insertions, 18 deletions
diff --git a/nixos/alpha/configuration.nix b/nixos/alpha/configuration.nix
index b3ceccc..0bf7683 100644
--- a/nixos/alpha/configuration.nix
+++ b/nixos/alpha/configuration.nix
@@ -33,24 +33,13 @@
boot.zfs.forceImportAll = false;
boot.zfs.allowHibernation = true; # NOTE: disable if using swap on ZFS
- # GRUB bootloader
- boot.loader.efi.canTouchEfiVariables = true;
- boot.loader.grub = {
- enable = true;
-
- efiSupport = true;
- configurationLimit = 10;
- device = "nodev";
- useOSProber = true;
- copyKernels = true;
- extraEntries = ''
- menuentry "Reboot" {
- reboot
- }
- menuentry "Shutdown" {
- halt
- }
- '';
+ boot.loader.systemd-boot = {
+ # Managed by lanzaboote
+ enable = false;
+ editor = false;
+ configurationLimit = 16;
+ bootCounting.enable = true;
+ bootCounting.tries = 3;
};
boot.initrd.postDeviceCommands = lib.mkAfter ''
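Review bot: With `boot.loader.systemd-boot.enable = false;` the `editor`, `configurationLimit` and `bootCounting` settings right below it only take effect if the lanzaboote module reads them back out of `boot.loader.systemd-boot`; nothing in this hunk shows that it does, and `editor = false` is the security-relevant one, since it controls whether the kernel command line can be edited from the boot menu, which matters once Secure Boot is the point of the change. The comment `# Managed by lanzaboote` should say which it is, e.g. `# Disabled: lanzaboote installs the signed systemd-boot. The options below are still consumed by lanzaboote (editor/configurationLimit/bootCounting) — verify against the module.` The hunk also drops `boot.loader.efi.canTouchEfiVariables = true;` without a replacement; unless the secure-boot module sets it, the loader may no longer be able to register itself in the firmware boot entries, so it is worth confirming where that setting now lives.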
@@ -117,6 +106,8 @@
services.openssh.settings.PasswordAuthentication = false;
modules = {
+ secure-boot.enable = true;
+
persistence = {
enable = true;
storagePath = "/persist";
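Review bot: `secure-boot.enable = true;` gives a reader of this host config no hint of what the module assumes about the machine (signing keys present, firmware in setup mode, keys enrolled), and the module definition is outside this diff. A one-line pointer would make the host file self-explanatory, e.g. `# Signs the bootloader/kernels via lanzaboote; see <path to the secure-boot module> for key location and enrollment prerequisites`.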
diff --git a/nixos/alpha/hardware-configuration.nix b/nixos/alpha/hardware-configuration.nix
index 5ec5d86..8c40065 100644
--- a/nixos/alpha/hardware-configuration.nix
+++ b/nixos/alpha/hardware-configuration.nix
@@ -21,6 +21,7 @@
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/12CE-A600";
fsType = "vfat";
+ options = [ "umask=0077" ];
};
fileSystems."/nix" =