diff options
| author | sefidel <contact@sefidel.net> | 2024-08-04 21:49:55 +0900 |
|---|---|---|
| committer | sefidel <contact@sefidel.net> | 2024-08-06 16:01:38 +0900 |
| commit | 9ac0d8cacdc5be26c56860527eb43b11e5f96b09 (patch) | |
| tree | 7ea2faa0e690689e60728a31069ade3f8e641ca5 | |
| parent | ef10438e3d76d9822dea18ff6380a43074588398 (diff) | |
| download | nixrc-9ac0d8cacdc5be26c56860527eb43b11e5f96b09.zip | |
feat(modules/secure-boot): init
| -rw-r--r-- | modules/secure-boot.nix | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/modules/secure-boot.nix b/modules/secure-boot.nix new file mode 100644 index 0000000..72f2d83 --- /dev/null +++ b/modules/secure-boot.nix @@ -0,0 +1,24 @@ +{ config, pkgs, lib, ... }: + +let + cfg = config.modules.secure-boot; +in +{ + options.modules.secure-boot = { + enable = lib.mkEnableOption "Secure boot with lanzaboote"; + }; + + config = lib.mkIf cfg.enable { + boot.lanzaboote.enable = true; + boot.lanzaboote.pkiBundle = "/etc/secureboot"; + + # Managed by lanzaboote + boot.loader.systemd-boot.enable = lib.mkForce false; + + modules.persistence.directories = [ + "/etc/secureboot" + ]; + + environment.systemPackages = [ pkgs.sbctl ]; + }; +} |