authorsefidel <contact@sefidel.net>2024-08-04 21:50:58 +0900
committersefidel <contact@sefidel.net>2024-08-06 16:01:38 +0900
commitb3689633c473544e1e6aee70111759bdee8d07e8 (patch)
treebb828a7421d8792fcbe7a3f741793c14c3675687
parent9ac0d8cacdc5be26c56860527eb43b11e5f96b09 (diff)
feat(nixos/haruka): enable secure boot
-rw-r--r--nixos/default.nix1
-rw-r--r--nixos/haruka/configuration.nix30
2 files changed, 10 insertions, 21 deletions
diff --git a/nixos/default.nix b/nixos/default.nix
index 599ba75..16e3cbf 100644
--- a/nixos/default.nix
+++ b/nixos/default.nix
@@ -15,6 +15,7 @@
     name = "haruka";
     nixpkgs = unstable;
     extraModules = [
+      inputs.lanzaboote.nixosModules.lanzaboote
       inputs.sops-nix.nixosModules.sops
       inputs.impermanence.nixosModules.impermanence
       inputs.attic.nixosModules.atticd
diff --git a/nixos/haruka/configuration.nix b/nixos/haruka/configuration.nix
index 534b781..7d1579b 100644
--- a/nixos/haruka/configuration.nix
+++ b/nixos/haruka/configuration.nix
@@ -36,27 +36,13 @@
   boot.zfs.forceImportAll = false;
   boot.zfs.allowHibernation = true; # NOTE: disable if using swap on ZFS
 
-  # GRUB bootloader
-  boot.loader.efi.canTouchEfiVariables = true;
-  boot.loader.grub = {
-    enable = true;
-
-    efiSupport = true;
-    configurationLimit = 10;
-    device = "nodev";
-    useOSProber = true;
-    copyKernels = true;
-    gfxmodeEfi = "1920x1200";
-    fontSize = 32;
-
-    extraEntries = ''
-      menuentry "Reboot" {
-        reboot
-      }
-      menuentry "Shutdown" {
-        halt
-      }
-    '';
+  boot.loader.systemd-boot = {
+    # Managed by lanzaboote
+    enable = false;
+    editor = false;
+    configurationLimit = 16;
+    bootCounting.enable = true;
+    bootCounting.tries = 3;
   };
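Review bot: The `editor`, `configurationLimit` and `bootCounting` settings at the end of the hunk are placed under a `boot.loader.systemd-boot` block that is explicitly disabled, so whether each one reaches the installed loader.conf depends on what the lanzaboote module chooses to read from `boot.loader.systemd-boot`, not on systemd-boot's own module. `editor = false` is the one that matters for Secure Boot — with the boot-menu editor available, anyone at the console can change the kernel command line (for example `init=/bin/sh`) and the signed-image check buys nothing — so it is worth confirming on the ESP that the generated `loader.conf` contains `editor no`, and the same for the boot-counting keys, which are newer than what lanzaboote's passthrough may cover. I would replace the comment with one that records what was verified, e.g. `# Managed by lanzaboote; editor/configurationLimit are presumably read from here by its module, bootCounting checked in /boot/loader/loader.conf`. The previous `boot.loader.efi.canTouchEfiVariables = true` is dropped without a replacement; if that is intentional, a one-line comment saying so would keep the next reader from re-adding it.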
 
   # Erase your darlings.
@@ -128,6 +114,8 @@
   services.openssh.settings.PasswordAuthentication = false;
 
   modules = {
+    secure-boot.enable = true;
+
     persistence = {
       enable = true;
       storagePath = "/persist";
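Review bot: `modules.secure-boot.enable = true` switches on a local module whose definition is outside this diff, so the signing key material the secure-boot chain depends on cannot be reviewed here; on a host that erases its root on every boot (the "Erase your darlings" section earlier in the file and `persistence.storagePath = "/persist"` just below) the PKI bundle lanzaboote signs with presumably lives under `/etc` on the ephemeral root by default and would vanish on reboot unless it is among the persisted paths, which would break signing of every later generation. If the keys are persisted, a comment next to this line naming their location would make that dependency explicit, e.g. `# Signing keys must survive reboots: kept under /persist (see persistence.directories)`. It is also worth stating whether the private key is kept readable only by root, since its confidentiality is what the whole chain rests on.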