-rw-r--r-- | modules/secure-boot.nix | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/modules/secure-boot.nix b/modules/secure-boot.nix
new file mode 100644
index 0000000..72f2d83
--- /dev/null
+++ b/modules/secure-boot.nix
@@ -0,0 +1,24 @@
+{ config, pkgs, lib, ... }:
+
+let
+ cfg = config.modules.secure-boot;
+in
+{
+ options.modules.secure-boot = {
+ enable = lib.mkEnableOption "Secure boot with lanzaboote";
+ };
+
+ config = lib.mkIf cfg.enable {
+ boot.lanzaboote.enable = true;
+ boot.lanzaboote.pkiBundle = "/etc/secureboot";
+
+ # Managed by lanzaboote
+ boot.loader.systemd-boot.enable = lib.mkForce false;
+
+ modules.persistence.directories = [
+ "/etc/secureboot"
+ ];
+
+ environment.systemPackages = [ pkgs.sbctl ];
+ };
+} |
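Review bot: The persisted `/etc/secureboot` directory is where the Secure Boot private signing keys (the PK/KEK/db material lanzaboote signs every boot entry with) live, yet the `modules.persistence.directories` entry carries no ownership or mode, so whether the restored directory is root-only depends entirely on that persistence module's defaults. If `modules.persistence` accepts the impermanence-style attrset form, pin it: `{ directory = "/etc/secureboot"; user = "root"; group = "root"; mode = "0700"; }`; if it only takes paths, at least add `# Private Secure Boot signing keys (PK/KEK/db): root-only, never copy or back up unencrypted` above the list so the next reader treats it as secret material rather than ordinary state. Separately, since `pkiBundle` is hard-coded to `/etc/secureboot`, it is worth confirming that this matches the key store the installed `sbctl` actually writes to — later sbctl releases are said to have moved their default location — because a mismatch means lanzaboote finds no keys and signing fails at activation. The directory also only survives a reboot if `modules.persistence` itself is enabled on the host; losing it would not weaken the chain but would leave the system unable to re-sign, so a comment stating that dependency would help.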