Diffstat (limited to 'nixos')
-rw-r--r--nixos/default.nix1
-rw-r--r--nixos/haruka/configuration.nix30
2 files changed, 10 insertions, 21 deletions
diff --git a/nixos/default.nix b/nixos/default.nix
index 599ba75..16e3cbf 100644
--- a/nixos/default.nix
+++ b/nixos/default.nix
@@ -15,6 +15,7 @@
name = "haruka";
nixpkgs = unstable;
extraModules = [
+ inputs.lanzaboote.nixosModules.lanzaboote
inputs.sops-nix.nixosModules.sops
inputs.impermanence.nixosModules.impermanence
inputs.attic.nixosModules.atticd
diff --git a/nixos/haruka/configuration.nix b/nixos/haruka/configuration.nix
index 534b781..7d1579b 100644
--- a/nixos/haruka/configuration.nix
+++ b/nixos/haruka/configuration.nix
@@ -36,27 +36,13 @@
boot.zfs.forceImportAll = false;
boot.zfs.allowHibernation = true; # NOTE: disable if using swap on ZFS
- # GRUB bootloader
- boot.loader.efi.canTouchEfiVariables = true;
- boot.loader.grub = {
- enable = true;
-
- efiSupport = true;
- configurationLimit = 10;
- device = "nodev";
- useOSProber = true;
- copyKernels = true;
- gfxmodeEfi = "1920x1200";
- fontSize = 32;
-
- extraEntries = ''
- menuentry "Reboot" {
- reboot
- }
- menuentry "Shutdown" {
- halt
- }
- '';
+ boot.loader.systemd-boot = {
+ # Managed by lanzaboote
+ enable = false;
+ editor = false;
+ configurationLimit = 16;
+ bootCounting.enable = true;
+ bootCounting.tries = 3;
};
# Erase your darlings.
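Review bot: The options set alongside `enable = false;` at L53–L57 are only meaningful if the lanzaboote module reads them back out of `boot.loader.systemd-boot` when it generates the loader configuration; with systemd-boot itself disabled, nothing in this hunk guarantees that `editor = false` reaches `loader.conf`. That matters for Secure Boot specifically: if the boot-menu editor stays enabled, anyone at the console can append `init=/bin/sh` or `rd.break` to the kernel command line and bypass the signed-boot chain entirely, so confirm on the installed system that `/boot/loader/loader.conf` contains `editor no` (and that the boot-counting options at L56–L57 are honoured at all, since they are recent and may not be wired through). The old `boot.loader.efi.canTouchEfiVariables = true;` at L31 was dropped without replacement in this hunk; if the lanzaboote install step is expected to register the EFI boot entry, it presumably needs that option re-enabled somewhere, so check it is set elsewhere or that the entry is registered manually. A comment such as `# systemd-boot is installed by lanzaboote; these options are read by its module — verify editor=no in loader.conf` would make the intent of keeping disabled-loader options clearer to the next reader.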
@@ -128,6 +114,8 @@
services.openssh.settings.PasswordAuthentication = false;
modules = {
+ secure-boot.enable = true;
+
persistence = {
enable = true;
storagePath = "/persist";
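Review bot: `modules.secure-boot.enable = true;` at L63 turns on lanzaboote on a host whose root is wiped at every boot (the `persistence` block right below it and the "Erase your darlings." comment above), but nothing in this hunk shows the Secure Boot PKI bundle being persisted. Lanzaboote signs each new kernel/initrd at `nixos-rebuild switch` using the key material referenced by its `pkiBundle` option (commonly `/var/lib/sbctl`); if that directory lives on the ephemeral root, the first reboot after enrolment destroys the private keys and later rebuilds cannot produce bootable, signed entries, and the keys would have to be regenerated and re-enrolled in firmware. The `secure-boot` module itself is defined outside this diff, so this is inferred rather than visible: confirm that it either adds the PKI directory to `persistence.directories` or points `pkiBundle` at a path under `/persist`, and consider an explicit `# PKI bundle must live under /persist — root is ephemeral` comment next to L63. The `modules` attribute set continues past the end of this hunk.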