From 9ac0d8cacdc5be26c56860527eb43b11e5f96b09 Mon Sep 17 00:00:00 2001
From: sefidel
Date: Sun, 4 Aug 2024 21:49:55 +0900
Subject: feat(modules/secure-boot): init

---
 modules/secure-boot.nix | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 modules/secure-boot.nix

diff --git a/modules/secure-boot.nix b/modules/secure-boot.nix
new file mode 100644
index 0000000..72f2d83
--- /dev/null
+++ b/modules/secure-boot.nix
@@ -0,0 +1,24 @@
+{ config, pkgs, lib, ... }:
+
+let
+ cfg = config.modules.secure-boot;
+in
+{
+ options.modules.secure-boot = {
+ enable = lib.mkEnableOption "Secure boot with lanzaboote";
+ };
+
+ config = lib.mkIf cfg.enable {
+ boot.lanzaboote.enable = true;
+ boot.lanzaboote.pkiBundle = "/etc/secureboot";
+
+ # Managed by lanzaboote
+ boot.loader.systemd-boot.enable = lib.mkForce false;
+
+ modules.persistence.directories = [
+ "/etc/secureboot"
+ ];
+
+ environment.systemPackages = [ pkgs.sbctl ];
+ };
+}
-- 
cgit 1.4.1
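Review bot: `boot.lanzaboote.pkiBundle = "/etc/secureboot"` names the directory that holds the Secure Boot private signing keys, and the same path is then persisted through `modules.persistence.directories` with nothing in the module noting the sensitivity or restricting access — anyone who can read that directory can sign a bootloader the firmware will trust, which defeats the whole scheme. The persisted copy should live on an encrypted volume and be root-only (0700); whether `modules.persistence.directories` accepts per-entry mode/ownership is outside this hunk, so confirm and set it there if it does. I would add above the pkiBundle line: `# Holds the PK/KEK/db private keys (sbctl create-keys); keep root-only and on an encrypted volume — anyone who can read them can sign boot components the firmware accepts.` The `# Managed by lanzaboote` comment on the systemd-boot line should say why the force is needed, e.g. `# lanzaboote replaces the systemd-boot module and installs its own signed bootloader; the stock unsigned installer cannot be enabled alongside it.` The `boot.lanzaboote.*` options come from the lanzaboote NixOS module, which this file does not import (presumably done elsewhere in the flake), and activation will presumably fail if the key bundle has not been created and enrolled before this option is switched on — worth a sentence in the option description or a header comment.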