add secure boot support

2025-11-11 15:51:22 -06:00
parent b84a2d7628
commit f7ece5059d
5 changed files with 192 additions and 7 deletions
--- a/modules/system/default.nix
+++ b/modules/system/default.nix
@@ -16,6 +16,7 @@
    ./syncthing
    ./graphics
    ./flatpak
+    ./secure_boot
  ];

  system.ssh.enable = lib.mkDefault true;
--- a/modules/system/secure_boot/default.nix
+++ b/modules/system/secure_boot/default.nix
@@ -0,0 +1,31 @@
+{
+  pkgs,
+  inputs,
+  config,
+  lib,
+  ...
+}: let
+  cfg = config.system.secure_boot;
+in {
+  options.system.secure_boot = {
+    enable = lib.mkEnableOption "enables secureboot with lanzaboote";
+  };
+
+  imports = [inputs.lanzaboote.nixosModules.lanzaboote];
+
+  config = lib.mkIf cfg.enable {
+
+    # install userspace secureboot tools
+    environment.systemPackages = with pkgs; [
+      sbctl
+    ];
+
+    # force disable systemd-boot so lanzaboote can be used
+    boot.loader.systemd-boot.enable = lib.mkForce false;
+
+    boot.lanzaboote = {
+      enable = true;
+      pkiBundle = "/var/lib/sbctl";
+    };
+  };
+}