44 lines
1.3 KiB
Nix
44 lines
1.3 KiB
Nix
{
|
|
pkgs,
|
|
inputs,
|
|
config,
|
|
lib,
|
|
...
|
|
}: let
|
|
cfg = config.system.secure_boot;
|
|
in {
|
|
options.system.secure_boot = {
|
|
enable = lib.mkEnableOption "enables secureboot with lanzaboote";
|
|
};
|
|
|
|
imports = [inputs.lanzaboote.nixosModules.lanzaboote];
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
# install userspace secureboot tools
|
|
environment.systemPackages = with pkgs; [
|
|
sbctl
|
|
e2fsprogs
|
|
];
|
|
|
|
# force disable systemd-boot so lanzaboote can be used
|
|
boot.loader.systemd-boot.enable = lib.mkForce false;
|
|
|
|
/*
|
|
this uses the project lanzaboote for secureboot (extension on systemd)
|
|
setup guide can be found here: https://github.com/nix-community/lanzaboote/blob/master/docs/QUICK_START.md
|
|
tldr:
|
|
while currently using systemd-boot
|
|
generate keys with `nix-shell -p --run "sudo sbctl create-keys"`
|
|
rebuild with this module enabled then check `sudo sbctl verify`
|
|
reboot and enable secureboot setup mode in bios
|
|
check that setup mode is enabled with `sudo sbctl status`
|
|
enroll keys with `sudo sbctl enroll-keys` use the `--microsoft` flag to incude their keys for compatibality
|
|
reboot (disable secureboot setup mode if not done automatically) then check secure boot status with `sudo bootctl status`
|
|
*/
|
|
boot.lanzaboote = {
|
|
enable = true;
|
|
pkiBundle = "/var/lib/sbctl";
|
|
};
|
|
};
|
|
}
|