Move some stuff to modules

2024-10-26 20:24:13 +02:00 · 2024-10-26 20:24:13 +02:00 · 08b0fbcd0c
commit 08b0fbcd0c
parent 61640c0580
30 changed files with 427 additions and 406 deletions
--- a/nixos/lanzaboote.nix
+++ b/nixos/lanzaboote.nix
@ -0,0 +1,36 @@
+{ config, lib, inputs, ... }: {
+  imports = [
+    inputs.lanzaboote.nixosModules.lanzaboote
+  ];
+
+  options = {
+    pim.lanzaboote.enable = lib.mkEnableOption {
+      description = ''
+        Whether to enable lanzaboote
+      '';
+    };
+  };
+
+  config = lib.mkIf config.pim.lanzaboote.enable {
+    boot = {
+      # generate keys first with: `sudo nix run nixpkgs#sbctl create-keys`
+      # switch from lzb to bootspec by adding following line to the system configuration:
+      # bootspec.enable = true;
+
+      loader = {
+        systemd-boot.enable = lib.mkForce false;
+        # Use lanzaboote instead see below, default is:
+        # systemd-boot.enable = true;
+
+        efi = {
+          canTouchEfiVariables = true;
+        };
+      };
+
+      lanzaboote = {
+        enable = true;
+        pkiBundle = "/etc/secureboot";
+      };
+    };
+  };
+}