Add x201 configuration

Create module for lanzaboote
2024-05-26 17:12:52 +02:00 · 2024-05-26 17:12:52 +02:00 · 955f9e3a07
commit 955f9e3a07
parent e069bd25a2
4 changed files with 134 additions and 20 deletions
--- a/modules/nixos/lanzaboote.nix
+++ b/modules/nixos/lanzaboote.nix
@ -0,0 +1,36 @@
+{ config, lib, inputs, ... }: {
+  imports = [
+    inputs.lanzaboote.nixosModules.lanzaboote
+  ];
+
+  options = {
+    pim.lanzaboote.enable = lib.mkEnableOption {
+      description = ''
+        Whether to enable lanzaboote
+      '';
+    };
+  };
+
+  config = lib.mkIf config.pim.lanzaboote.enable {
+    boot = {
+      # generate keys first with: `sudo nix run nixpkgs#sbctl create-keys`
+      # switch from lzb to bootspec by adding following line to the system configuration:
+      # bootspec.enable = true;
+
+      loader = {
+        systemd-boot.enable = lib.mkForce false;
+        # Use lanzaboote instead see below, default is:
+        # systemd-boot.enable = true;
+
+        efi = {
+          canTouchEfiVariables = true;
+        };
+      };
+
+      lanzaboote = {
+        enable = true;
+        pkiBundle = "/etc/secureboot";
+      };
+    };
+  };
+}