nixos-laptop/modules/nixos/lanzaboote.nix

{ config, lib, inputs, ... }: {
  imports = [
    inputs.lanzaboote.nixosModules.lanzaboote
  ];

  options = {
    pim.lanzaboote.enable = lib.mkEnableOption {
      description = ''
        Whether to enable lanzaboote
      '';
    };
  };

  config = lib.mkIf config.pim.lanzaboote.enable {
    boot = {
      # generate keys first with: `sudo nix run nixpkgs#sbctl create-keys`
      # switch from lzb to bootspec by adding following line to the system configuration:
      # bootspec.enable = true;

      loader = {
        systemd-boot.enable = lib.mkForce false;
        # Use lanzaboote instead see below, default is:
        # systemd-boot.enable = true;

        efi = {
          canTouchEfiVariables = true;
        };
      };

      lanzaboote = {
        enable = true;
        pkiBundle = "/etc/secureboot";
      };
    };
  };
}
Add x201 configuration Create module for lanzaboote 2024-05-26 15:12:52 +00:00			`{ config, lib, inputs, ... }: {`
			`imports = [`
			`inputs.lanzaboote.nixosModules.lanzaboote`
			`];`

			`options = {`
			`pim.lanzaboote.enable = lib.mkEnableOption {`
			`description = ''`
			`Whether to enable lanzaboote`
			`'';`
			`};`
			`};`

			`config = lib.mkIf config.pim.lanzaboote.enable {`
			`boot = {`
			# generate keys first with: `sudo nix run nixpkgs#sbctl create-keys`
			`# switch from lzb to bootspec by adding following line to the system configuration:`
			`# bootspec.enable = true;`

			`loader = {`
			`systemd-boot.enable = lib.mkForce false;`
			`# Use lanzaboote instead see below, default is:`
			`# systemd-boot.enable = true;`

			`efi = {`
			`canTouchEfiVariables = true;`
			`};`
			`};`

			`lanzaboote = {`
			`enable = true;`
			`pkiBundle = "/etc/secureboot";`
			`};`
			`};`
			`};`
			`}`