nixos-laptop/nixos/lanzaboote.nix

36 lines
849 B
Nix

{ config, lib, inputs, ... }: {
imports = [
inputs.lanzaboote.nixosModules.lanzaboote
];
options = {
pim.lanzaboote.enable = lib.mkEnableOption {
description = ''
Whether to enable lanzaboote
'';
};
};
config = lib.mkIf config.pim.lanzaboote.enable {
boot = {
# generate keys first with: `sudo nix run nixpkgs#sbctl create-keys`
# switch from lzb to bootspec by adding following line to the system configuration:
# bootspec.enable = true;
loader = {
systemd-boot.enable = lib.mkForce false;
# Use lanzaboote instead see below, default is:
# systemd-boot.enable = true;
efi = {
canTouchEfiVariables = true;
};
};
lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
};
};
};
}