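{
  config,
  lib,
  inputs,
  ...
}: {
  # NixOS module that wraps lanzaboote (UEFI Secure Boot signing of the boot
  # chain) behind a single `pim.lanzaboote.enable` switch.
  imports = [
    inputs.lanzaboote.nixosModules.lanzaboote
  ];

  options = {
    # `lib.mkEnableOption` takes the feature name as a *string* and builds the
    # "Whether to enable <name>." description itself. The previous attribute-set
    # argument is interpolated into that string and fails evaluation
    # ("cannot coerce a set to a string").
    pim.lanzaboote.enable = lib.mkEnableOption "lanzaboote";
  };

  config = lib.mkIf config.pim.lanzaboote.enable {
    boot = {
      # generate keys first with: `sudo nix run nixpkgs#sbctl create-keys`
      # The bundle under `pkiBundle` holds the Secure Boot signing keys (PK/KEK/db):
      # keep the directory root-only and never copy it into the world-readable
      # Nix store; anyone holding these keys can sign arbitrary boot images.
      #
      # switch from lzb to bootspec by adding following line to the system configuration:
      # bootspec.enable = true;

      loader = {
        # lanzaboote installs its own signed loader, so the stock unsigned
        # systemd-boot must be forced off (the lanzaboote module expects this).
        # Default would be:
        # systemd-boot.enable = true;
        systemd-boot.enable = lib.mkForce false;

        efi = {
          # Needed so the signed loader can be registered as an EFI boot entry.
          canTouchEfiVariables = true;
        };
      };

      lanzaboote = {
        enable = true;
        # Directory written by `sbctl create-keys`. NOTE(review): newer sbctl
        # releases default to a different path; confirm against the installed
        # version that the keys actually live here.
        pkiBundle = "/etc/secureboot";
      };
    };
  };
}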