Feat(system/boot): Enable lanzaboote (and with it secure boot)

author: Soispha <soispha@vhack.eu> 2023-07-15 20:09:17 +0200
committer: Soispha <soispha@vhack.eu> 2023-07-15 20:09:55 +0200
commit: 59bc28565f102c0ce17d3cf513cdab058608b0dc (patch)
tree: 66623f11d41a435790612a4880d5ab05dc2e9716 /system/boot
parent: Fix(system/disks/hibernate): Try to activate it (diff)
download: nixos-config-59bc28565f102c0ce17d3cf513cdab058608b0dc.zip
1 files changed, 19 insertions, 2 deletions
diff --git a/system/boot/default.nix b/system/boot/default.nix
index 410bf143..9606c7b3 100644
--- a/system/boot/default.nix
+++ b/system/boot/default.nix
@@ -1,4 +1,8 @@
-{pkgs, ...}: {
+{
+  pkgs,
+  lib,
+  ...
+}: {
   boot = {
     initrd = {
       #compressor = "lz4";
@@ -7,14 +11,27 @@
     };
 
     kernelPackages = pkgs.linuxPackages_latest;
+
+    lanzaboote = {
+      enable = true;
+      pkiBundle = "/etc/secureboot";
+    };
+
     loader = {
+      # Lanzaboote currently replaces the systemd-boot module.
+      # This setting is usually set to true in configuration.nix
+      # generated at installation time. So we force it to false
+      # for now.
+      systemd-boot.enable = lib.mkForce false;
+
       grub = {
-        enable = true;
+        enable = false;
         # theme = pkgs.nixos-grub2-theme;
         splashImage = ./boot_pictures/gnu.png;
         efiSupport = true;
         device = "nodev"; # only for efi
       };
+
       efi = {
         canTouchEfiVariables = true;
         efiSysMountPoint = "/boot";
author	Soispha <soispha@vhack.eu>	2023-07-15 20:09:17 +0200
committer	Soispha <soispha@vhack.eu>	2023-07-15 20:09:55 +0200
commit	59bc28565f102c0ce17d3cf513cdab058608b0dc (patch)
tree	66623f11d41a435790612a4880d5ab05dc2e9716 /system/boot
parent	Fix(system/disks/hibernate): Try to activate it (diff)
download	nixos-config-59bc28565f102c0ce17d3cf513cdab058608b0dc.zip