authorSoispha <soispha@vhack.eu>2023-07-15 20:09:17 +0200
committerSoispha <soispha@vhack.eu>2023-07-15 20:09:55 +0200
commit59bc28565f102c0ce17d3cf513cdab058608b0dc (patch)
tree66623f11d41a435790612a4880d5ab05dc2e9716 /system
parentFix(system/disks/hibernate): Try to activate it (diff)
downloadnixos-config-59bc28565f102c0ce17d3cf513cdab058608b0dc.zip
Feat(system/boot): Enable lanzaboote (and with it secure boot)
Diffstat (limited to '')
-rw-r--r--system/boot/default.nix21
-rw-r--r--system/impermanence/default.nix9
2 files changed, 27 insertions, 3 deletions
diff --git a/system/boot/default.nix b/system/boot/default.nix
index 410bf143..9606c7b3 100644
--- a/system/boot/default.nix
+++ b/system/boot/default.nix
@@ -1,4 +1,8 @@
-{pkgs, ...}: {
+{
+ pkgs,
+ lib,
+ ...
+}: {
boot = {
initrd = {
#compressor = "lz4";
@@ -7,14 +11,27 @@
};
kernelPackages = pkgs.linuxPackages_latest;
+
+ lanzaboote = {
+ enable = true;
+ pkiBundle = "/etc/secureboot";
+ };
+
loader = {
+ # Lanzaboote currently replaces the systemd-boot module.
+ # This setting is usually set to true in configuration.nix
+ # generated at installation time. So we force it to false
+ # for now.
+ systemd-boot.enable = lib.mkForce false;
+
grub = {
- enable = true;
+ enable = false;
# theme = pkgs.nixos-grub2-theme;
splashImage = ./boot_pictures/gnu.png;
efiSupport = true;
device = "nodev"; # only for efi
};
+
efi = {
canTouchEfiVariables = true;
efiSysMountPoint = "/boot";
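Review bot: `pkiBundle = "/etc/secureboot";` points the build at the Secure Boot signing keys, and nothing in this hunk creates them or documents that they must already exist before the first rebuild; the private keys in that directory sign every boot entry, so their file permissions decide who on the host can produce firmware-trusted images. Enabling lanzaboote also only signs the boot stubs; the firmware does not enforce Secure Boot until the keys from that bundle are enrolled, which the commit title ("and with it secure boot") glosses over. A comment above the block would help, e.g. `# Keys live in /etc/secureboot (created with sbctl create-keys); Secure Boot is enforced only after they are enrolled in the firmware.` The `grub` block is now dead configuration with `enable = false;`, and leaving `efiSupport`, `device` and `splashImage` behind suggests it still matters.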
diff --git a/system/impermanence/default.nix b/system/impermanence/default.nix
index 126e9e10..8e6d81fb 100644
--- a/system/impermanence/default.nix
+++ b/system/impermanence/default.nix
@@ -5,6 +5,12 @@
"/etc/NetworkManager" # store the networkmanager configs
]
else [];
+ secureboot =
+ if config.boot.lanzaboote.enable
+ then [
+ "/etc/secureboot"
+ ]
+ else [];
directories =
[
"/etc/nixos"
@@ -14,7 +20,8 @@
#"/var/lib/nixos"
#"/var/lib/systemd/coredump"
]
- ++ networkmanager;
+ ++ networkmanager
+ ++ secureboot;
in {
# needed for the hm impermanence config
programs.fuse.userAllowOther = true;