nixdots/system/shared/boot/secure-boot.nix

{
  config,
  pkgs,
  lib,
  ...
}: let
  inherit (lib) mkIf;

  cfg = config.myOptions.system.boot.secure-boot;
in {
  config = mkIf cfg.enable {
    # Secure Boot Key Manager
    environment.systemPackages = [pkgs.sbctl];

    # Persist the secure boot keys (for impermanence)
    myOptions.system.impermanence.root.extraDirectories = [
      "/etc/secureboot"
    ];

    # Lanzaboote replaces systemd-boot
    boot.loader.systemd-boot.enable = lib.mkForce false;

    boot.lanzaboote = {
      enable = true;
      pkiBundle = "/etc/secureboot";
    };
  };
}
Run alejandra 2024-07-26 23:07:07 +00:00			`{`
			`config,`
			`pkgs,`
			`lib,`
			`...`
			`}: let`
Add secure-boot 2024-04-12 16:25:26 +00:00			`inherit (lib) mkIf;`

Update boot options 2024-04-12 18:57:52 +00:00			`cfg = config.myOptions.system.boot.secure-boot;`
Add secure-boot 2024-04-12 16:25:26 +00:00			`in {`
Update boot options 2024-04-12 18:57:52 +00:00			`config = mkIf cfg.enable {`
Add secure-boot 2024-04-12 16:25:26 +00:00			`# Secure Boot Key Manager`
Run alejandra 2024-07-26 23:07:07 +00:00			`environment.systemPackages = [pkgs.sbctl];`
Add secure-boot 2024-04-12 16:25:26 +00:00
			`# Persist the secure boot keys (for impermanence)`
			`myOptions.system.impermanence.root.extraDirectories = [`
			`"/etc/secureboot"`
			`];`

			`# Lanzaboote replaces systemd-boot`
			`boot.loader.systemd-boot.enable = lib.mkForce false;`

			`boot.lanzaboote = {`
			`enable = true;`
			`pkiBundle = "/etc/secureboot";`
			`};`
			`};`
			`}`