Add secure-boot

2025-06-29 18:10:41 +00:00 · 2024-04-12 18:25:26 +02:00 · 2024-04-12 18:25:26 +02:00 · cb968bdc07
commit cb968bdc07
parent fa6f2b49db
12 changed files with 459 additions and 1 deletions
--- a/system/boot/default.nix
+++ b/system/boot/default.nix
@ -1,5 +1,6 @@
 _: {
  imports = [
    ./systemd-boot.nix
+    ./secure-boot.nix
  ];
 }
--- a/system/boot/secure-boot.nix
+++ b/system/boot/secure-boot.nix
@ -0,0 +1,23 @@
+{ config, pkgs, lib, ... }: let
+  inherit (lib) mkIf;
+
+  cfg = config.myOptions.system.secure-boot;
+in {
+  config = mkIf cfg.enabled {
+    # Secure Boot Key Manager
+    environment.systemPackages = [ pkgs.sbctl ];
+
+    # Persist the secure boot keys (for impermanence)
+    myOptions.system.impermanence.root.extraDirectories = [
+      "/etc/secureboot"
+    ];
+
+    # Lanzaboote replaces systemd-boot
+    boot.loader.systemd-boot.enable = lib.mkForce false;
+
+    boot.lanzaboote = {
+      enable = true;
+      pkiBundle = "/etc/secureboot";
+    };
+  };
+}