Diffstat (limited to 'sys/boot/secure-boot.nix')
| -rw-r--r-- | sys/boot/secure-boot.nix | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/sys/boot/secure-boot.nix b/sys/boot/secure-boot.nix
new file mode 100644
index 0000000..b13ab7c
--- /dev/null
+++ b/sys/boot/secure-boot.nix
@@ -0,0 +1,51 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ cfg = config.local.boot.secureBoot;
+
+ pkiBundle =
+ if cfg.legacyPath
+ then "/etc/secureboot"
+ else "/var/lib/sbctl";
+in {
+ options.local.boot.secureBoot = {
+ enable = mkEnableOption "secure boot";
+
+ legacyPath = mkOption {
+ type = types.bool;
+ default = false;
+ };
+ };
+
+ config = mkIf cfg.enable {
+ assertions = [
+ {
+ assertion = config.local.boot.efi.enable;
+ message = "secure boot requires EFI";
+ }
+ {
+ assertion = config.local.boot.loader == "systemd-boot";
+ message = "lanzaboote requires systemd-boot";
+ }
+ ];
+
+ boot = {
+ loader.systemd-boot.enable = mkForce false;
+
+ lanzaboote = {
+ enable = true;
+ inherit pkiBundle;
+ };
+ };
+
+ environment.systemPackages = [
+ pkgs.sbctl
+ ];
+
+ local.boot.impermanence.directories = [pkiBundle];
+ };
+} |
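Review bot: The `legacyPath` option is declared without a `description`, so the only way to learn that it switches the PKI bundle between `/etc/secureboot` and `/var/lib/sbctl` is to read the `let` binding above it; add `description = "Read the Secure Boot PKI bundle from /etc/secureboot (older sbctl layout) instead of /var/lib/sbctl.";` inside the `mkOption`. Because `pkiBundle` is also what gets persisted through `local.boot.impermanence.directories`, it is worth a one-line comment at the `pkiBundle` binding saying that this directory holds the Secure Boot signing keys lanzaboote uses and must survive reboots, which is why it is listed there. The two `assertions` read well, but the second message names lanzaboote while the first says "secure boot"; using one wording (`"secure boot (lanzaboote) requires ..."`) keeps failures easier to grep.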
