feat: deploy secure boot on bootstrap

2025-12-06 09:07:21 +01:00 · 2024-12-28 03:06:45 +01:00 · 2024-12-28 03:06:45 +01:00 · 06b5b95a8a
commit 06b5b95a8a
parent 9271805c26
8 changed files with 87 additions and 26 deletions
--- a/hosts/nixos/nbl-imba-2/default.nix
+++ b/hosts/nixos/nbl-imba-2/default.nix
@ -45,7 +45,8 @@ in
    loader.efi.canTouchEfiVariables = true;
    lanzaboote = {
      enable = true;
-      pkiBundle = "/etc/secureboot";
+      # pkiBundle = "/etc/secureboot";
+      pkiBundle = "/var/lib/sbctl";
    };
    supportedFilesystems = [ "btrfs" ];
    kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
--- a/hosts/nixos/toto/default.nix
+++ b/hosts/nixos/toto/default.nix
@ -14,6 +14,7 @@ in

    inputs.sops-nix.nixosModules.sops
    inputs.impermanence.nixosModules.impermanence
+    inputs.lanzaboote.nixosModules.lanzaboote

    "${profilesPath}/optional/nixos/autologin.nix"
    "${profilesPath}/common/nixos/settings.nix"
@ -53,15 +54,21 @@ in
    sops
    vim
    just
+    sbctl
  ];

  system.stateVersion = lib.mkForce "23.05";

  boot = {
-    loader.systemd-boot.enable = lib.mkForce true;
    loader.efi.canTouchEfiVariables = true;
    supportedFilesystems = [ "btrfs" ];
    kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
+    loader.systemd-boot.enable = lib.swarselsystems.mkIfElse (config.swarselsystems.initialSetup || !config.swarselsystems.isSecureBoot) (lib.mkForce true) (lib.mkForce false);
+    lanzaboote = lib.mkIf (!config.swarselsystems.initialSetup && config.swarselsystems.isSecureBoot) {
+      enable = true;
+      pkiBundle = "/var/lib/sbctl";
+      # enrollKeys = true;
+    };
  };


@ -75,10 +82,10 @@ in
      wallpaper = self + /wallpaper/lenovowp.png;
      isImpermanence = true;
      isCrypted = true;
-      initialSetup = true;
+      isSecureBoot = true;
      isSwap = true;
      swapSize = "8G";
-      rootDisk = "/dev/vda";
+      rootDisk = "/dev/nvme0n1";
    }
    sharedOptions;