swarsel/.dotfiles
1
0
Fork 0
mirror of https://github.com/Swarsel/.dotfiles.git synced 2025-12-06 09:07:21 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat: introduce lanzaboote profile

Browse source
This commit is contained in:
Swarsel 2024-12-28 13:13:53 +01:00
parent 71a9020d17
commit c011c9bfdd
Signed by: swarsel
GPG key ID: 26A54C31F2A4FD84
6 changed files with 65 additions and 58 deletions
Download patch file Download diff file Expand all files Collapse all files

8
hosts/nixos/nbl-imba-2/default.nix
View file

@ -41,13 +41,6 @@ in
networking.networkmanager.wifi.scanRandMacAddress = false;
boot = {
loader.systemd-boot.enable = lib.mkForce false;
loader.efi.canTouchEfiVariables = true;
lanzaboote = {
enable = true;
# pkiBundle = "/etc/secureboot";
pkiBundle = "/var/lib/sbctl";
};
supportedFilesystems = [ "btrfs" ];
kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
kernelParams = [
@ -88,6 +81,7 @@ in
hasBluetooth = true;
hasFingerprint = true;
isImpermanence = false;
isSecureBoot = true;
isCrypted = true;
}
sharedOptions;

8
hosts/nixos/toto/default.nix
View file

@ -22,6 +22,7 @@ in
"${profilesPath}/common/nixos/xserver.nix"
"${profilesPath}/common/nixos/users.nix"
"${profilesPath}/common/nixos/impermanence.nix"
"${profilesPath}/common/nixos/lanzaboote.nix"
"${profilesPath}/common/nixos/sops.nix"
"${profilesPath}/server/nixos/ssh.nix"
@ -60,15 +61,8 @@ in
system.stateVersion = lib.mkForce "23.05";
boot = {
loader.efi.canTouchEfiVariables = true;
supportedFilesystems = [ "btrfs" ];
kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
loader.systemd-boot.enable = lib.swarselsystems.mkIfElse (config.swarselsystems.initialSetup || !config.swarselsystems.isSecureBoot) (lib.mkForce true) (lib.mkForce false);
lanzaboote = lib.mkIf (!config.swarselsystems.initialSetup && config.swarselsystems.isSecureBoot) {
enable = true;
pkiBundle = "/var/lib/sbctl";
# enrollKeys = true;
};
};