diff --git a/nixos-configurations/ochsenchopf/filesystems.nix b/nixos-configurations/ochsenchopf/filesystems.nix
index 7eff1f8..2d1db85 100644
--- a/nixos-configurations/ochsenchopf/filesystems.nix
+++ b/nixos-configurations/ochsenchopf/filesystems.nix
@@ -35,7 +35,6 @@
   boot.loader.systemd-boot.enable = lib.mkForce false;
   boot.loader.efi.canTouchEfiVariables = true;
-  boot.initrd.systemd.enable = true;
   boot.lanzaboote = {
     enable = true;
     pkiBundle = "/etc/secureboot";
diff --git a/nixos-configurations/speer/filesystems.nix b/nixos-configurations/speer/filesystems.nix
index d6db5af..881d1fd 100644
--- a/nixos-configurations/speer/filesystems.nix
+++ b/nixos-configurations/speer/filesystems.nix
@@ -17,6 +17,4 @@
   services.fwupd.daemonSettings.EspLocation = pkgs.lib.mkForce config.disko.devices.disk.system-1.content.partitions.boot.content.mountpoint;
   # Use the systemd-boot EFI boot loader.
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
 }
diff --git a/nixos-modules/base-system/default.nix b/nixos-modules/base-system/default.nix
index 93137bb..d0670c2 100644
--- a/nixos-modules/base-system/default.nix
+++ b/nixos-modules/base-system/default.nix
@@ -1,4 +1,29 @@
-{ inputs, ... }:
+{
+  inputs,
+  pkgs,
+  lib,
+  ...
+}:
 {
   imports = [ inputs.lanzaboote.nixosModules.lanzaboote ];
+
+  environment.systemPackages = [
+    # For debugging and troubleshooting Secure Boot.
+    pkgs.sbctl
+  ];
+
+
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.initrd.systemd.enable = true;
+
+  # Lanzaboote currently replaces the systemd-boot module.
+  # This setting is usually set to true in configuration.nix
+  # generated at installation time. So we force it to false
+  # for now.
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+
+  boot.lanzaboote = {
+    enable = true;
+    pkiBundle = "/var/lib/sbctl";
+  };
 }
diff --git a/nixos-modules/base/applications.nix b/nixos-modules/base/applications.nix
index ca2cff7..a179a32 100644
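Review bot: The context lines of the ochsenchopf hunk still set `pkiBundle = "/etc/secureboot";`, while this same commit sets `pkiBundle = "/var/lib/sbctl";` as a plain definition in nixos-modules/base-system/default.nix; if ochsenchopf imports base-system, two unequal plain definitions of one option will most likely make evaluation fail with a conflicting-definition error, and even if it does not, this host's signing keys now live in a different place than every other host's. Either migrate the keys to /var/lib/sbctl and drop the whole `boot.lanzaboote` block from this file, or make the host-specific path win explicitly with `pkiBundle = lib.mkForce "/etc/secureboot";`. The remaining `boot.loader.systemd-boot.enable = lib.mkForce false;` and `enable = true;` merge cleanly because their values equal the base-system ones, but they are now dead weight here. The enclosing attribute set starts and ends outside the hunk.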
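Review bot: The context comment `# Use the systemd-boot EFI boot loader.` in the speer hunk is now stale: the two lines it described are removed, and the base-system module edited in this commit forces systemd-boot off in favour of Lanzaboote. Replace it with something like `# Boot loader (Lanzaboote / Secure Boot) is configured in nixos-modules/base-system.` or delete it. Note also that speer previously booted plain systemd-boot, so before the next `nixos-rebuild switch` the keys Lanzaboote expects under /var/lib/sbctl must exist and be enrolled on this host (the new setup.md points at the procedure); otherwise I would expect the bootloader-installation step of the switch to fail. The enclosing attribute set starts outside the hunk.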
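Review bot: `enable = true;` and `pkiBundle = "/var/lib/sbctl";` in the new base-system body are plain definitions, so every host that imports this module is switched to Secure Boot with no way to opt out or use a different key directory short of `lib.mkForce`. Since the module already takes `lib`, `enable = lib.mkDefault true;` and `pkiBundle = lib.mkDefault "/var/lib/sbctl";` keep the same default for all hosts while letting a host-level file override it (a host whose keys are not yet created and enrolled, or whose keys live elsewhere). The comment block above `boot.loader.systemd-boot.enable` could also state what the reader of this module needs to know about the key directory: `# pkiBundle holds the private db/KEK/PK keys used to sign every generation at switch time; treat it as root-only secret material.` Minor: the two consecutive blank lines after `];` would be collapsed by nixfmt-rfc-style, which the package list in applications.nix suggests the repo uses.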
--- a/nixos-modules/base/applications.nix
+++ b/nixos-modules/base/applications.nix
@@ -26,7 +26,6 @@
     pwgen
     powertop
     lm_sensors
-    sbctl
   ]
   ++ [
     nixfmt-rfc-style
diff --git a/setup.md b/setup.md
new file mode 100644
index 0000000..2ccb990
--- /dev/null
+++ b/setup.md
@@ -0,0 +1,4 @@
+# Setup
+
+
+See https://github.com/nix-community/lanzaboote/blob/master/docs/QUICK_START.md for instructions on how to enroll lanzaboote secure boot.