From 3b5c369c7642fa7a65fe60f18cea3f5b893500b2 Mon Sep 17 00:00:00 2001
From: Crony Akatsuki
Date: Sun, 18 Jan 2026 11:32:53 +0100
Subject: [PATCH] feat: setup secure boot with lazanboote.
---
 flake.nix | 9 +++++++++
 hosts/skadi/configuration.nix | 16 ++++++++++++++--
 2 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/flake.nix b/flake.nix
index b45458e..b987beb 100644
--- a/flake.nix
+++ b/flake.nix
@@ -140,6 +140,12 @@
 # Some gaming related stuff ( actual osu! )
 nix-gaming.url = "github:cronyakatsuki/nix-gaming";
+
+ # Secure boot with nixos
+ lanzaboote = {
+ url = "github:nix-community/lanzaboote/v1.0.0";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
 outputs = {
@@ -154,6 +160,7 @@
 agenix,
 nix-flatpak,
 chaotic,
+ lanzaboote,
 ...
 } @ inputs: let
 hostsData = import ./hosts.nix;
@@ -363,6 +370,8 @@
 nix-flatpak.nixosModules.nix-flatpak
 # Use chaotic for some packages
 chaotic.nixosModules.default
+ # Setup secure boot
+ lanzaboote.nixosModules.lanzaboote
 # Setup home manager for my user
 home-manager.nixosModules.home-manager
 {
diff --git a/hosts/skadi/configuration.nix b/hosts/skadi/configuration.nix
index 47384ec..f74e70d 100644
--- a/hosts/skadi/configuration.nix
+++ b/hosts/skadi/configuration.nix
@@ -2,6 +2,7 @@
 inputs,
 config,
 pkgs,
+ lib,
 ...
 }: {
 imports = [
@@ -11,9 +12,20 @@
 inputs.home-manager.nixosModules.home-manager
 ];
+ # For tpm unlock
+ boot.initrd.systemd.enable = true;
+
+ # To explicitly disable systemd-boot, lanzaboote takes care of that.
+ boot.loader.systemd-boot.enable = lib.mkForce false;
+
 # Bootloader.
- boot.loader.systemd-boot.enable = true;
- boot.loader.efi.canTouchEfiVariables = true;
+ boot.lanzaboote = {
+ enable = true;
+ pkiBundle = "/var/lib/sbctl";
+ autoEnrollKeys = {
+ enable = true;
+ };
+ };
 # Enable aarch64 emulation
 boot.binfmt.emulatedSystems = ["aarch64-linux"];
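Review bot: The `autoEnrollKeys` block in the `boot.lanzaboote` attrset will write the sbctl keys into the firmware's PK/KEK/db on the first switch, but nothing in the hunk shows whether the vendor certificates (the Microsoft UEFI CA that signs many GPU and NIC option ROMs) are enrolled alongside them; enrolling only your own keys can leave such hardware unable to initialise, so confirm the option's default for vendor certs before relying on it and record the decision, e.g. `# autoEnrollKeys: vendor/Microsoft certs must also be enrolled or option ROMs will be rejected — verified on skadi`. The removal of `boot.loader.efi.canTouchEfiVariables = true;` is not explained by the adjacent comment, which only covers `systemd-boot.enable`; if lanzaboote's install step passes this setting through to `bootctl`, no firmware boot entry will be written for the new loader, so either keep the line or add a comment stating why it is no longer needed. The `# For tpm unlock` comment claims more than the hunk configures: no TPM2 or LUKS enrollment settings are visible, so expand it to `# systemd initrd is a prerequisite for systemd-cryptenroll TPM2 unlock; PCR policy and PIN are enrolled out of band` or drop the claim. Note also that `pkiBundle = "/var/lib/sbctl"` keeps the Secure Boot signing key on the root filesystem, so anyone who gains root can sign arbitrary boot images — worth a one-line comment so the trust boundary is explicit.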