feat(lanzaboote): allow secureboot

johnae · johnae · commit e5c2b9cd217f · 2025-01-15T22:49:45.000+01:00
diff --git a/flake.nix b/flake.nix
@@ -72,6 +72,8 @@
     juicefs-csi-driver.url = "https://raw.githubusercontent.com/juicedata/juicefs-csi-driver/v0.25.2/deploy/k8s.yaml"; # gh-release-update
     kured.flake = false;
     kured.url = "github:kubereboot/kured";
+    # lanzaboote.url = "github:nix-community/lanzaboote/v0.4.1";
+    # lanzaboote.inputs.nixpkgs.follows = "nixpkgs";
     mac-app-util.url = "github:hraban/mac-app-util";
     microvm.url = "github:astro/microvm.nix";
     microvm.inputs.flake-utils.follows = "flake-utils";
diff --git a/flake/hosts.nix b/flake/hosts.nix
@@ -81,6 +81,7 @@
     inputs.home-manager.nixosModules.home-manager
     inputs.impermanence.nixosModules.impermanence
     inputs.microvm.nixosModules.host
+    inputs.lanzaboote.nixosModules.lanzaboote
     inputs.nixpkgs.nixosModules.notDetected
     ../modules/default.nix
   ];
diff --git a/profiles/secureboot.nix b/profiles/secureboot.nix
@@ -0,0 +1,25 @@
+{
+  lib,
+  pkgs,
+  ...
+}: {
+  environment.persistence."/keep".directories = [
+    "/var/lib/sbctl"
+  ];
+
+  environment.systemPackages = [
+    # For debugging and troubleshooting Secure Boot.
+    pkgs.sbctl
+  ];
+
+  # Lanzaboote currently replaces the systemd-boot module.
+  # This setting is usually set to true in configuration.nix
+  # generated at installation time. So we force it to false
+  # for now.
+  # boot.loader.systemd-boot.enable = lib.mkForce false;
+
+  # boot.lanzaboote = {
+  #   enable = true;
+  #   pkiBundle = "/var/lib/sbctl";
+  # };
+}
