| -rw-r--r-- | modules/nixos/mixins/default.nix | 1 | ||||
| -rw-r--r-- | modules/nixos/mixins/lanzaboote.nix | 43 | ||||
| -rw-r--r-- | systems/glados/boot.nix | 23 |
3 files changed, 45 insertions, 22 deletions
diff --git a/modules/nixos/mixins/default.nix b/modules/nixos/mixins/default.nix
index f586904..5f99079 100644
--- a/modules/nixos/mixins/default.nix
+++ b/modules/nixos/mixins/default.nix
@@ -4,6 +4,7 @@
 ./forgejo.nix
 ./hercules.nix
 ./kanidm.nix
+ ./lanzaboote.nix
 ./nginx.nix
 ./nvidia.nix
 ./promtail.nix
diff --git a/modules/nixos/mixins/lanzaboote.nix b/modules/nixos/mixins/lanzaboote.nix
new file mode 100644
index 0000000..c55fa19
--- /dev/null
+++ b/modules/nixos/mixins/lanzaboote.nix
@@ -0,0 +1,43 @@
+{
+ config,
+ lib,
+ pkgs,
+ inputs,
+ ...
+}:
+
+let
+ cfg = config.boot.lanzaboote;
+in
+
+{
+ imports = [ inputs.lanzaboote.nixosModules.lanzaboote ];
+
+ config = lib.mkMerge [
+ {
+ boot.lanzaboote = {
+ pkiBundle = "/etc/secureboot";
+
+ settings = {
+ console-mode = "auto";
+ editor = false;
+ timeout = 0;
+ };
+ };
+ }
+
+ (lib.mkIf cfg.enable {
+ boot = {
+ initrd.systemd.enable = true; # For unlocking LUKS root with TPM2
+ loader.systemd-boot.enable = lib.mkForce false; # Lanzaboote replaces this
+ };
+
+ environment.systemPackages = [
+ # manual Lanzaboote maintenance (NOTE: I have not actually used this since ~2022)
+ pkgs.sbctl
+ # TODO: Is this actually required for using `tpm2-device=auto` to unlock LUKS volumes in initrd? Probably
+ pkgs.tpm2-tss
+ ];
+ })
+ ];
+}
diff --git a/systems/glados/boot.nix b/systems/glados/boot.nix
index d68b32c..c9224c8 100644
--- a/systems/glados/boot.nix
+++ b/systems/glados/boot.nix
@@ -2,22 +2,11 @@
 config,
 lib,
 pkgs,
- inputs,
 ...
 }:
-{
- imports = [ inputs.lanzaboote.nixosModules.lanzaboote ];
-
- environment.systemPackages = [
- # manual lanzaboote maintenance (NOTE: i have not actually used this since ~2022)
- pkgs.sbctl
- # TODO: is this actually required for using `tpm2-device=auto` to unlock LUKS volumes in initrd? probably
- pkgs.tpm2-tss
- ];
+{
 boot = {
- initrd.systemd.enable = true; # for unlocking luks root with tpm2
-
 kernelPackages = pkgs.linuxKernel.packages.linux_6_11;
 kernelParams =
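Review bot: The TODO on `pkgs.tpm2-tss` in the new lanzaboote.nix can be settled: `environment.systemPackages` only populates the booted system's profile and never reaches the initrd, so this package cannot be what makes `tpm2-device=auto` unlocking work there; in a systemd-based initrd that support comes from `boot.initrd.systemd.tpm2.enable` (presumably on by default in the NixOS release in use — verify), and the comment should say so, e.g. `# Only for enrolling/inspecting keys from the running system (systemd-cryptenroll); initrd TPM2 unlock is provided by boot.initrd.systemd.tpm2, not by this package`. The `initrd.systemd.enable` comment would also benefit from the security caveat that TPM2 auto-unlock is only as strong as the PCR policy the key was enrolled with: with `editor = false` and the kernel/cmdline signed by Lanzaboote, binding to PCR 7 (Secure Boot policy) is what stops an attacker from booting a modified image against the sealed key, and without a PIN (`systemd-cryptenroll --tpm2-with-pin=yes`) anyone holding the device still gets an unlocked root at the login prompt. Separately, `pkiBundle` and `settings` are plain (priority-100) assignments in a mixin, so a host that sets either value will hit a conflicting-definitions error; wrapping them in `lib.mkDefault` keeps the mixin overridable.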
@@ -28,18 +17,8 @@
 # https://github.com/NVIDIA/open-gpu-kernel-modules/issues/693
 ++ lib.optional (!config.hardware.nvidia.open) "nvidia.NVreg_EnableGpuFirmware=0";
- loader.systemd-boot.enable = lib.mkForce false; # lanzaboote replaces this
-
 lanzaboote = {
 enable = true;
-
- pkiBundle = "/etc/secureboot";
-
- settings = {
- console-mode = "auto";
- editor = false;
- timeout = 0;
- };
 };
 supportedFilesystems = [ "ntfs" ]; # for game drive |
