Diffstat (limited to 'modules')
| -rw-r--r-- | modules/nixos/mixins/default.nix | 1 | ||||
| -rw-r--r-- | modules/nixos/mixins/lanzaboote.nix | 43 |
2 files changed, 44 insertions, 0 deletions
diff --git a/modules/nixos/mixins/default.nix b/modules/nixos/mixins/default.nix
index f586904..5f99079 100644
--- a/modules/nixos/mixins/default.nix
+++ b/modules/nixos/mixins/default.nix
@@ -4,6 +4,7 @@
 ./forgejo.nix
 ./hercules.nix
 ./kanidm.nix
+ ./lanzaboote.nix
 ./nginx.nix
 ./nvidia.nix
 ./promtail.nix
diff --git a/modules/nixos/mixins/lanzaboote.nix b/modules/nixos/mixins/lanzaboote.nix
new file mode 100644
index 0000000..c55fa19
--- /dev/null
+++ b/modules/nixos/mixins/lanzaboote.nix
@@ -0,0 +1,43 @@
+{
+ config,
+ lib,
+ pkgs,
+ inputs,
+ ...
+}:
+
+let
+ cfg = config.boot.lanzaboote;
+in
+
+{
+ imports = [ inputs.lanzaboote.nixosModules.lanzaboote ];
+
+ config = lib.mkMerge [
+ {
+ boot.lanzaboote = {
+ pkiBundle = "/etc/secureboot";
+
+ settings = {
+ console-mode = "auto";
+ editor = false;
+ timeout = 0;
+ };
+ };
+ }
+
+ (lib.mkIf cfg.enable {
+ boot = {
+ initrd.systemd.enable = true; # For unlocking LUKS root with TPM2
+ loader.systemd-boot.enable = lib.mkForce false; # Lanzaboote replaces this
+ };
+
+ environment.systemPackages = [
+ # manual Lanzaboote maintenance (NOTE: I have not actually used this since ~2022)
+ pkgs.sbctl
+ # TODO: Is this actually required for using `tpm2-device=auto` to unlock LUKS volumes in initrd? Probably
+ pkgs.tpm2-tss
+ ];
+ })
+ ];
+}
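Review bot: The TODO above `pkgs.tpm2-tss` in the new lanzaboote.nix asks whether that package is what makes `tpm2-device=auto` unlocking work in the initrd, but `environment.systemPackages` only populates the booted system's profile and contributes nothing to the initrd image, so it cannot be the mechanism; the line is harmless but the "Probably" points future readers at the wrong place. The TPM2 support used by systemd-cryptsetup during early boot comes with the systemd initrd enabled on the `initrd.systemd.enable = true` line (NixOS exposes it as `boot.initrd.systemd.tpm2.enable`, if I recall the option name correctly — worth confirming against the module's option list rather than trusting this note). I would replace the TODO with `# tpm2-tss is only for host-side TPM tooling; initrd TPM2 unlock is provided by boot.initrd.systemd, not by systemPackages` and either drop the package or keep it as a deliberate host tool. Keeping `editor = false` next to a TPM2-unlocked root is the right pairing, since the systemd-boot editor would otherwise allow the kernel command line of a signed entry to be changed from the boot menu.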
