schmittlauch/nixconfigs
2
0
Fork 0
Code Issues 2 Pull requests Releases Wiki Activity

secureboot: generalise, enable for framenix

Browse source
This commit is contained in:
Trolli Schmittlauch 2026-04-19 20:46:29 +02:00
parent 2c74301ec4
commit fbc3b8f952
5 changed files with 34 additions and 26 deletions
Download patch file Download diff file Expand all files Collapse all files

1
common/default.nix
View file

@ -19,6 +19,7 @@ in
./audio-sharing.nix ./audio-sharing.nix
./angrr.nix ./angrr.nix
./sops.nix ./sops.nix
./secureboot.nix
]; ];
services.davfs2.enable = true; services.davfs2.enable = true;

25
common/secureboot.nix Normal file
View file

@ -0,0 +1,25 @@
{
config,
lib,
pkgs,
...
}:
{
options.schmittlauch.secureboot.enable = lib.mkEnableOption "Enable lanzaboote secure boot, make sure keys and firmware are setup correctly.";
config = lib.mkIf config.schmittlauch.secureboot.enable {
boot.loader.efi.canTouchEfiVariables = true;
# UEFI secure boot
environment.systemPackages = [ pkgs.sbctl ];
# Lanzaboote currently replaces the systemd-boot module.
# This setting is usually set to true in configuration.nix
# generated at installation time. So we force it to false
# for now.
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.lanzaboote = {
enable = true;
pkiBundle = "/var/lib/sbctl";
};
};
}

5
hosts/framenix/default.nix
View file

@ -84,5 +84,8 @@ in
unstable.amd-debug-tools unstable.amd-debug-tools
]; ];
schmittlauch.audio-sharing.enable = true; schmittlauch = {
audio-sharing.enable = true;
secureboot.enable = true;
};
} }

7
hosts/thinknix/default.nix
View file

@ -12,8 +12,6 @@
./hardware-configuration.nix ./hardware-configuration.nix
./storage.nix ./storage.nix
./swap.nix ./swap.nix
# FIXME: move this to common, conditional enabling
./secureboot.nix
]; ];
hardware.trackpoint = { hardware.trackpoint = {
@ -24,7 +22,10 @@
boot.extraModprobeConfig = "options thinkpad_acpi fan_control=1"; # enable fan control via echo to /proc/acpi/ibm/fan boot.extraModprobeConfig = "options thinkpad_acpi fan_control=1"; # enable fan control via echo to /proc/acpi/ibm/fan
schmittlauch.guestUser.enable = true; schmittlauch = {
guestUser.enable = true;
secureboot.enable = true;
};
networking.hostName = "thinknix"; networking.hostName = "thinknix";

22
hosts/thinknix/secureboot.nix
View file

@ -1,22 +0,0 @@
{
config,
lib,
pkgs,
...
}:
{
boot.loader.efi.canTouchEfiVariables = true;
# UEFI secure boot
environment.systemPackages = [ pkgs.sbctl ];
# Lanzaboote currently replaces the systemd-boot module.
# This setting is usually set to true in configuration.nix
# generated at installation time. So we force it to false
# for now.
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
};
}