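# NixOS module: opt-in UEFI Secure Boot using lanzaboote.
#
# Setting `secure-boot.enable = true` swaps the stock systemd-boot installer
# for lanzaboote, which signs the boot artifacts with the keys in `pkiBundle`.
# This module only configures signing. The chain is enforced only once the
# firmware has Secure Boot turned on with the matching keys enrolled; that is
# a manual step outside this file.
{ pkgs, lib, config, inputs, ... }:
{
  imports = [
    inputs.lanzaboote.nixosModules.lanzaboote
  ];

  options = {
    # mkEnableOption already prefixes the text with "Whether to enable ",
    # so the argument is a noun phrase rather than a full sentence.
    secure-boot.enable = lib.mkEnableOption "UEFI Secure Boot via lanzaboote";
  };

  config = lib.mkIf config.secure-boot.enable {
    boot = {
      # lanzaboote takes over boot-loader installation. mkForce overrides any
      # other module (e.g. a generated hardware/base config) that enables
      # systemd-boot, so the two installers never both run.
      loader.systemd-boot.enable = lib.mkForce false;

      lanzaboote = {
        enable = true;

        # Directory holding the Secure Boot key bundle, including the PRIVATE
        # signing keys. It must exist on the target host (created with sbctl)
        # before the first rebuild with this option enabled.
        #
        # Keep this a string, not a Nix path literal: a path literal that gets
        # interpolated would be copied into the world-readable Nix store,
        # exposing the signing keys.
        #
        # Anyone who can read this directory can sign boot artifacts that the
        # firmware will trust, so it should be root-only and on encrypted
        # storage.
        pkiBundle = "/etc/secureboot";
      };
    };
  };
}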