feat: add lanzaboote

- Added lanzaboote - Disabled systemd-boot in favor of lanzaboote - Added sbctl
2025-10-04 07:25:40 +00:00 · 2025-08-28 22:37:42 +09:00 · 2025-08-28 22:37:42 +09:00 · b738736f94
commit b738736f94
parent dfc4f9ba9d
5 changed files with 182 additions and 6 deletions
--- a/hosts/nixos/configuration.nix
+++ b/hosts/nixos/configuration.nix
@ -5,6 +5,7 @@
    [ 
      inputs.nix-flatpak.nixosModules.nix-flatpak
      inputs.sops-nix.nixosModules.sops
+      inputs.lanzaboote.nixosModules.lanzaboote
      ./hardware-configuration.nix
    ] ++ (
      let
--- a/hosts/nixos/modules/boot.nix
+++ b/hosts/nixos/modules/boot.nix
@ -1,7 +1,12 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:

 {
-  boot.loader.systemd-boot.enable = true;
+  boot.loader.systemd-boot.enable = lib.mkForce false;
  boot.loader.efi.canTouchEfiVariables = true;
  boot.supportedFilesystems = [ "ntfs" ];
+
+  boot.lanzaboote = {
+    enable = true;
+    pkiBundle = "/var/lib/sbctl";
+  };
 }
--- a/hosts/nixos/modules/packages.nix
+++ b/hosts/nixos/modules/packages.nix
@ -4,6 +4,7 @@
  environment.systemPackages = with pkgs; [
    vim
    wget
+    sbctl
  ];
  nixpkgs.config.allowUnfree = true;
 }