Set up Secure Boot

2024-01-08 03:06:19 +01:00
parent 82571a725e
commit 93f2da8b1f
4 changed files with 241 additions and 13 deletions
--- a/configuration.nix
+++ b/configuration.nix
@@ -19,16 +19,20 @@ with pkgs;
  # Device firmware updates
  services.fwupd.enable = true;

-  # Bootloader configuration
+  # Secure boot using lanzaboote
  boot.loader = {
    efi.canTouchEfiVariables = true;
    systemd-boot = {
-      enable = true;
+      enable = false;
      configurationLimit = 50;
      editor = false;
    };
    timeout = 3;
  };
+  boot.lanzaboote = {
+    enable = true;
+    pkiBundle = "/etc/secureboot";
+  };

  # Run Nix garbage collector and enable flakes
  nix = {
@@ -102,13 +106,7 @@ with pkgs;
    enable = true;
    dates = "22:30";
    flake = "/home/coolneng/Projects/panacea";
-    flags = [
-      "--update-input"
-      "agenix"
-      "--update-input"
-      "nixpkgs"
-      "--commit-lock-file"
-    ];
+    flags = [ "update" "--commit-lock-file" ];
  };

  # Add required dependencies to the auto-upgrade service