From 7450e65a84b61601f5ea0963c549fd5d34dae912 Mon Sep 17 00:00:00 2001
From: jwy
Date: Wed, 10 Jul 2024 17:16:54 -0400
Subject: [PATCH] Put lanzaboote as an option that will only be enabled if secureboot is true in a options.nix file
---
 nix-config/hosts/nix-deskstar/options.nix | 3 +++
 nix-config/hosts/nix-lappy/options.nix | 3 +++
 nix-config/hosts/nix-vm/options.nix | 3 +++
 nix-config/system/boot.nix | 26 +++++++++++++++++++----
 4 files changed, 31 insertions(+), 4 deletions(-)
diff --git a/nix-config/hosts/nix-deskstar/options.nix b/nix-config/hosts/nix-deskstar/options.nix
index c0caf393c..e0ee7f630 100644
--- a/nix-config/hosts/nix-deskstar/options.nix
+++ b/nix-config/hosts/nix-deskstar/options.nix
@@ -80,4 +80,7 @@ in {
 # Power profiles daemon
 powerprofiles = false;
+
+ # Use lanzaboote for secureboot
+ secureboot = false;
 }
diff --git a/nix-config/hosts/nix-lappy/options.nix b/nix-config/hosts/nix-lappy/options.nix
index e1ebeb9f5..68f08f006 100644
--- a/nix-config/hosts/nix-lappy/options.nix
+++ b/nix-config/hosts/nix-lappy/options.nix
@@ -81,4 +81,7 @@ in {
 # Power profiles daemon
 powerprofiles = true;
+
+ # Use lanzaboote for secureboot
+ secureboot = true;
 }
diff --git a/nix-config/hosts/nix-vm/options.nix b/nix-config/hosts/nix-vm/options.nix
index ecd7e36cf..78a0ed687 100644
--- a/nix-config/hosts/nix-vm/options.nix
+++ b/nix-config/hosts/nix-vm/options.nix
@@ -80,5 +80,8 @@ in {
 # Power profiles daemon
 powerprofiles = false;
+
+ # Use lanzaboote for secureboot
+ secureboot = false;
 }
diff --git a/nix-config/system/boot.nix b/nix-config/system/boot.nix
index 0f585b1c9..886713a15 100644
--- a/nix-config/system/boot.nix
+++ b/nix-config/system/boot.nix
@@ -1,13 +1,31 @@ -{ pkgs, config, lib, ... }: +{ pkgs, config, lib, host, ... }: +let inherit (import ../hosts/${host}/options.nix) secureboot; in { + + # Bootloader - #boot.loader.systemd-boot.enable = true; - boot.loader.systemd-boot.enable = lib.mkForce false; - boot.lanzaboote = { + #boot.loader.systemd-boot.enable = lib.mkForce false; + #boot.loader.systemd-boot.enable = mkMerge + boot.loader.systemd-boot = lib.mkMerge [ + (lib.mkIf (secureboot == true) + { + enable = lib.mkForce false; + } + ) + (lib.mkIf (secureboot == false) + { + enable = true; + } + ) + ]; + + boot.lanzaboote = lib.mkIf (secureboot == true) { enable = true; pkiBundle = "/etc/secureboot"; }; + + boot.loader.efi.canTouchEfiVariables = true; boot.kernel.sysctl = { "vm.max_map_count" = 2147483642; }; boot.tmp.useTmpfs = true;
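Review bot: The two `lib.mkIf` branches in the new `boot.loader.systemd-boot` merge leave a silent third case: `secureboot` is read by a raw `import` of the host's options.nix, so nothing type-checks it, and if it ever holds anything other than a literal `true`/`false` both conditions are false, neither the systemd-boot nor the lanzaboote definition in this file applies, and the host evaluates cleanly with neither enabled here. Passing the value straight to the conditional makes a non-boolean an evaluation error instead, and the whole `mkMerge` collapses to `boot.loader.systemd-boot.enable = if secureboot then lib.mkForce false else true;` with `boot.lanzaboote = lib.mkIf secureboot { ... };` below it. The two commented-out lines above the merge (`#boot.loader.systemd-boot.enable = lib.mkForce false;` and `#boot.loader.systemd-boot.enable = mkMerge`) are stale and the second is not valid Nix, so they should be dropped rather than kept as history. The new `host` argument presumably has to be supplied by whoever imports this module (specialArgs or similar), which is not visible here, and the module attrset appears to continue past the end of the hunk.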