From 2e32697e99e76977a93aa5b665e5316ebb93b0c9 Mon Sep 17 00:00:00 2001
From: Freya Murphy
Date: Wed, 22 Jan 2025 10:06:45 -0500
Subject: secure boot
---
 hosts/shinji.nix | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
(limited to 'hosts/shinji.nix')
diff --git a/hosts/shinji.nix b/hosts/shinji.nix
index 220d72a..4ba5418 100644
--- a/hosts/shinji.nix
+++ b/hosts/shinji.nix
@@ -6,6 +6,7 @@ inputs.nixpkgs.lib.nixosSystem {
 modules = [
 options
 inputs.home-manager.nixosModules.home-manager
+ inputs.lanzaboote.nixosModules.lanzaboote
 ../modules
 {
 # options
@@ -19,10 +20,17 @@ inputs.nixpkgs.lib.nixosSystem {
 # hardware
 hardware.graphics.enable = true;
 hardware.bluetooth.enable = true;
+ security.tpm2.enable = false;
 # bootloader
- boot.loader.systemd-boot.enable = true;
- boot.loader.efi.canTouchEfiVariables = true;
+ boot.loader.efi = {
+ canTouchEfiVariables = true;
+ efiSysMountPoint = "/boot/efi";
+ };
+ boot.lanzaboote = {
+ enable = true;
+ pkiBundle = "/var/lib/sbctl";
+ };
 # hostname
 networking.hostName = "shinji";
@@ -53,7 +61,7 @@ inputs.nixpkgs.lib.nixosSystem {
 };
 # boot
- fileSystems."/boot" = {
+ fileSystems."/boot/efi" = {
 device = "/dev/disk/by-uuid/6F93-6A0B";
 fsType = "vfat";
 options = [ "fmask=0022" "dmask=0022" ];
--
cgit v1.2.3-freya
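Review bot: `pkiBundle = "/var/lib/sbctl"` keeps the Secure Boot signing keys on this host's own root filesystem, and nothing in the hunk records what protects them. Anyone who can read that directory, as root or offline from an unencrypted disk, can sign boot images the firmware will accept. I would add a comment above `boot.lanzaboote`, for example `# signing keys live in /var/lib/sbctl: keep root-only and on encrypted storage; create and enroll them with sbctl before turning on enforcement in firmware`. The new `security.tpm2.enable = false;` sits under `# hardware` with no reason given; as far as I know that is already the option's default, so a short why-comment (or dropping the line) would make the intent clear. Whether the root volume is encrypted is not visible in this hunk.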
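Review bot: The ESP, now mounted at `/boot/efi`, keeps `fmask=0022` and `dmask=0022` in the unchanged `options` line, so every file on it is readable by all local users. That would include the boot loader's random seed file if one is stored there, which is the case systemd's bootctl warns about. Since the mount is being touched anyway, I would tighten it to `options = [ "fmask=0077" "dmask=0077" ];`. The closing lines of this attribute set fall outside the hunk.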