2025-01-03 21:46:08 +03:00
|
|
|
{ pkgs, lib, ... }:
|
2024-01-08 07:49:51 +03:00
|
|
|
|
|
|
|
|
{
|
|
|
|
|
environment.systemPackages = with pkgs; [
|
|
|
|
|
sbctl
|
|
|
|
|
cryptsetup
|
|
|
|
|
sbsigntool
|
|
|
|
|
];
|
|
|
|
|
security.tpm2 = {
|
|
|
|
|
enable = true;
|
|
|
|
|
pkcs11.enable = true;
|
|
|
|
|
};
|
|
|
|
|
|
2025-01-03 21:46:08 +03:00
|
|
|
boot.loader.systemd-boot.enable = lib.mkForce false;
|
2024-01-08 07:49:51 +03:00
|
|
|
|
|
|
|
|
boot.initrd.systemd.enable = true;
|
|
|
|
|
boot.initrd.luks.devices.root.crypttabExtraOpts = [ "tpm2-device=auto" ];
|
2025-01-03 21:46:08 +03:00
|
|
|
|
|
|
|
|
boot.lanzaboote = {
|
|
|
|
|
enable = true;
|
|
|
|
|
pkiBundle = "/var/lib/sbctl";
|
|
|
|
|
};
|
2024-01-08 07:49:51 +03:00
|
|
|
}
|
