25 lines
584 B
Nix
25 lines
584 B
Nix
{ pkgs, ... }:
|
|
|
|
{
|
|
environment.systemPackages = with pkgs; [
|
|
sbctl
|
|
cryptsetup
|
|
sbsigntool
|
|
];
|
|
security.tpm2 = {
|
|
enable = true;
|
|
pkcs11.enable = true;
|
|
};
|
|
|
|
boot.loader.efi.canTouchEfiVariables = true;
|
|
boot.loader.secureboot = {
|
|
enable = true;
|
|
# generated with sbctl
|
|
signingKeyPath = "/etc/secureboot/keys/db/db.key";
|
|
signingCertPath = "/etc/secureboot/keys/db/db.pem";
|
|
};
|
|
boot.loader.systemd-boot.configurationLimit = 15;
|
|
|
|
boot.initrd.systemd.enable = true;
|
|
boot.initrd.luks.devices.root.crypttabExtraOpts = [ "tpm2-device=auto" ];
|
|
}
|