default.nix
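{ inputs, config, pkgs, lib, ... }:
let
  # Short-hand for this module's own options (declared below).
  boot = config.modules.hardware.boot;
in
{
  options.modules.hardware.boot = {
    lanzaboote = {
      # Defaults to true so hosts that import this module without setting it
      # keep the signed boot chain they have today; set to false to fall back
      # to the stock systemd-boot loader.
      enable = lib.mkEnableOption "Enable secureboot with lanzaboote" // {
        default = true;
      };
    };
  };

  config = {
    boot = {
      loader = {
        systemd-boot = {
          # Keep the boot-menu editor off so the kernel command line cannot be
          # changed from the console at boot time.
          # NOTE(review): whether lanzaboote honours editor/configurationLimit
          # set here should be confirmed against the lanzaboote module.
          editor = false;
          configurationLimit = 20;
          # lanzaboote ships its own signed loader, so the stock systemd-boot
          # must stay off while it is enabled. When lanzaboote is off, prefer
          # systemd-boot but let another module override it.
          enable =
            if boot.lanzaboote.enable
            then lib.mkForce false # disabled for lanzaboote
            else lib.mkDefault true;
        };
        efi.canTouchEfiVariables = true;
        timeout = 0; # Hide the OS choice for bootloaders. It's still possible to open the bootloader list by pressing any key
      };
      # Honour the option declared above instead of enabling unconditionally.
      lanzaboote = { # remember to enroll the keys
        enable = boot.lanzaboote.enable;
        pkiBundle = "/var/lib/sbctl"; #"/etc/secureboot";
      };
      initrd = {
        verbose = false;
        systemd = {
          enable = true;
          network = {
            wait-online.enable = false;
          };
        };
        # luks.fido2Support = true; # doesn't work in stage 1
      };
      # NOTE(review): linuxPackages_cachyos is not in nixpkgs proper; it is
      # presumably supplied by an overlay configured elsewhere.
      kernelPackages = pkgs.linuxPackages_cachyos;
      kernelParams = [
        # Quiet boot: keep kernel/udev/initrd chatter off the console.
        "quiet"
        "rd.systemd.show_status=false"
        # Skip LVM/MD/DM activation in the initrd (not used on this host).
        "rd.lvm=0"
        "rd.md=0"
        "rd.dm=0"
        # Never drop into an interactive initrd shell; reboot on failure
        # instead, so a failed early boot does not hand out a root prompt.
        "rd.shell=0"
        "rd.emergency=reboot"
        "rd.udev.log_level=3"
        "fbcon=nodefer"
        # IOMMU on for both vendors, passthrough mode for performance.
        "amd_iommu=on"
        "intel_iommu=on"
        "iommu=pt"
        # Keep PCI bus mastering off during early boot to limit DMA from
        # devices before the IOMMU is set up.
        "efi=disable_early_pci_dma"
        "udev.log_priority=3"
        # LSM initialisation order. lockdown is listed but its mode is not
        # selected here (see the commented parameter below).
        "lsm=landlock,lockdown,yama,integrity,apparmor,bpf"
        #"lockdown=integrity"
      ];
      kernelModules = [
        #"tpm2-totp"
      ];
      extraModulePackages = with config.boot.kernelPackages; [
        v4l2loopback
      ];
      consoleLogLevel = 3;
      plymouth = {
        enable = true;
        theme = "breeze";
      };
      tmp.useTmpfs = false;
    };

    # Create the sbctl signing keys so lanzaboote has something to sign with.
    # Only needed when lanzaboote is in use. Reference sbctl by store path:
    # /run/current-system may still point at the previous generation while
    # activation scripts run, so a hard-coded profile path can be missing on
    # the first switch.
    system.activationScripts = lib.mkIf boot.lanzaboote.enable {
      sbctl-genkeys.text = ''
        ${pkgs.sbctl}/bin/sbctl create-keys
      '';
    };
  };
}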