enable lanzaboote

author: Franck Cuny <franck@fcuny.net> 2026-01-25 08:20:25 -0800
committer: Franck Cuny <franck@fcuny.net> 2026-01-25 08:29:39 -0800
commit: 2777680940425a9a741a8ba1befef2fcf1cc139b (patch)
tree: a86d7ea98aceb31325de04324ba59ebd5b20f96e /profiles
parent: enforce sorting in some places (diff)
download: infra-2777680940425a9a741a8ba1befef2fcf1cc139b.tar.gz
1 files changed, 17 insertions, 0 deletions
diff --git a/profiles/secureboot.nix b/profiles/secureboot.nix
new file mode 100644
index 0000000..53df8e3
--- /dev/null
+++ b/profiles/secureboot.nix
@@ -0,0 +1,17 @@
+{ pkgs, lib, ... }:
+{
+  environment.persistence."/persist/save".directories = [
+    "/var/lib/sbctl"
+  ];
+
+  environment.systemPackages = [
+    pkgs.sbctl
+  ];
+
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+
+  boot.lanzaboote = {
+    enable = true;
+    pkiBundle = "/var/lib/sbctl";
+  };
+}
author	Franck Cuny <franck@fcuny.net>	2026-01-25 08:20:25 -0800
committer	Franck Cuny <franck@fcuny.net>	2026-01-25 08:29:39 -0800
commit	2777680940425a9a741a8ba1befef2fcf1cc139b (patch)
tree	a86d7ea98aceb31325de04324ba59ebd5b20f96e /profiles
parent	enforce sorting in some places (diff)
download	infra-2777680940425a9a741a8ba1befef2fcf1cc139b.tar.gz