slab: enable lanzaboote with workaround

2024-08-25 15:15:29 +02:00 · 2024-08-25 15:15:29 +02:00 · 2edf8ff101
commit 2edf8ff101
parent bbec705d40
1 changed files with 12 additions and 1 deletions
--- a/hosts/slab/configuration.nix
+++ b/hosts/slab/configuration.nix
@ -19,6 +19,12 @@
      };
    }

+    # Lanzaboote workaround (nix-community/lanzaboote#173)
+    (lib.mkIf config.boot.lanzaboote.enable {
+      "/efi/EFI/Linux" = { device = "/boot/EFI/Linux"; options = [ "bind" ]; };
+      "/efi/EFI/nixos" = { device = "/boot/EFI/nixos"; options = [ "bind" ]; };
+    })
+
    (lib.genAttrs [ "/.btrfsroot" "/" "/home" "/nix" ] ( fs: {
      options = [ "compress=zstd" ];
    }))
@ -102,13 +108,18 @@
    #   device = "nodev";
    # };
    systemd-boot = {
-      enable = true;
+      enable = lib.mkForce (!config.boot.lanzaboote.enable);
      xbootldrMountPoint = "/boot";
      netbootxyz.enable = true;
      memtest86.enable = true;
    };
  };

+  boot.lanzaboote = {
+    enable = true;
+    pkiBundle = "/etc/secureboot";
+  };
+
  # systemd power/suspend configuration
  systemd.targets = lib.genAttrs ["suspend" "hybrid-sleep" "suspend-then-hibernate"] (_: {
    enable = false;