config/hosts/jericho/extras/lanzaboote.nix


# Host-specific Secure Boot setup for jericho: enables lanzaboote and points it
# at the db certificate kept in this repository and at the matching private key,
# which is stored age-encrypted and exposed through `age.secrets`.
#
# NOTE(review): `age.secrets` is not declared here, so this presumably relies on
# the agenix module being imported elsewhere in the host configuration. Confirm.
{ config, inputs, ... }:
let
  # The secret entry declared below; its `path` is where the decrypted key is
  # expected to be found on the running system.
  signingKey = config.age.secrets.secureBootKey;
in
{
  imports = [ inputs.lanzaboote.nixosModules.lanzaboote ];

  # Only the encrypted form of the private key is referenced from the repo.
  # NOTE(review): once decrypted the key sits on the same machine it signs for,
  # so anyone with root on this host can sign boot images with it. Confirm this
  # matches the threat model for this host.
  age.secrets.secureBootKey.file = ../../../secrets/secure-boot-private-key-jericho.age;

  boot.lanzaboote = {
    enable = true;

    # NOTE(review): with a limit of 50, older signed generations presumably stay
    # bootable for a long time, which keeps old kernels and initrds reachable
    # from the boot menu. Confirm this retention is intended.
    configurationLimit = 50;

    # Public half of the db key pair; not secret.
    publicKeyFile = ./secure-boot/db.pem;

    # BUG: the bootloader installation runs before/without the activation
    # script, so the decrypted key may be missing unless the system has already
    # been activated once.
    # NOTE(review): worth checking that a missing key makes the install step
    # fail loudly rather than leaving stale or unsigned boot entries.
    privateKeyFile = signingKey.path;
  };
}