hosts/jericho: enable secure boot with lanzaboote
This commit is contained in:
parent
b1d21c2f96
commit
b04d2f7efa
3 changed files with 48 additions and 1 deletions
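--- /dev/null
+++ b/hosts/jericho/extras/lanzaboote.nix
@@ -0,0 +1,18 @@
+{ config, inputs, ... }:
+
+{
+  imports = [
+    inputs.lanzaboote.nixosModules.lanzaboote
+  ];
+
+  age.secrets.secureBootKey.file = ../../../secrets/secure-boot-private-key-jericho.age;
+
+  boot.lanzaboote = {
+    enable = true;
+    configurationLimit = 50;
+    publicKeyFile = ./secure-boot/db.pem;
+    # BUG: the bootloader installation runs before/without the activation script,
+    # so this key may not exist unless the system has been activated beforehand.
+    privateKeyFile = config.age.secrets.secureBootKey.path;
+  };
+}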
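Review bot: The `# BUG` comment above `privateKeyFile` names the ordering problem but not its consequence or the way out of it: as far as I recall, switch-to-configuration installs the bootloader before it runs the activation script, so on the first `nixos-rebuild switch` the agenix-decrypted key at `config.age.secrets.secureBootKey.path` does not exist yet, lanzaboote's signing step fails, and with Secure Boot enforced that can leave the new generation unbootable. Since the key lives at a runtime path, this cannot be caught by an `assertions` entry at evaluation time, so the bootstrap procedure should be written down here instead. I would replace the two comment lines with something like `# Bootstrap: the key is decrypted by agenix during activation, but the bootloader is installed before activation, so on a fresh host activate once (e.g. \`nixos-rebuild test\`, or switch with boot.lanzaboote.enable = false) before the first switch with lanzaboote enabled; otherwise signing fails and the generation may not boot under Secure Boot.` It would also help to record next to `publicKeyFile` that `db.pem` is the public half of `secrets/secure-boot-private-key-jericho.age`, so a future key rotation updates both together.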
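--- /dev/null
+++ b/hosts/jericho/extras/secure-boot/db.pem
@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIE+TCCAuGgAwIBAgIRAKeYRMV7Va8InQlau+W84swwDQYJKoZIhvcNAQELBQAw
+LjEVMBMGA1UEBhMMRGF0YWJhc2UgS2V5MRUwEwYDVQQDEwxEYXRhYmFzZSBLZXkw
+HhcNMjMwMTExMjE0MDEzWhcNMjgwMTExMjE0MDEzWjAuMRUwEwYDVQQGEwxEYXRh
+YmFzZSBLZXkxFTATBgNVBAMTDERhdGFiYXNlIEtleTCCAiIwDQYJKoZIhvcNAQEB
+BQADggIPADCCAgoCggIBALG4gvuyX8lX0HhbLxEkKmEh1ikjR6XxGhWEHePa+xhC
+aCHpPdG4R4Q3U/PGNteaxhoFCRTo6TkUcU/WtoYb3CNcDZ51mtUHtY9KFY5A5Yki
+yPnNT0W+LFP+vz9B1U+soHp1EA6HgbB/CGWvhmMHwZSzhMsOTsad7nZaiaBfzUmU
+p6y616XfI2RzpIlctxQGWNOL0lpdOqCW247ujJdubezvuoXw5gS+6yUi5ssegPdu
+UuQkZvgO9yNawISSPNNLj7TbmOC19mQ0q3KcangCCt8/93bbjdtlWMwaDoiWCtL5
+e7+Fo/MlhRovcmcz2wPGUr4tn/64mTuMWHhK9CvyIPS3hf7oNGZEWeSdvp8ppaM5
+OtocRkDmJjSS+45iEU+d6TTWMrK6s+Mx9UWWJDn/HqRnlmxW4E2eFRhuFRW6/SaB
+SbY3X36GMzByj84A4qKwkUGBCK9UZnflXiPv/KSumyg5wmQU4ulAirpMsGP6o78F
+vKE8j8avHfC70LPuv9o+pgecp9F7Kg5f6ywGPfXSxv054znV6ZMxpUa0NjLEMp57
+2PVfd3EeifgY4M4T5/wQulp8vxN9ipqD/toro16gRB2/Cb1o5FtwV9Fe4/ndVfUA
+m8bnG2zo0iLU15L1iTW4vdDZp40BZhzptaz2Xuykqum+BK+8idNtZ8xG5Fy+rED3
+AgMBAAGjEjAQMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAgEAIJSY
+Lp9/84FJv0/QSBJwI9Ly6p2lobaaZqsUVrOHYqz1Q6VU3zhhTbIYsdfiq/RJY/Dq
+w7qPPHwDN9+MgeKPN89q/kXZcZGxO+mT+eAjNBzJUJ3dUfuuoDRgQQEzVd9jUmEA
+F39SPZWoa4lefLNdKk7tGu/8T6wmXk03q/RHsG4xWHn4fLdg9XHI4g5o2W9Vorf/
+Y2Tz+oQTSipRrqX7lZ0xHGriWp4qTHikBsunzZ/krupSCvAahzG+fDnNYuNHj1FX
+/bsITw/2NU7xzJXIRI2+VPTRIppSyZ5hvRBrwfA7mVdRq2HjT0wIRfjnppJvNrOQ
+iBKZb/q7shy7bq35SSLpnAQk4ne0BAqPbJP31UxZZ7lzSvynGCUQDwM7A50OkGLC
+V9+ov+44+0NN7gCvXhhd8uPuunBTa9zv2gcnoBIy51KvBTxFZ4LOHeU9esPc7W/z
+qVaU+yOP3lUJI0Ou285zkP1xhkJyLqv2WlfuXbNxBi3ZmAckrQTjh2llOjSBdy8F
+Ce14ni9ybLiIouiEFtBEvDN4jMudDpL04zCuT9amkfznooQsak3T7QrvHl52qLDp
+HLOtegwnn8M1ivoqmM6eValayBKN/2gFjHpHmZQmf7J636UNvs6FIvpsPznj+L7a
+uJmcfil84qaqDLTNQJfIAyPvOqdnwFO8FiNuAQE=
+-----END CERTIFICATE-----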
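Review bot: The validity window of this db certificate is not recorded anywhere a maintainer will see it; decoding the DER in the third and fourth base64 lines gives notBefore 2023-01-11 and notAfter 2028-01-11 (self-signed, subject and issuer "Database Key", keyUsage digitalSignature only), so the key expires roughly five years after it was generated. Whether the firmware enforces that date when verifying a signed image varies by implementation, and the signing tools may start refusing it before then, so an expiry that is only visible by decoding a base64 blob is easy to miss. PEM has no comment syntax, so I would put the note in lanzaboote.nix next to `publicKeyFile`, e.g. `# db.pem: self-signed "Database Key" cert, valid 2023-01-11 to 2028-01-11; private half is secrets/secure-boot-private-key-jericho.age — rotate both before expiry.` That keeps the public certificate, its encrypted private key and the rotation deadline together in one place.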
|
@ -7,6 +7,7 @@
|
|||
./extras/fprint.nix
|
||||
./extras/i915-dp-hdmi-always-full-color-patch.nix
|
||||
./extras/kernel-clr.nix
|
||||
./extras/lanzaboote.nix
|
||||
./extras/thermal.nix
|
||||
(import ../../users "desktop").users.max
|
||||
inputs.nixos-hardware.nixosModules.dell-xps-13-7390
|
||||
|
@ -19,7 +20,6 @@
|
|||
ignoreConfigErrors = true;
|
||||
});
|
||||
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
|
||||
networking.hostName = "jericho";
|
||||
|
|