fern/flock
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Re-enable lanzaboote

Browse source
This commit is contained in:
Fern Garden 2025-09-20 09:18:24 +08:00
parent d7bbfe8133
commit 56019d1959
1 changed files with 13 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

14
hosts/muskduck/default.nix
View file

@ -1,8 +1,20 @@
{ {lib, ...}:
with lib; {
# Kernel modules. # Kernel modules.
boot.initrd.availableKernelModules = ["xhci_pci" "nvme" "usb_storage" "sd_mod"]; boot.initrd.availableKernelModules = ["xhci_pci" "nvme" "usb_storage" "sd_mod"];
boot.kernelModules = ["kvm-intel"]; boot.kernelModules = ["kvm-intel"];
# Enable lanzaboote & secure boot.
boot.initrd.systemd.enable = true;
boot.loader.systemd-boot.enable = mkForce false;
boot.bootspec.enable = true;
boot.lanzaboote = {
enable = true;
pkiBundle = "/var/lib/sbctl";
settings.timeout = 0;
};
# Full disk encryption. # Full disk encryption.
boot.initrd.luks.devices."nvme0n1p2_crypt".device = "/dev/disk/by-uuid/7196bd89-099f-4e9e-80e5-3d6d555272b1"; boot.initrd.luks.devices."nvme0n1p2_crypt".device = "/dev/disk/by-uuid/7196bd89-099f-4e9e-80e5-3d6d555272b1";