authorKJ Tsanaktsidis <kj@kjtsanaktsidis.id.au>2026-01-07 20:20:11 +1100
committerKJ Tsanaktsidis <kj@kjtsanaktsidis.id.au>2026-01-07 20:20:11 +1100
commit83a656c9033fec6fd9c6a44d19af3efb1c471891 (patch)
tree0205d1a83596adab3c17fdf8994e04cc20f82f07 /labsrv01/secureboot.nix
parent6456bd1bb272de217f08228534c5bc9c3796be73 (diff)
secureboot
Diffstat (limited to 'labsrv01/secureboot.nix')
-rw-r--r--labsrv01/secureboot.nix51
1 files changed, 51 insertions, 0 deletions
diff --git a/labsrv01/secureboot.nix b/labsrv01/secureboot.nix
new file mode 100644
index 0000000..1e4d171
--- /dev/null
+++ b/labsrv01/secureboot.nix
@@ -0,0 +1,51 @@
+{
+ inputs,
+ lib,
+ pkgs,
+ ...
+}:
+{
+ imports = [
+ inputs.lanzaboote.nixosModules.lanzaboote
+ ];
+
+ environment.systemPackages = [
+ pkgs.sbctl
+ ];
+
+ # Lanzaboote currently replaces the systemd-boot module.
+ # This setting is usually set to true in configuration.nix
+ # generated at installation time. So we force it to false
+ # for now.
+ boot.loader.systemd-boot.enable = lib.mkForce false;
+
+ boot.lanzaboote = {
+ enable = true;
+ pkiBundle = "/var/lib/sbctl";
+ };
+
+ # Create and enroll Secure Boot keys on first boot
+ systemd.services.sbctl-setup = {
+ description = "Create and enroll Secure Boot keys";
+ wantedBy = [ "multi-user.target" ];
+ unitConfig.ConditionPathExists = "!/var/lib/sbctl/GUID";
+
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+
+ script = ''
+ echo "Creating Secure Boot keys..."
+ ${pkgs.sbctl}/bin/sbctl create-keys
+
+ # Check if we're in Setup Mode
+ if ${pkgs.sbctl}/bin/sbctl status | grep -q "Setup Mode"; then
+ echo "UEFI is in Setup Mode, enrolling keys..."
+ ${pkgs.sbctl}/bin/sbctl enroll-keys --microsoft
+ else
+ echo "WARNING: UEFI is not in Setup Mode. Please clear Secure Boot keys in UEFI and reboot."
+ fi
+ '';
+ };
+}
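Review bot: The Setup Mode check at the `grep -q "Setup Mode"` line appears to match regardless of firmware state, because as far as I recall `sbctl status` always prints a `Setup Mode:` row whose value is either Enabled or Disabled, so the warning branch is unreachable and `enroll-keys --microsoft` is attempted even when the firmware is locked. Matching the value rather than the label, `if ${pkgs.sbctl}/bin/sbctl status | grep -q "Setup Mode:.*Enabled"; then`, would restore the intended branch; if sbctl's `--json` status output is available in the packaged version, parsing that would be more robust than grepping human-readable text. A second consequence worth noting is that `create-keys` runs before the check and populates the path the `ConditionPathExists = "!/var/lib/sbctl/GUID"` guard watches, so a failed or skipped enrollment is never retried on a later boot, and the host is left with lanzaboote signing images with keys the firmware does not trust; moving the Setup Mode check ahead of `create-keys`, or conditioning on a marker written only after a successful `enroll-keys`, would keep the unit re-runnable until enrollment actually succeeds.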