Diffstat (limited to 'modules/secureboot.nix')
| -rw-r--r-- | modules/secureboot.nix | 66 |
1 files changed, 66 insertions, 0 deletions
diff --git a/modules/secureboot.nix b/modules/secureboot.nix
new file mode 100644
index 0000000..29bff21
--- /dev/null
+++ b/modules/secureboot.nix
@@ -0,0 +1,66 @@
+{
+ inputs,
+ lib,
+ pkgs,
+ config,
+ ...
+}:
+let
+ sb-do-enroll-keys = pkgs.writeShellApplication {
+ name = "sb-do-enroll-keys";
+ text = ''
+ set -ex;
+ ${pkgs.sbctl}/bin/sbctl enroll-keys
+ '';
+ };
+ sb-do-enroll-tpm = pkgs.writeShellApplication {
+ name = "sb-do-enroll-tpm";
+ runtimeInputs = [ pkgs.tpm2-tss ];
+ text = ''
+ set -ex;
+ LUKS_DEVICE="${config.disko.devices.disk.nvme0n1.content.partitions.luks.device}"
+ ${pkgs.systemd}/bin/systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=0+7 "''${LUKS_DEVICE}"
+ '';
+ };
+in
+{
+ imports = [
+ inputs.lanzaboote.nixosModules.lanzaboote
+ ];
+
+ environment.systemPackages = [
+ pkgs.sbctl
+ sb-do-enroll-keys
+ sb-do-enroll-tpm
+ ];
+
+ # Lanzaboote currently replaces the systemd-boot module.
+ # This setting is usually set to true in configuration.nix
+ # generated at installation time. So we force it to false
+ # for now.
+ boot.loader.systemd-boot.enable = lib.mkForce false;
+ boot.initrd.systemd.enable = true;
+ boot.initrd.systemd.tpm2.enable = true;
+
+ boot.lanzaboote = {
+ enable = true;
+ pkiBundle = "/var/lib/sbctl";
+ };
+
+ # Create and enroll Secure Boot keys on first boot
+ systemd.services.sbctl-setup = {
+ description = "Create and enroll Secure Boot keys";
+ wantedBy = [ "multi-user.target" ];
+ unitConfig.ConditionPathExists = "!/var/lib/sbctl/GUID";
+
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+
+ script = ''
+ echo "Creating Secure Boot keys..."
+ ${pkgs.sbctl}/bin/sbctl create-keys
+ '';
+ };
+}
|
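Review bot: The `sbctl-setup` unit's comment and `description` say it creates *and enrolls* Secure Boot keys, but its `script` only runs `sbctl create-keys`; enrollment is left to the manual `sb-do-enroll-keys` wrapper, which calls `sbctl enroll-keys` without `--microsoft`, so on firmware that expects Microsoft-signed option ROMs (discrete GPUs, some NICs) the machine may stop booting after enrollment — I would make the unit text honest, `description = "Create Secure Boot keys (enroll manually with sb-do-enroll-keys)";`, and either add `--microsoft` to the wrapper or document in a comment why this hardware can omit it. The TPM wrapper `sb-do-enroll-tpm` wipes the tpm2 slot and binds the LUKS key to PCRs 0 and 7 with no PIN, so the bound state changes both when the Secure Boot keys are later enrolled (PCR 7) and on firmware updates (PCR 0); the required order — create keys, enroll keys, reboot with Secure Boot enabled, then enroll the TPM — and the need to keep a passphrase keyslot for recovery are not stated anywhere in the module, and deserve a comment above `sb-do-enroll-tpm` (consider `--tpm2-with-pin` if unattended unlock with physical access to the disk is a concern). Minor style: `writeShellApplication` already runs its scripts with `set -euo pipefail`, so the `set -ex;` lines (trailing semicolon included) add only tracing and could be trimmed to `set -x`. The hard-coded `disk.nvme0n1` disko path also ties this module to one host layout; a module option or a `config.disko` lookup by partition name would make the wrapper reusable.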
