From 8c95bb353556ceb51e5a135da08753e005c8baa7 Mon Sep 17 00:00:00 2001
From: KJ Tsanaktsidis
Date: Wed, 7 Jan 2026 22:24:21 +1100
Subject: tpm2

---
 labsrv01/secureboot.nix | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
(limited to 'labsrv01/secureboot.nix')

diff --git a/labsrv01/secureboot.nix b/labsrv01/secureboot.nix
index cc8ec2e..29bff21 100644
--- a/labsrv01/secureboot.nix
+++ b/labsrv01/secureboot.nix
@@ -2,8 +2,27 @@
 inputs,
 lib,
 pkgs,
+ config,
 ...
 }:
+let
+ sb-do-enroll-keys = pkgs.writeShellApplication {
+ name = "sb-do-enroll-keys";
+ text = ''
+ set -ex;
+ ${pkgs.sbctl}/bin/sbctl enroll-keys
+ '';
+ };
+ sb-do-enroll-tpm = pkgs.writeShellApplication {
+ name = "sb-do-enroll-tpm";
+ runtimeInputs = [ pkgs.tpm2-tss ];
+ text = ''
+ set -ex;
+ LUKS_DEVICE="${config.disko.devices.disk.nvme0n1.content.partitions.luks.device}"
+ ${pkgs.systemd}/bin/systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=0+7 "''${LUKS_DEVICE}"
+ '';
+ };
+in
 {
 imports = [
 inputs.lanzaboote.nixosModules.lanzaboote
@@ -11,6 +30,8 @@
 environment.systemPackages = [
 pkgs.sbctl
+ sb-do-enroll-keys
+ sb-do-enroll-tpm
 ];
 # Lanzaboote currently replaces the systemd-boot module.
@@ -18,6 +39,8 @@
 # generated at installation time. So we force it to false
 # for now.
 boot.loader.systemd-boot.enable = lib.mkForce false;
+ boot.initrd.systemd.enable = true;
+ boot.initrd.systemd.tpm2.enable = true;
 boot.lanzaboote = {
 enable = true;
-- 
cgit v1.2.3
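Review bot: The systemd-cryptenroll line in sb-do-enroll-tpm binds the LUKS key to PCRs 0 and 7 only and passes no `--tpm2-with-pin`, so the TPM releases the key unattended to any boot entry signed with the Secure Boot keys enrolled by sb-do-enroll-keys, presumably including older generations still in the boot menu; if that is the intended trust model it should be stated next to the command, e.g. `# PCR 0+7 only: any boot entry signed with the enrolled Secure Boot keys unlocks unattended, no PIN.` PCR 0 also changes on firmware updates, after which the TPM2 slot stops working and the existing passphrase slot (kept, since `--wipe-slot=tpm2` removes only TPM2 slots) is the only way in, so the script should note that it must be re-run after such updates. Consider `--tpm2-with-pin=yes` if unattended unlock is not a requirement for this host. Separately, `sbctl enroll-keys` without `--microsoft` drops the vendor certificates from db, which can stop Microsoft-signed option ROMs from loading on some hardware; sbctl itself warns about this, so a one-line comment recording that decision would help the next reader.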
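Review bot: The two new `boot.initrd.systemd` lines in the last hunk carry no comment, while the neighbouring `boot.loader.systemd-boot.enable` override is explained at length; a short line such as `# systemd initrd is required for TPM2-backed LUKS unlock; tpm2.enable turns on systemd's TPM2 support in the initrd.` would keep the block consistent and tie these options to the enrollment script added above. The `boot.lanzaboote = {` attribute set that follows continues outside the hunk.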