70 lines
1.3 KiB
Nix
70 lines
1.3 KiB
Nix
{
|
|
config,
|
|
pkgs,
|
|
lib,
|
|
...
|
|
}:
|
|
|
|
{
|
|
imports = [ ];
|
|
|
|
boot = {
|
|
consoleLogLevel = 0;
|
|
kernelParams = [
|
|
"quiet"
|
|
"splash"
|
|
];
|
|
|
|
initrd = {
|
|
verbose = false;
|
|
systemd.enable = true;
|
|
};
|
|
|
|
plymouth = {
|
|
enable = true;
|
|
theme = "bgrt";
|
|
logo = "${pkgs.nixos-icons}/share/icons/hicolor/128x128/apps/nix-snowflake.png";
|
|
font = "${pkgs.dejavu_fonts}/share/fonts/truetype/DejaVuSansMono.ttf";
|
|
};
|
|
};
|
|
|
|
fonts.packages = with pkgs; [
|
|
dejavu_fonts
|
|
];
|
|
|
|
# Integrate with Lanzaboote
|
|
boot.loader.systemd-boot.enable = lib.mkForce false;
|
|
boot.loader.grub.enable = lib.mkForce false;
|
|
boot.lanzaboote = {
|
|
enable = true;
|
|
pkiBundle = "/var/lib/sbctl";
|
|
autoGenerateKeys.enable = true;
|
|
autoEnrollKeys = {
|
|
enable = true;
|
|
includeMicrosoftKeys = true;
|
|
};
|
|
};
|
|
|
|
# TPM-based LUKS unlock put in hardware configuration.nix.
|
|
# boot.initrd.luks.devices = {
|
|
# cryptroot = {
|
|
# device = "/dev/sda2";
|
|
# crypttabExtraOpts = [
|
|
# "tpm2-device=auto"
|
|
# "tpm2-measure-pcr=yes"
|
|
# ];
|
|
# };
|
|
# };
|
|
|
|
security.tpm2 = {
|
|
enable = true;
|
|
pkcs11.enable = true;
|
|
tctiEnvironment.enable = true;
|
|
};
|
|
|
|
environment.systemPackages = with pkgs; [
|
|
sbctl
|
|
tpm2-tools
|
|
];
|
|
}
|