Commit f9ed9313d05f
Changed files (3)
systems/hosts/kyushu.nix
@@ -1,10 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
- imports = [
- ../hardware/thinkpad-x1g12.nix
- ];
-
- # TODO use disko
- # TODO Use better modules
-}
systems/kyushu/boot.nix
@@ -1,16 +1,27 @@
{ pkgs, lib, ... }:
{
+ environment.systemPackages = with pkgs; [
+ sbctl
+ ];
+
boot = {
# Secure boot configuration
- # bootspec.enable = true;
+ bootspec.enable = true;
# First boot systemd-boot has to be enabled, then switch to lanzaboote
- # loader.systemd-boot.enable = lib.mkForce false;
- # lanzaboote = {
- # enable = true;
- # pkiBundle = "/etc/secureboot";
- # };
+ loader.systemd-boot.enable = lib.mkForce false;
+ lanzaboote = {
+ enable = true;
+ pkiBundle = "/var/lib/sbctl";
+ };
- # initrd = { };
+ initrd = {
+ luks.devices."cryptroot" = {
+ crypttabExtraOpts = [ "fido2-device=auto" ];
+ };
+ systemd = {
+ fido2.enable = true;
+ };
+ };
# extraModprobeConfig = ''
# options snd_hda_intel power_save=1
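Review bot: The new `initrd` block sets `crypttabExtraOpts = [ "fido2-device=auto" ]` and `systemd.fido2.enable = true`, but nothing visible in this hunk enables the systemd stage-1 initrd, and `crypttabExtraOpts` is only honoured there; unless it is set elsewhere, add `systemd.enable = true;` next to `fido2.enable`. The `boot` attrset continues past the end of the hunk, so this may already be covered. A comment above the LUKS device would also help, for example `# FIDO2 unlock: token enrolled with systemd-cryptenroll (PIN required); passphrase keyslot kept for recovery`, because whether a touch of the token alone unlocks the disk depends on how it was enrolled, and the config does not record that. The kept comment "First boot systemd-boot has to be enabled, then switch to lanzaboote" is now stale next to the forced-off loader; it could instead say that the keys under `/var/lib/sbctl` must be created and enrolled in firmware before this generation boots with Secure Boot enforced.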
systems/kyushu/disks.nix
@@ -5,21 +5,6 @@
, ...
}:
{
-
- boot.initrd.luks.devices."cryptroot" = {
- # FIXME setup this
- # TODO: Remove this "device" attr if/when machine is reinstalled.
- # This is a workaround for the legacy -> gpt tables disko format.
- # device = lib.mkForce "/dev/disk/by-uuid/c0cac87c-53ec-4262-9ab2-a3ee8331c75a";
- # device = "/dev/disk/by-partlabel/cryptroot";
- preLVM = true;
- allowDiscards = true;
- # keyFile = "/dev/disk/by-id/usb-_USB_DISK_2.0_070D375D84327E87-0:0";
- # keyFileOffset = 30992883712;
- # keyFileSize = 4096;
- # fallbackToPassword = lib.mkForce true;
- };
-
disko.devices = {
disk = {
# 512GB root/boot drive. Configured with: