Allow enabling Secure Boot

2024-09-20 00:56:56 +02:00 · 2024-09-20 00:56:56 +02:00 · a2c95202b6
parent 3a5a0a5e19
commit a2c95202b6
5 changed files with 56 additions and 2 deletions
--- a/lib/modules/os.nix
+++ b/lib/modules/os.nix
@ -25,7 +25,20 @@
                ];
              };

-              linuxVariant = osVariant.extendModules { };
+              linuxVariant = osVariant.extendModules {
+                modules = [
+                  ({ ... }: {
+                    options = {
+                      secureBoot = mkOption {
+                        type = types.bool;
+                        description = "A value indicating whether the system supports Secure Boot.";
+                        default = false;
+                      };
+                    };
+                  })
+                ];
+              };
+
              windowsVariant = osVariant.extendModules { };
            in {
              options = {
--- a/profiles/machines/manuel/DerGeret/config.nix
+++ b/profiles/machines/manuel/DerGeret/config.nix
@ -6,6 +6,7 @@
  config = {
    valhalla = {
      hostname = lib.mkDefault "der-geret";
+      linux.secureBoot = true;

      windows = {
        dualboot = {
--- a/profiles/machines/manuel/ManuSurface/config.nix
+++ b/profiles/machines/manuel/ManuSurface/config.nix
@ -6,6 +6,7 @@
  config = {
    valhalla = {
      hostname = "manu-surface";
+      linux.secureBoot = true;
      partition.os.deviceName = "nvme0n1";
    };
  };
--- a/scripts/Arch/Config/SecureBoot/main.fish
+++ b/scripts/Arch/Config/SecureBoot/main.fish
@ -0,0 +1,35 @@
+#!/bin/env fish
+begin
+    set -l dir (status dirname)
+    source "$dir/../../Scripts/software.fish"
+
+    function installSW -V dir
+        yayinst secureboot-grub
+    end
+
+    function configureSW -V dir
+        source "$dir/../../../Common/Scripts/config.fish"
+        set -l label (getConfig valhalla.boot.label)
+        set -l efiDir (getConfig valhalla.boot.efiMountPoint)
+        set -l bootNums (efibootmgr | sed "/$label/{ s/^.*Boot\([[:digit:]]\+\)\*.*\$/\1/; p; }; d")
+
+        for bootNum in $bootNums
+            sudo efibootmgr --delete-bootnum --bootnum $bootNum
+        end
+
+        sudo sed -i \
+            -e "/esp=/{" \
+                -e "a esp=\"$efiDir\"" \
+                -e "d" \
+            -e "}" \
+            -e "/bootloader_id=/{" \
+                -e "a bootloader_id=\"$label\"" \
+                -e "d" \
+            -e "}" \
+            /etc/secureboot.conf
+
+        sudo secure-grub-install
+    end
+
+    runInstaller $argv
+end
--- a/scripts/Arch/Scripts/deploy.fish
+++ b/scripts/Arch/Scripts/deploy.fish
@ -14,7 +14,11 @@ function deploySoftware -d "Deploys a the specified software action" -a action
        end
    )

-    if collectionActive essential
+    if getConfig valhalla.linux.secureBoot --json | jq --exit-status > /dev/null
+        source "$dir/../Config/SecureBoot/main.fish" $argv
+    end
+
+    and if collectionActive essential
        if $isInstall
            yayinst \
                mkinitcpio-firmware \