rexxar: encrypt zu2

Luke Granger-Brown 2024-03-25 20:17:52 +00:00
parent e7a1cf462c
commit b9959b267c


@ -22,12 +22,27 @@
"sd_mod" "sd_mod"
"sr_mod" "sr_mod"
]; ];
systemd.enable = true;
systemd.services."zfs-import-zu2" = {
after = [ "zfs-import-zboot.service" ];
requires = [ "zfs-import-zboot.service" ];
script = lib.mkBefore ''
test -d /sysroot/persist || mount -t zfs zboot/local/root /sysroot
test -f /sysroot/persist/zu2-key || mount -t zfs zboot/safe/persist /sysroot/persist
ln -s /sysroot/persist /persist
'';
}; };
};
security.tpm2.enable = true;
boot.kernelModules = [ "kvm-amd" ]; boot.kernelModules = [ "kvm-amd" ];
hardware.cpu.amd.updateMicrocode = true; hardware.cpu.amd.updateMicrocode = true;
boot.kernelParams = [ boot.kernelParams = [
"nomodeset" "nomodeset"
]; ];
environment.systemPackages = with pkgs; [
clevis
];
# Use the systemd-boot EFI boot loader. # Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
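Review bot: The new `script` for `systemd.services."zfs-import-zu2"` makes the key for zu2 available from `/sysroot/persist/zu2-key` on `zboot/safe/persist`, but nothing visible here says whether that file is the raw key or a blob sealed to the TPM. If it is the raw key and zboot is not itself encrypted, anyone holding the disks can read it, so encrypting zu2 adds little. Since the same change adds `security.tpm2.enable` and `clevis`, sealing is presumably the intent; I would record it above the script, e.g. `# zu2-key must be a clevis/TPM2-sealed blob, never the raw key; zboot is readable at rest`, adjusted to whatever is actually true on this host. Separately, `ln -s /sysroot/persist /persist` fails when the link already exists (for example on a unit restart) and would likely fail the import unit; `ln -sfn /sysroot/persist /persist` is idempotent. The enclosing attribute set starts outside this hunk, so whether this runs in the initrd is inferred from the `/sysroot` paths.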