doc: add a more complete flakes fragment for quickstart

Julian Stecklina 2023-02-19 19:34:52 +01:00
parent a75e2b4c95
commit 6e72e2fed2
1 changed files with 47 additions and 28 deletions


@ -125,38 +125,57 @@ Below is a fragment of a NixOS configuration that enables the Secure
Boot stack. Boot stack.
```nix ```nix
nixosConfigurations = { {
yourHost = nixpkgs.lib.nixosSystem { description = "A SecureBoot-enabled NixOS configurations";
system = "x86_64-linux";
modules = [ inputs = {
# ... other modules ... nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
lanzaboote.nixosModules.lanzaboote lanzaboote = {
url = "github:nix-community/lanzaboote";
({ config, pkgs, lib, ... }: { # Optional but recommended to limit the size of your system closure.
# This should already be here from switching to bootspec earlier. inputs.nixpkgs.follows = "nixpkgs";
# It's not required anymore, but also doesn't do any harm. };
boot.bootspec.enable = true;
environment.systemPackages = [
# For debugging and troubleshooting Secure Boot.
pkgs.sbctl
];
# Lanzaboote currently replaces the systemd-boot module.
# This setting is usually set to true in configuration.nix
# generated at installation time. So we force it to false
# for now.
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
};
})
];
}; };
outputs = { self, nixpkgs, lanzaboote, ...}: {
nixosConfigurations = {
yourHost = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
# This is not a complete NixOS configuration and you need to reference
# your normal configuration here.
lanzaboote.nixosModules.lanzaboote
({ pkgs, lib, ... }: {
# This should already be here from switching to bootspec earlier.
# It's not required anymore, but also doesn't do any harm.
boot.bootspec.enable = true;
environment.systemPackages = [
# For debugging and troubleshooting Secure Boot.
pkgs.sbctl
];
# Lanzaboote currently replaces the systemd-boot module.
# This setting is usually set to true in configuration.nix
# generated at installation time. So we force it to false
# for now.
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
};
})
];
};
};
};
}
``` ```
After you rebuild your system, check `sbctl verify` output: After you rebuild your system, check `sbctl verify` output: