From 968b0c90bd84e0b000ee8dec475eb03051eda106 Mon Sep 17 00:00:00 2001
From: Julien Malka <julien@malka.sh>
Date: Thu, 2 Nov 2023 17:23:53 +0100
Subject: [PATCH] Activate secure boot

---
 machines/telecom/default.nix | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/machines/telecom/default.nix b/machines/telecom/default.nix
index 9f55b3c..6ff656b 100644
--- a/machines/telecom/default.nix
+++ b/machines/telecom/default.nix
@@ -11,7 +11,12 @@
 
 
 
-  boot.loader.systemd-boot.enable = true;
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+  boot.lanzaboote = {
+    enable = true;
+    pkiBundle = "/etc/secureboot";
+  };
+
   boot.initrd.systemd.enable = true;
   sound.enable = true;
   #hardware.pulseaudio.enable = true;
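Review bot: The new `boot.lanzaboote.pkiBundle = "/etc/secureboot";` line assumes a Secure Boot PKI (PK/KEK/db keys) already exists at that path on the machine, and nothing in this commit creates or documents it; the rebuild will fail, or produce unsigned bundles, until the keys are generated there (lanzaboote's documented flow is `sbctl create-keys` into that directory) and enrolled in firmware. Since the private keys in that bundle sign every boot entry, a short comment above the block stating where they come from and that the directory must stay root-only would save the next maintainer from guessing: `# Secure Boot signing keys; created out-of-band with sbctl, keep root-only`. `lib.mkForce` on the systemd-boot line also requires `lib` in the module's argument set, which is outside this hunk and cannot be confirmed from here.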
@@ -48,6 +53,7 @@
     displayManager.gdm.enable = true;
   };
 
+
   services.tailscale.enable = true;
   networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
 
@@ -104,6 +110,15 @@
   ];
   services.gnome.gnome-keyring.enable = true;
 
+  services.openssh.extraConfig = ''
+    HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
+    HostKey /etc/ssh/ssh_host_ed25519_key
+    TrustedUserCAKeys /etc/ssh/ssh_user_key.pub
+    MaxAuthTries 20
+  '';
+
+
+
   system.stateVersion = "23.05";
 
 }
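Review bot: `MaxAuthTries 20` in the new `services.openssh.extraConfig` block raises sshd's per-connection limit well above its default of 6, which weakens the existing brute-force throttling on a host that is now also trusting a user CA; unless there is a known need (e.g. agents offering many keys), it should be dropped or lowered, with the reason recorded in a comment such as `# raised from sshd default of 6 because <reason>`. The `HostKey` line likely duplicates what NixOS already emits from `services.openssh.hostKeys` (which by default also generates an RSA key), so if the intent is to present only the ed25519 key, setting `services.openssh.hostKeys` to that single entry is the supported way rather than adding a second `HostKey` directive. With `TrustedUserCAKeys` enabled it is also worth confirming, outside this hunk, that password authentication is disabled so certificate/key auth is the only path.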