feat: setup secure boot with lazanboote.

flake.nix

@@ -140,6 +140,12 @@
 
     # Some gaming related stuff ( actual osu! )
     nix-gaming.url = "github:cronyakatsuki/nix-gaming";
+
+    # Secure boot with nixos
+    lanzaboote = {
+      url = "github:nix-community/lanzaboote/v1.0.0";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
   outputs = {
@@ -154,6 +160,7 @@
     agenix,
     nix-flatpak,
     chaotic,
+    lanzaboote,
     ...
   } @ inputs: let
     hostsData = import ./hosts.nix;
@@ -363,6 +370,8 @@
           nix-flatpak.nixosModules.nix-flatpak
           # Use chaotic for some packages
           chaotic.nixosModules.default
+          # Setup secure boot
+          lanzaboote.nixosModules.lanzaboote
           # Setup home manager for my user
           home-manager.nixosModules.home-manager
           {

hosts/skadi/configuration.nix

@@ -2,6 +2,7 @@
   inputs,
   config,
   pkgs,
+  lib,
   ...
 }: {
   imports = [
@@ -11,9 +12,20 @@
     inputs.home-manager.nixosModules.home-manager
   ];
 
+  # For tpm unlock
+  boot.initrd.systemd.enable = true;
+
+  # To explicitly disable systemd-boot, lanzaboote takes care of that.
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+
   # Bootloader.
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
+  boot.lanzaboote = {
+    enable = true;
+    pkiBundle = "/var/lib/sbctl";
+    autoEnrollKeys = {
+      enable = true;
+    };
+  };
 
   # Enable aarch64 emulation
   boot.binfmt.emulatedSystems = ["aarch64-linux"];