From 578f18bc2db663ce19eaa3aadd4cad84abbd1e86 Mon Sep 17 00:00:00 2001
From: Yuri Tatishchev
Date: Sun, 23 Nov 2025 00:23:41 -0800
Subject: [PATCH] WIP: add secure boot
---
 .idea/copilot.data.migration.agent.xml | 6 ++++++
 .idea/copilot.data.migration.edit.xml | 6 ++++++
 flake.nix | 7 ++++++-
 hosts/common-desktop.nix | 9 +++++----
 4 files changed, 23 insertions(+), 5 deletions(-)
 create mode 100644 .idea/copilot.data.migration.agent.xml
 create mode 100644 .idea/copilot.data.migration.edit.xml
diff --git a/.idea/copilot.data.migration.agent.xml b/.idea/copilot.data.migration.agent.xml
new file mode 100644
index 0000000..4ea72a9
--- /dev/null
+++ b/.idea/copilot.data.migration.agent.xml
@@ -0,0 +1,6 @@
+ + + + + \ No newline at end of file
diff --git a/.idea/copilot.data.migration.edit.xml b/.idea/copilot.data.migration.edit.xml
new file mode 100644
index 0000000..8648f94
--- /dev/null
+++ b/.idea/copilot.data.migration.edit.xml
@@ -0,0 +1,6 @@
+ + + + + \ No newline at end of file
diff --git a/flake.nix b/flake.nix
index d251a8f..15e67bb 100644
--- a/flake.nix
+++ b/flake.nix
@@ -22,9 +22,13 @@
 url = "github:Platonic-Systems/secrix";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ lanzaboote = {
+ url = "github:nix-community/lanzaboote/v0.4.3";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
- outputs = { self, nixpkgs, home-manager, plasma-manager, nixos-generators, secrix }:
+ outputs = { self, nixpkgs, home-manager, plasma-manager, nixos-generators, secrix, lanzaboote }:
 let
 hmModule = file: {
 imports = [ home-manager.nixosModules.home-manager ];
@@ -70,6 +74,7 @@
 Yura-TPX13 = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
 modules = [
+ lanzaboote.nixosModules.lanzaboote
 ./modules
 ./hosts/common.nix
 ./hosts/common-desktop.nix
diff --git a/hosts/common-desktop.nix b/hosts/common-desktop.nix
index 275c532..3f06707 100644
--- a/hosts/common-desktop.nix
+++ b/hosts/common-desktop.nix
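Review bot: The new `lanzaboote` input is pinned only to the tag `v0.4.3` and flake.lock is not part of this commit (the diffstat lists four files, none of them the lock), so the exact revision and hash of the component that will sign every kernel and initrd on Yura-TPX13 are not fixed by this change. Commit the regenerated flake.lock together with it, and consider pinning the input to a full commit hash rather than a movable tag. The module is also added only to Yura-TPX13's module list in the second hunk, while `boot.lanzaboote` is set in hosts/common-desktop.nix, which this host imports on the line after it; any other host that imports that file without the module will fail to evaluate on the unknown option, so I would mark the coupling with a comment such as `# required by hosts/common-desktop.nix, which sets boot.lanzaboote`. Both the `inputs` attribute set and the `outputs` function extend beyond the hunks.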
@@ -11,10 +11,11 @@
 boot.loader = {
 efi.canTouchEfiVariables = true;
 timeout = 3;
- systemd-boot = {
- enable = true;
- configurationLimit = 5;
- };
+ systemd-boot.enable = false;
+ };
+ boot.lanzaboote = {
+ enable = true;
+ pkiBundle = "/var/lib/sbctl";
 };
 # https://nixos.wiki/wiki/Accelerated_Video_Playback
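Review bot: `systemd-boot.enable = false;` is a plain assignment, so if any other module of a host that imports this file still sets it to true (a generated hardware configuration, for example) evaluation fails with a conflicting-definition error; lanzaboote's setup guide uses `systemd-boot.enable = lib.mkForce false;` here for that reason, assuming `lib` is among the module arguments (the file header is outside the hunk). `pkiBundle = "/var/lib/sbctl";` names the directory holding the Secure Boot private signing keys, which lanzaboote does not create; they must exist before the first rebuild, and since anyone holding them can produce a boot entry the firmware will accept they should remain root-only and out of the repository and of any plain-text backup. Enabling lanzaboote only adds signatures — enforcement depends on the keys from that bundle being enrolled in firmware and Secure Boot being switched on, which is worth stating next to `enable = true;`, e.g. `# signs generations only; enforcement needs the pkiBundle keys enrolled in firmware and Secure Boot on`. The old `configurationLimit = 5;` is dropped with no replacement, so if the cap on boot entries was intentional set lanzaboote's own `configurationLimit` option. The module attribute set enclosing `boot.loader` begins and ends outside the hunk.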