WIP: add secure boot

.idea/copilot.data.migration.agent.xml

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="AgentMigrationStateService">
+    <option name="migrationStatus" value="COMPLETED" />
+  </component>
+</project>

.idea/copilot.data.migration.edit.xml

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="EditMigrationStateService">
+    <option name="migrationStatus" value="COMPLETED" />
+  </component>
+</project>

flake.nix

@@ -22,9 +22,13 @@
       url = "github:Platonic-Systems/secrix";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    lanzaboote = {
+      url = "github:nix-community/lanzaboote/v0.4.3";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
-  outputs = { self, nixpkgs, home-manager, plasma-manager, nixos-generators, secrix }:
+  outputs = { self, nixpkgs, home-manager, plasma-manager, nixos-generators, secrix, lanzaboote }:
   let
     hmModule = file: {
       imports = [ home-manager.nixosModules.home-manager ];
@@ -70,6 +74,7 @@
       Yura-TPX13 = nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";
         modules = [
+          lanzaboote.nixosModules.lanzaboote
           ./modules
           ./hosts/common.nix
           ./hosts/common-desktop.nix

hosts/common-desktop.nix

@@ -11,10 +11,11 @@
   boot.loader = {
     efi.canTouchEfiVariables = true;
     timeout = 3;
-    systemd-boot = {
+    systemd-boot.enable = false;
-      enable = true;
+  };
-      configurationLimit = 5;
+  boot.lanzaboote = {
-    };
+    enable = true;
+    pkiBundle = "/var/lib/sbctl";
   };
 
   # https://nixos.wiki/wiki/Accelerated_Video_Playback