secure boot

devices/inkvine/options.nix

@@ -4,6 +4,7 @@
   withNiri = true;
 
   withGames = true;
+  withSecureBoot = true;
 
   hwmonPath = "/sys/class/hwmon/hwmon1/temp1_input";
 

modules/default.nix

@@ -6,7 +6,9 @@ in {
     ./containers
     ./games
     ./home
+    ./impermanence
     ./niri
+    ./secureboot
     ./user
     ./utils
     ./vm

modules/secureboot/default.nix

@@ -0,0 +1,12 @@
+{ lib, config, pkgs, ... }: let
+  inherit (lib) mkIf mkForce;
+in mkIf config.withSecureBoot {
+  environment.systemPackages = [ pkgs.sbctl ];
+
+  boot.loader.systemd-boot.enable = mkForce false;
+
+  boot.lanzaboote = {
+    enable = true;
+    pkiBundle = "/etc/secureboot";
+  };
+}