aoife: enable secure boot

nixos/common/desktop/default.nix

@@ -38,7 +38,7 @@
   services.printing.enable = true;
 
   # Global Packages
-  environment.systemPackages = with pkgs; [ wireguard-tools ];
+  environment.systemPackages = with pkgs; [ wireguard-tools sbctl ];
 
   # Enable sound with pipewire.
   sound.enable = true;

nixos/hosts/thalassa/aoife/configuration.nix

@@ -2,7 +2,7 @@
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 
-{ inputs, ... }: {
+{ inputs, lib, ... }: {
   imports = [
     ./hardware-configuration.nix
     inputs.nixos-hardware.nixosModules.lenovo-thinkpad-z
@@ -11,8 +11,16 @@
 
   # Bootloader.
   boot = {
+    bootspec.enable = true;
     initrd.kernelModules = [ "amdgpu" ];
     resumeDevice = "/dev/nvme0n1p2";
+    loader.systemd-boot.enable = lib.mkForce false;
+
+    lanzaboote = {
+      enable = true;
+      configurationLimit = 5;
+      pkiBundle = "/etc/secureboot";
+    };
   };
 
   home-manager = {

nixos/util.nix

@@ -1,4 +1,4 @@
-{ nixpkgs, home-manager, mailserver, ... }:
+{ nixpkgs, home-manager, mailserver, lanzaboote, ... }:
 let
   inherit (builtins) filter attrValues concatMap mapAttrs;
   inherit (nixpkgs.lib.attrsets) mapAttrsToList;
@@ -13,7 +13,10 @@ let
         ./common/generic-lxc.nix
       ];
       "vm" = [ ./common/generic-vm.nix ];
-      "local" = [ ./common/desktop ];
+      "local" = [
+        lanzaboote.nixosModules.lanzaboote
+        ./common/desktop
+      ];
     };
   in type: import_cases.${type} ++ base_imports;
   # Helper function to resolve what should be imported depending on the type of config (lxc, vm, bare metal)