[feat] Add secureboot

config/nix/nixos/configuration.nix

@@ -1,12 +1,17 @@
 # Edit this configuration file to define what should be installed on
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
-{ pkgs, ... }: {
+{ pkgs,  ... }: {
   imports = [
     # Include the results of the hardware scan.
     ./hardware-configuration.nix
   ];
 
+  boot.lanzaboote = {
+    enable = true;
+    pkiBundle = "/etc/secureboot";
+  };
+
   environment.etc = {
     "wireplumber/bluetooth.lua.d/51-bluez-config.lua".text = ''
       bluez_monitor.properties = {
@@ -21,7 +26,8 @@
   hardware.bluetooth.enable = true;
   hardware.bluetooth.powerOnBoot = true;
   # Bootloader.
-  boot.loader.systemd-boot.enable = true;
+  boot.loader.systemd-boot.enable = pkgs.lib.mkForce false;
+
   boot.loader.efi.canTouchEfiVariables = true;
   boot.bootspec.enable = true;
 

config/nix/nixos/device.nix

@@ -3,11 +3,15 @@ builtins.listToAttrs (builtins.map (device: {
   name = device.name;
   value = nixpkgs.lib.nixosSystem {
     system = device.system;
-    specialArgs = { inherit device; };
+    specialArgs = {
+      inherit device;
+      lanzaboote = inputs.lanzaboote;
+    };
     modules = [
       { nixpkgs.overlays = overlays; }
       ./configuration.nix
       home-manager.nixosModules.home-manager
+      inputs.lanzaboote.nixosModules.lanzaboote
       {
         nixpkgs.config.allowUnfree = true;
         home-manager = {