From 2777680940425a9a741a8ba1befef2fcf1cc139b Mon Sep 17 00:00:00 2001
From: Franck Cuny <franck@fcuny.net>
Date: Sun, 25 Jan 2026 08:20:25 -0800
Subject: enable lanzaboote

---
 profiles/secureboot.nix | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 profiles/secureboot.nix

(limited to 'profiles')

diff --git a/profiles/secureboot.nix b/profiles/secureboot.nix
new file mode 100644
index 0000000..53df8e3
--- /dev/null
+++ b/profiles/secureboot.nix
@@ -0,0 +1,17 @@
+{ pkgs, lib, ... }:
+{
+  environment.persistence."/persist/save".directories = [
+    "/var/lib/sbctl"
+  ];
+
+  environment.systemPackages = [
+    pkgs.sbctl
+  ];
+
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+
+  boot.lanzaboote = {
+    enable = true;
+    pkiBundle = "/var/lib/sbctl";
+  };
+}
-- 
cgit v1.2.3