feat: setup secure-boot

modules/hosts/sirius/config.nix

@@ -10,12 +10,14 @@
     {
 
       imports = with config.flake.modules.nixos; [
+        boot
         networking
         desktop
         virtualisation
       ];
 
       tnix = {
+        boot.secure-boot.enable = true;
         services.openssh.enable = true;
 
         virtualisation = {
@@ -52,7 +54,6 @@
       # --- Boot ---
       boot = {
         loader = {
-          systemd-boot.enable = true;
           efi.canTouchEfiVariables = true;
         };
         kernelPackages = pkgs.linuxKernel.packages.linux_zen;

modules/nixos/boot/secure-boot.nix

@@ -0,0 +1,34 @@
+{ inputs, ... }:
+{
+  flake.modules.nixos.boot =
+    {
+      config,
+      lib,
+      pkgs,
+      ...
+    }:
+    let
+      cfg = config.tnix.boot;
+    in
+    {
+      imports = [ inputs.lanzaboote.nixosModules.lanzaboote ];
+
+      options.tnix.boot.secure-boot = {
+        enable = lib.mkEnableOption "Enable secure-boot";
+      };
+
+      config = lib.mkIf cfg.secure-boot.enable {
+        environment.systemPackages = [
+          pkgs.sbctl
+        ];
+
+        # Lanzaboote currently replaces the systemd-boot module.
+        boot.loader.systemd-boot.enable = lib.mkForce false;
+
+        boot.lanzaboote = {
+          enable = true;
+          pkiBundle = "/var/lib/sbctl";
+        };
+      };
+    };
+}