From 3c9a0d97f6e1403132722b2519731837f0e1060a Mon Sep 17 00:00:00 2001
From: Charlotte Van Petegem
Date: Tue, 20 Jun 2023 10:39:29 +0200
Subject: [PATCH] Enable secure boot on kharbranth

---
 machines/kharbranth/hardware.nix | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/machines/kharbranth/hardware.nix b/machines/kharbranth/hardware.nix
index 3cbabd33..ccbeb92e 100644
--- a/machines/kharbranth/hardware.nix
+++ b/machines/kharbranth/hardware.nix
@@ -4,10 +4,11 @@
 imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];

 boot = {
- loader = {
- systemd-boot.enable = true;
- efi.canTouchEfiVariables = true;
+ lanzaboote = {
+ enable = true;
+ pkiBundle = "/etc/secureboot";
 };
+ loader.efi.canTouchEfiVariables = true;
 initrd = {
 availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
 kernelModules = [ "i915" ];
@@ -19,6 +20,11 @@
 };
 };

+ chvp.base.zfs.systemLinks = [{ path = "/etc/secureboot"; type = "cache"; }];
+
+ # For Secure Boot management
+ environment.systemPackages = [ pkgs.sbctl ];
+
 fileSystems."/" = {
 device = "rpool/local/root";
 fsType = "zfs";
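Review bot: The new `lanzaboote` block in `boot` has no comment saying that it only signs the boot files with the keys in `pkiBundle`. Secure Boot is not enforced until those keys are enrolled in firmware and the firmware is set to enforce them. I would add above `lanzaboote = {` a comment such as `# Signs boot files with the keys in pkiBundle; enforcement needs the keys enrolled in firmware (verify with sbctl status)`. The hunk drops `systemd-boot.enable = true` rather than forcing it off, so it is worth confirming that no shared module re-enables it; lanzaboote's setup notes use `boot.loader.systemd-boot.enable = lib.mkForce false;` for this. The `boot` attribute set starts inside the hunk but continues past its end.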
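Review bot: `/etc/secureboot` holds the private Secure Boot signing keys, but the `chvp.base.zfs.systemLinks` line persists it as `type = "cache"` without stating how that dataset is protected. What "cache" means is defined outside this hunk. If that dataset is unencrypted, replicated elsewhere, or readable by non-root users, the keys that this machine's firmware trusts are exposed along with it. I would add a comment on that line such as `# Secure Boot private keys: keep this dataset encrypted and root-only; if lost, keys must be re-created and re-enrolled`, and confirm that "cache" rather than a backed-up type is intended. The `fileSystems."/"` block after the added lines continues past the hunk.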