service/lanzaboote: init

flake.nix

@@ -13,6 +13,10 @@
       url = "github:Mic92/sops-nix";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    lanzaboote = {
+      url = "github:nix-community/lanzaboote/v0.4.2";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
     nvim-lazy = {
       url = "git+https://git.ophanim.de/derped/lazy.nvim.nix.git";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -24,6 +28,7 @@
       nixpkgs,
       flake-utils,
       mailserver,
+      lanzaboote,
       sops-nix,
       ...
     }@attrs:
@@ -75,6 +80,7 @@
                 [
                   (toString ./options/machine.nix)
                   sops-nix.nixosModules.sops
+                  lanzaboote.nixosModules.lanzaboote
                 ]
                 ++ machineFiles
                 ++ configFiles

services/impermanence.nix

@@ -49,7 +49,7 @@ in
       ++ optional config.services.nginx.enable "/var/www"
       ++ optional config.services.forgejo.enable "/var/lib/forgejo"
       ++ optional config.services.radicale.enable config.services.radicale.settings.storage.filesystem_folder
-      ++ optional config.services.fprintd.enable "/var/lib/fprint"
+      ++ optional config.boot.lanzaboote.enable "/var/lib/sbctl"
       ++ optionals config.mailserver.enable [
         "/var/lib/dovecot"
         "/var/vmail"

services/lanzaboote.nix

@@ -0,0 +1,26 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+with lib;
+
+mkIf (elem "lanzaboote" config.machine.services) {
+  environment.systemPackages = [
+    # For debugging and troubleshooting Secure Boot.
+    pkgs.sbctl
+  ];
+
+  # Lanzaboote currently replaces the systemd-boot module.
+  # This setting is usually set to true in configuration.nix
+  # generated at installation time. So we force it to false
+  # for now.
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+
+  boot.lanzaboote = {
+    enable = true;
+    pkiBundle = "/persist/var/lib/sbctl";
+  };
+}