Add secureBoot

base/common_hardware.nix

@@ -16,13 +16,27 @@ in {
   # Bootloader.
   boot = {
     consoleLogLevel = 0;
-    loader = {
+
-      systemd-boot = lib.mkIf config.conf.useSystemdBootloader {
+    boot.loader.systemd-boot.enable = lib.mkForce false;
+
+    boot.lanzaboote = lib.mkIf config.conf.secureBoot {
       enable = true;
+      pkiBundle = "/var/lib/sbctl";
+    };
+
+    loader = {
+      systemd-boot = {
+        enable =
+          if config.conf.secureBoot
+          then lib.mkForce false
+          else if config.conf.useSystemdBootloadertrue
+          then true
+          else false;
         configurationLimit = 5;
       };
       efi.canTouchEfiVariables = true;
     };
+
     kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
     initrd = {
       verbose = false;

modules/conf.nix

@@ -20,6 +20,15 @@
       '';
     };
 
+    secureBoot = lib.mkOption {
+      default = false;
+      example = true;
+      description = ''
+        enables secure boot.
+        Please don't forget to add your keys.
+      '';
+    };
+
     useSystemdBootloader = lib.mkOption {
       default = true;
       example = false;

modules/programs/basePackages.nix

@@ -74,6 +74,7 @@
             seahorse
             upower
             xorg.xkbutils
+            sbctl
           ]
           ++ config.mods.basePackages.additionalPackages
       else config.mods.basePackages.additionalPackages;