From 56019d19595201670b3b451093ee8e24df3e7f8f Mon Sep 17 00:00:00 2001
From: Fern Garden
Date: Sat, 20 Sep 2025 09:18:24 +0800
Subject: [PATCH] Re-enable lanzaboote

---
 hosts/muskduck/default.nix | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/hosts/muskduck/default.nix b/hosts/muskduck/default.nix
index bdaeb3e..9703476 100644
--- a/hosts/muskduck/default.nix
+++ b/hosts/muskduck/default.nix
@@ -1,8 +1,20 @@
-{
+{lib, ...}:
+with lib; {
 # Kernel modules.
 boot.initrd.availableKernelModules = ["xhci_pci" "nvme" "usb_storage" "sd_mod"];
 boot.kernelModules = ["kvm-intel"];
 
+ # Enable lanzaboote & secure boot.
+ boot.initrd.systemd.enable = true;
+ boot.loader.systemd-boot.enable = mkForce false;
+ boot.bootspec.enable = true;
+
+ boot.lanzaboote = {
+ enable = true;
+ pkiBundle = "/var/lib/sbctl";
+ settings.timeout = 0;
+ };
+
 # Full disk encryption.
 boot.initrd.luks.devices."nvme0n1p2_crypt".device = "/dev/disk/by-uuid/7196bd89-099f-4e9e-80e5-3d6d555272b1";
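Review bot: The `boot.lanzaboote` block only shows that boot images get signed with the keys under `pkiBundle = "/var/lib/sbctl"`; nothing in the hunk establishes that the firmware has those keys enrolled and Secure Boot enforced, so the comment should say how that is checked, e.g. `# Signing keys live in /var/lib/sbctl (root-only); confirm enrollment and enforcement with "sbctl status" after deploying.` That directory presumably sits on the LUKS-encrypted root declared just below, which protects the keys at rest but not from anything running as root, and is worth stating in the same comment. `settings.timeout = 0` hides the boot menu, so a short comment noting that this is intentional and how an older generation is reached would help whoever has to roll back. As a style point, `with lib;` on the new first lines is opened over the whole module only to reach `mkForce`; `boot.loader.systemd-boot.enable = lib.mkForce false;` with a plain `{lib, ...}: {` header keeps the scope explicit.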