enabled secure boot

flake.nix

@@ -21,6 +21,11 @@
       url = "github:nix-community/home-manager/release-25.05";
       inputs.nixpkgs.follows = "nixpkgs-stable";
     };
+    lanzaboote = {
+      url = "github:nix-community/lanzaboote/v1.0.0";
+      # Optional but recommended to limit the size of your system closure.
+      inputs.nixpkgs.follows = "nixpkgs-unstable";
+    };
     asus-numberpad-driver = {
       url = "github:asus-linux-drivers/asus-numberpad-driver";
       inputs.nixpkgs.follows = "nixpkgs-unstable";
@@ -33,7 +38,7 @@
 #    chaotic.url = "github:chaotic-cx/nyx/nyxpkgs-unstable";
   };
 
-  outputs = { self, nixpkgs-unstable, impermanence, home-manager, nixpkgs-stable, hm-stable, millennium, lix-module, asus-numberpad-driver, zapret-discord-youtube, ...}@inputs: {
+  outputs = { self, nixpkgs-unstable, impermanence, home-manager, nixpkgs-stable, hm-stable, lanzaboote, millennium, lix-module, asus-numberpad-driver, zapret-discord-youtube, ...}@inputs: {
     nixosConfigurations = {
       Ratchet = nixpkgs-unstable.lib.nixosSystem {
         system = "x86_64-linux";
@@ -87,6 +92,18 @@
 #          ./hosts/generic/zapret.nix
           ./hosts/Aphelion/dlna.nix
           ./hosts/Aphelion/Aphelion_misc.nix
+          lanzaboote.nixosModules.lanzaboote
+          ({ pkgs, lib, ... }: {
+            # Lanzaboote currently replaces the systemd-boot module.
+            # This setting is usually set to true in configuration.nix
+            # generated at installation time. So we force it to false
+            # for now.
+            boot.loader.systemd-boot.enable = lib.mkForce false;
+            boot.lanzaboote = {
+              enable = true;
+              pkiBundle = "/var/lib/sbctl";
+            };
+          })
           home-manager.nixosModules.home-manager
           {
             home-manager.useUserPackages = true;