From ab6611a231d51f3213bf3e19a06f915491c01722 Mon Sep 17 00:00:00 2001
From: unexplrd
Date: Sat, 29 Mar 2025 14:30:34 +0200
Subject: [PATCH] hosts/dunamis/boot.nix: add lanzaboote hosts/dunamis/services.nix: disable scx because module.sig_enforce and/or lockdown=confidentiality break it
Signed-off-by: unexplrd
---
 hosts/dunamis/boot.nix | 8 +++++++-
 hosts/dunamis/services.nix | 2 +-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/hosts/dunamis/boot.nix b/hosts/dunamis/boot.nix
index 7ab401b..0ad1dea 100644
--- a/hosts/dunamis/boot.nix
+++ b/hosts/dunamis/boot.nix
@@ -1,10 +1,12 @@
 {
 pkgs,
+ config,
 inputs,
 ...
 }: {
 imports = with inputs; [
 chaotic.nixosModules.default
+ lanzaboote.nixosModules.lanzaboote
 ];
 boot = {
 # kernelPackages = pkgs.linuxPackages_latest;
@@ -42,9 +44,13 @@
 };
 loader.efi.canTouchEfiVariables = true;
 loader.systemd-boot = {
- enable = true;
+ enable = !config.boot.lanzaboote.enable;
 consoleMode = "auto";
 };
+ lanzaboote = {
+ enable = true;
+ pkiBundle = "/var/lib/sbctl";
+ };
 plymouth.enable = true;
 };
 console = {
diff --git a/hosts/dunamis/services.nix b/hosts/dunamis/services.nix
index 5a7e2f8..bb9398b 100644
--- a/hosts/dunamis/services.nix
+++ b/hosts/dunamis/services.nix
@@ -24,7 +24,7 @@
 };
 };
 scx = {
- enable = true;
+ enable = false;
 scheduler = "scx_flash";
 };
 logind = {
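Review bot: `pkiBundle = "/var/lib/sbctl";` in the new `lanzaboote` block names the directory that holds the Secure Boot private signing keys, and nothing next to it says so or that the keys presumably have to exist before the first rebuild with `enable = true`. I would add above it `# Secure Boot signing keys (private): generate with sbctl before the first rebuild, keep root-only, never in the repo` so the path is not later treated as disposable state or copied into an unencrypted backup. Signing alone enforces nothing until those keys are enrolled and Secure Boot is switched on in firmware setup, which a second comment line could record. The `boot` attribute set starts and ends outside this hunk.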
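Review bot: `enable = false;` under `scx` has its reason only in the commit message, while `scheduler = "scx_flash";` stays in place and reads as if the service were merely toggled off. A comment on that line, e.g. `# off: scx fails to start with module.sig_enforce and/or lockdown=confidentiality`, would keep someone from re-enabling it later and then loosening the kernel hardening to make it run. Those kernel parameters are not visible in any hunk of this patch, so where they are set is something to confirm before pointing the comment at a file. The enclosing attribute set continues outside the hunk.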