hosts/dunamis/boot.nix: add lanzaboote

hosts/dunamis/services.nix: disable scx because module.sig_enforce and/or lockdown=confidentiality break it

Signed-off-by: unexplrd <unexplrd@linerds.us>

hosts/dunamis/boot.nix

@@ -1,10 +1,12 @@
 {
   pkgs,
+  config,
   inputs,
   ...
 }: {
   imports = with inputs; [
     chaotic.nixosModules.default
+    lanzaboote.nixosModules.lanzaboote
   ];
   boot = {
     # kernelPackages = pkgs.linuxPackages_latest;
@@ -42,9 +44,13 @@
     };
     loader.efi.canTouchEfiVariables = true;
     loader.systemd-boot = {
-      enable = true;
+      enable = !config.boot.lanzaboote.enable;
       consoleMode = "auto";
     };
+    lanzaboote = {
+      enable = true;
+      pkiBundle = "/var/lib/sbctl";
+    };
     plymouth.enable = true;
   };
   console = {

hosts/dunamis/services.nix

@@ -24,7 +24,7 @@
       };
     };
     scx = {
-      enable = true;
+      enable = false;
       scheduler = "scx_flash";
     };
     logind = {