add secure boot support

modules/system/secure_boot/default.nix

@@ -23,6 +23,8 @@ in {
     # force disable systemd-boot so lanzaboote can be used
     boot.loader.systemd-boot.enable = lib.mkForce false;
 
+    # make sure the keys are generated and in the pkiBundle path
+    # with `nix-shell -p --run "sbctl create-keys"`
     boot.lanzaboote = {
       enable = true;
       pkiBundle = "/var/lib/sbctl";