fin secureboot support

flake.nix

@@ -83,9 +83,9 @@
         specialArgs = {inherit inputs stable_pkgs unstable_pkgs;};
         modules = [
           ./hosts/nixos/yveltal/configuration.nix
+          ./hosts/nixos/yveltal/disko.nix
           inputs.home-manager-unstable.nixosModules.default
           inputs.disko.nixosModules.disko
-          ./hosts/nixos/yveltal/disko.nix
         ];
       };
       vaniville = nixpkgs.lib.nixosSystem {

modules/system/secure_boot/default.nix

@@ -14,17 +14,27 @@ in {
   imports = [inputs.lanzaboote.nixosModules.lanzaboote];
 
   config = lib.mkIf cfg.enable {
-
     # install userspace secureboot tools
     environment.systemPackages = with pkgs; [
       sbctl
+      e2fsprogs
     ];
 
     # force disable systemd-boot so lanzaboote can be used
     boot.loader.systemd-boot.enable = lib.mkForce false;
 
-    # make sure the keys are generated and in the pkiBundle path
+    /*
-    # with `nix-shell -p --run "sbctl create-keys"`
+    this uses the project lanzaboote for secureboot (fork of systemd)
+    setup guide can be found here: https://github.com/nix-community/lanzaboote/blob/master/docs/QUICK_START.md
+    tldr:
+    while currently using systemd-boot
+    generate keys with `nix-shell -p --run "sudo sbctl create-keys"`
+    rebuild with this module enabled then check `sudo sbctl verify`
+    reboot and enable secureboot setup mode in bios
+    check that setup mode is enabled with `sudo sbctl status`
+    enroll keys with `sudo sbctl enroll-keys` use the `--microsoft` flag to incude their keys for compatibality
+    reboot (disable secureboot setup mode if not done automatically) then check secure boot status with `sudo bootctl status`
+    */
     boot.lanzaboote = {
       enable = true;
       pkiBundle = "/var/lib/sbctl";