testing lanzaboote

hosts/cnix/default.nix

@@ -69,9 +69,13 @@ in {
 
   # Bootloader
   boot.loader = {
-    systemd-boot.enable = true;
+    systemd-boot.enable = lib.mkForce false;
     efi.canTouchEfiVariables = true;
   };
+  boot.lanzaboote = {
+    enable = true;
+    pkiBundle = "/etc/secureboot";
+  };
   # Enable networking
   networking = {
     networkmanager.enable = true;

hosts/core/default.nix

@@ -33,8 +33,10 @@
   environment = {
     localBinInPath = true;
     systemPackages = [
-      # Dev
+      # Core
       pkgs.git
+      pkgs.sbctl
+      pkgs.niv
 
       # Util
       pkgs.stow