feat: enable secure boot

flake.nix

@@ -10,17 +10,42 @@
     hyprland.url = "git+https://github.com/hyprwm/Hyprland?submodules=1";
     catppuccin.url = "github:catppuccin/nix";
     zimfw.url = "github:joedevivo/zimfw.nix";
+    lanzaboote = {
+      url = "github:nix-community/lanzaboote/v0.4.1";
+
+      # Optional but recommended to limit the size of your system closure.
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
-  outputs = { self, nixpkgs, home-manager, catppuccin, zimfw, ... }@inputs: {
+  outputs = { self, nixpkgs, home-manager, catppuccin, zimfw, lanzaboote, ... }@inputs: {
     nixosConfigurations.nixos = nixpkgs.lib.nixosSystem {
       specialArgs = { inherit inputs; };
       system = "x86_64-linux";
       modules = [
         ./configuration.nix
-  
+
         catppuccin.nixosModules.catppuccin
 
+        lanzaboote.nixosModules.lanzaboote
+        ({ pkgs, lib, ... }: {
+          environment.systemPackages = [
+            # For debugging and troubleshooting Secure Boot.
+            pkgs.sbctl
+          ];
+
+          # Lanzaboote currently replaces the systemd-boot module.
+          # This setting is usually set to true in configuration.nix
+          # generated at installation time. So we force it to false
+          # for now.
+          boot.loader.systemd-boot.enable = lib.mkForce false;
+
+          boot.lanzaboote = {
+            enable = true;
+            pkiBundle = "/etc/secureboot";
+          };
+        })
+
         home-manager.nixosModules.home-manager
         {
           home-manager.useGlobalPkgs = true;