[Feature Request] Secure Boot

Secure boot is common in modern hardware and is supported in NixOS via Lanzaboote.

I have been successfully running this on my own laptop for weeks without issue. It would be awesome to have this enabled in the options.nix file or something similar; it only requires a few changes.

Make sure the keys have been generated and enrolled via the BIOS (this guide goes into detail on how; you can just use nix shell to get sbctl for generating the keys, and niv is not needed at all).

Flake.nix changes:

Insert the following as an input below nixpkgs.url

    lanzaboote = {
      url = "github:nix-community/lanzaboote/v0.3.0";

      # Optional but recommended to limit the size of your system closure.
      inputs.nixpkgs.follows = "nixpkgs";
    };

Add lanzaboote as an entry in the outputs line:

    outputs = inputs@{ nixpkgs, home-manager, impermanence, lanzaboote, ... }:

And then finally as a module

        modules = [
          ./system.nix
          lanzaboote.nixosModules.lanzaboote
          impermanence.nixosModules.impermanence

Boot.nix changes needed:

Comment out systemd-boot, and add the Lanzaboote bootloader instead:

    # Bootloader
    # boot.loader.systemd-boot.enable = true;
    boot.lanzaboote = {
      enable = true;
      pkiBundle = "/etc/secureboot";
    };

Voila! Rebuild and make sure Secure Boot is enabled in your BIOS. Would love to hear any feedback or suggestions anyone has.
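To confirm that the rebuild actually left the machine enforcing Secure Boot (rather than sitting in setup mode with the keys enrolled but nothing checked, or with the BIOS toggle still off), the following check script is an added example; it is not part of this issue or of the Lanzaboote project. It reads the UEFI variables SecureBoot and SetupMode through efivarfs, which it assumes is mounted at /sys/firmware/efi/efivars; the GUID is the standard EFI global variable namespace. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original issue): verify Secure Boot state after
# switching to Lanzaboote. Each efivarfs file is 4 bytes of attribute flags
# followed by the variable data; for SecureBoot and SetupMode the data is a
# single byte (1 = set, 0 = clear).
set -u

EFIVARS=/sys/firmware/efi/efivars                      # assumed mount point
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI global variable GUID

# Print the data byte of an efivarfs file as a decimal number, or "absent"
# when the file cannot be read (BIOS boot, or efivarfs not mounted).
efivar_byte() {
    file=$1
    [ -r "$file" ] || { echo absent; return; }
    od -An -tu1 -j4 -N1 "$file" | tr -d ' '
}

# Classify a (SecureBoot, SetupMode) pair as a reviewer would read it.
classify_secureboot() {
    case "$1:$2" in
        1:0) echo enforcing ;;      # keys enrolled and signatures are checked
        0:1) echo setup-mode ;;     # firmware accepts new keys; nothing is enforced yet
        0:0) echo disabled ;;       # keys present but Secure Boot switched off in the BIOS
        1:1) echo inconsistent ;;   # should not happen; treat as not enforcing
        *)   echo unknown ;;        # one or both variables unreadable
    esac
}

# Check the live system; returns 0 only when Secure Boot is enforcing.
check_secureboot() {
    sb=$(efivar_byte "$EFIVARS/SecureBoot-$EFI_GLOBAL_GUID")
    setup=$(efivar_byte "$EFIVARS/SetupMode-$EFI_GLOBAL_GUID")
    state=$(classify_secureboot "$sb" "$setup")
    echo "SecureBoot=$sb SetupMode=$setup -> $state"
    # When sbctl is installed and we are root, also print its per-file report
    # so an unsigned kernel or UKI in the ESP is visible alongside the state.
    if command -v sbctl >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
        sbctl verify
    fi
    [ "$state" = enforcing ]
}

# Usage: sh secureboot-check.sh --check   (exit status 0 means enforcing)
case "${1:-}" in
    --check) check_secureboot ;;
esac
```

Run it as root after the rebuild and reboot; a result other than "enforcing" means the signed boot chain is not yet being verified by the firmware, so the BIOS setting or the key enrollment step above still needs attention.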

Edited by Dale Morgan