From 7aa3e3b387c6f29c8dbc3cf7d9f3520a8141c93c Mon Sep 17 00:00:00 2001
From: Skyler Grey
Date: Wed, 8 Oct 2025 17:08:33 +0000
Subject: [PATCH] feat(pm/redhead): enable secure boot

Change-Id: mupytyywstsmqxxrksylskklsmzqlyxo
I want to make booting not need a PIN/security key press, and therefore I want to make sure that I'm booting only what is explicitly permitted. Therefore, let's use lanzaboote! I've set it up before, so it's relatively simple
---
 packetmix/npins/sources.json | 16 ++++++++++++++
 packetmix/systems/redhead/lanzaboote.nix | 28 ++++++++++++++++++++++++
 packetmix/workspace.josh.license | 3 +++
 3 files changed, 47 insertions(+)
 create mode 100644 packetmix/systems/redhead/lanzaboote.nix
 create mode 100644 packetmix/workspace.josh.license
diff --git a/packetmix/npins/sources.json b/packetmix/npins/sources.json
index aaa602b0..0cd40a5b 100644
--- a/packetmix/npins/sources.json
+++ b/packetmix/npins/sources.json
@@ -159,6 +159,22 @@
 "url": "https://github.com/nix-community/impermanence/archive/4b3e914cdf97a5b536a889e939fb2fd2b043a170.tar.gz",
 "hash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI="
 },
+ "lanzaboote": {
+ "type": "GitRelease",
+ "repository": {
+ "type": "GitHub",
+ "owner": "nix-community",
+ "repo": "lanzaboote"
+ },
+ "pre_releases": false,
+ "version_upper_bound": null,
+ "release_prefix": null,
+ "submodules": false,
+ "version": "v0.4.2",
+ "revision": "f0212638a2ec787a7841882f4477d40ae24f0a5d",
+ "url": "https://api.github.com/repos/nix-community/lanzaboote/tarball/refs/tags/v0.4.2",
+ "hash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU="
+ },
 "lix": {
 "type": "Git",
 "repository": {
diff --git a/packetmix/systems/redhead/lanzaboote.nix b/packetmix/systems/redhead/lanzaboote.nix
new file mode 100644
index 00000000..e09b06ec
--- /dev/null
+++ b/packetmix/systems/redhead/lanzaboote.nix
@@ -0,0 +1,28 @@
+# SPDX-FileCopyrightText: 2025 FreshlyBakedCake
+#
+# SPDX-License-Identifier: MIT
+
+{ project, pkgs, lib, ... }:
+{
+ imports = [ project.inputs.lanzaboote.result.nixosModules.lanzaboote ];
+
+ environment.systemPackages = [
+ pkgs.sbctl
+ ];
+
+ boot.loader.systemd-boot.enable = lib.mkForce false;
+ boot.lanzaboote = {
+ enable = true;
+ pkiBundle = "/var/lib/sbctl";
+ publicKeyFile = "/secrets/lanzaboote/db/db.pem";
+ privateKeyFile = "/secrets/lanzaboote/db/db.key";
+ };
+
+ environment.etc."sbctl/sbctl.conf".text = builtins.toJSON {
+ keydir = "/secrets/lanzaboote";
+ };
+
+ clicks.storage.impermanence.persist.directories = [
+ "/var/lib/sbctl"
+ ];
+}
diff --git a/packetmix/workspace.josh.license b/packetmix/workspace.josh.license
new file mode 100644
index 00000000..d698a125
--- /dev/null
+++ b/packetmix/workspace.josh.license
@@ -0,0 +1,3 @@
+SPDX-FileCopyrightText: 2025 FreshlyBakedCake
+
+SPDX-License-Identifier: CC0-1.0
--
2.43.0
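Review bot: The Secure Boot signing key is read from `/secrets/lanzaboote/db/db.key` (with its `db.pem`), yet the impermanence list at the bottom of the module persists only `/var/lib/sbctl`; if `/secrets` is not itself a persistent or separately provisioned mount, the keypair disappears on reboot and the next rebuild cannot sign the new generation. Presumably `/secrets` is supplied by another module, so a comment stating that would stop the next reader from "fixing" the persist list, e.g. `# db keypair lives on the /secrets mount (provisioned elsewhere); /var/lib/sbctl holds only sbctl's state`. The key options are deliberately quoted strings rather than Nix path literals, which is what keeps the private key out of the world-readable Nix store — worth pinning with `# keep these as strings: an unquoted path would be copied into the Nix store` beside `privateKeyFile`. The same `db` keypair is referenced twice, once via the `*KeyFile` options and once via sbctl's `keydir`, so the `sbctl.conf` block should carry a note that `keydir` must stay in sync with the lanzaboote key paths above.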