done

etcnixos/system-mreow.nix

@@ -6,6 +6,10 @@
   inputs,
   ...
 }:
+
+let
+  untar = pkgs.callPackage ./util/untar.nix;
+in
 {
   imports = [
     ./common.nix
@@ -58,10 +62,11 @@
   };
 
   boot = {
-    # lanzaboote = {
-    # enable = true;
-    # pkiBundle = "/etc/secureboot";
-    # };
+    lanzaboote = {
+      enable = true;
+      # TODO: proper secrets management so this is not stored in nix store
+      pkiBundle = "${(untar { src = "${./secrets/secureboot.tar}"; })}";
+    };
 
     # Bootloader.
     loader = {
@@ -71,7 +76,7 @@
         generated at installation time. So we force it to false
         for now.
       */
-      # systemd-boot.enable = lib.mkForce false;
+      systemd-boot.enable = lib.mkForce false;
     };
 
     kernelParams = [
@@ -106,20 +111,18 @@
     TTYVTDisallocate = true;
   };
 
+  system.activationScripts = {
+    # FIX: https://github.com/NixOS/nix/issues/2982
+    "profile-channel-dummy".text = ''
+      #!/bin/sh
+      mkdir -p /nix/var/nix/profiles/per-user/root/channels
+    '';
+  };
+
   # weird hack to get swaylock working? idk, if you don't put this here, password entry doesnt work
   # if I move to another lock screen program, i will have to replace `swaylock`
   security.pam.services.swaylock = { };
 
-  # system.activationScripts = {
-  #   # extract all my secureboot keys
-  #   "secureboot-keys".text = ''
-  #     #!/bin/sh
-  #     rm -fr ${config.boot.lanzaboote.pkiBundle} || true
-  #     mkdir -p ${config.boot.lanzaboote.pkiBundle}
-  #     ${pkgs.gnutar}/bin/tar xf ${./secrets/secureboot.tar} -C ${config.boot.lanzaboote.pkiBundle}
-  #   '';
-  # };
-
   # disable framework kernel module
   # https://github.com/NixOS/nixos-hardware/issues/1330
   hardware.framework.enableKmod = false;