overhaul of qbt + tmpfiles

configuration.nix

@@ -32,6 +32,12 @@
     hybrid-sleep.enable = false;
   };
 
+  powerManagement = {
+    powertop.enable = true;
+    enable = true;
+    cpuFreqGovernor = "powersave";
+  };
+
   nix = {
     # optimize the store
     optimise.automatic = true;
@@ -65,7 +71,6 @@
 
     loader = {
       # Use the systemd-boot EFI boot loader.
-      systemd-boot.enable = true;
       efi.canTouchEfiVariables = true;
 
       # 1s timeout
@@ -76,10 +81,32 @@
       compressor = "zstd";
     };
 
-    # kernelModules = [
-    #   # kernel module for case fan control
-    #   "nct6775"
-    # ];
+    kernelModules = [
+      "msr"
+    ];
+
+    loader.systemd-boot.enable = lib.mkForce false;
+
+    lanzaboote = {
+      enable = true;
+      pkiBundle = "/var/lib/sbctl";
+    };
+  };
+
+  system.activationScripts = {
+    # extract all my secureboot keys
+    "secureboot-keys".text = ''
+      #!/bin/sh
+      rm -fr ${config.boot.lanzaboote.pkiBundle} || true
+      mkdir -p ${config.boot.lanzaboote.pkiBundle}
+      ${pkgs.gnutar}/bin/tar xf /etc/nixos/secrets/secureboot.tar -C ${config.boot.lanzaboote.pkiBundle}
+    '';
+
+    "zfs-encryption-keys".text = ''
+      #!/bin/sh
+      rm -fr /etc/zfs-key
+      cp /etc/nixos/secrets/zfs-key /etc/zfs-key
+    '';
   };
 
   environment.etc = {
@@ -137,6 +164,8 @@
 
     wget
 
+    powertop
+
     (pkgs.writeScriptBin "mc-console" ''
       #!/bin/sh
       ${pkgs.tmux}/bin/tmux -S /run/minecraft/${service_configs.minecraft.server_name}.sock attach
@@ -172,6 +201,8 @@
 
     pfetch-rs
 
+    sbctl
+
   ];
 
   services.zfs = {