| author | Alejandro Soto <alejandro@34project.org> | 2025-07-26 18:13:31 -0600 |
|---|---|---|
| committer | Alejandro Soto <alejandro@34project.org> | 2025-07-26 18:59:49 -0600 |
| commit | 33707eb9d2423115f9ae5c4633c774363396abde (patch) | |
| tree | 3126521a002c34e30f42121c335c771a11ba8a7d /sys/boot/secure-boot.nix | |
| parent | 81322ec6ffe1f971b45561d70faf8749342607a4 (diff) | |
sys/boot/secure-boot: support new path for secure boot keys at /var/lib/sbctl
Diffstat (limited to '')
| -rw-r--r-- | sys/boot/secure-boot.nix | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/sys/boot/secure-boot.nix b/sys/boot/secure-boot.nix index bdf7f0f..3e874c3 100644 --- a/sys/boot/secure-boot.nix +++ b/sys/boot/secure-boot.nix @@ -1,10 +1,20 @@ { config, lib, pkgs, ... }: with lib; let cfg = config.local.boot.secureBoot; + + pkiBundle = + if cfg.legacyPath + then "/etc/secureboot" + else "/var/lib/sbctl"; in { options.local.boot.secureBoot = { enable = mkEnableOption "secure boot"; + + legacyPath = mkOption { + type = types.bool; + default = false; + }; }; config = mkIf cfg.enable { @@ -24,7 +34,7 @@ in lanzaboote = { enable = true; - pkiBundle = "/etc/secureboot"; + inherit pkiBundle; }; }; @@ -32,6 +42,6 @@ in pkgs.sbctl ]; - local.boot.impermanence.directories = [ "/etc/secureboot" ]; + local.boot.impermanence.directories = [ pkiBundle ]; }; } |
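Review bot: The new `legacyPath` option in the first hunk defaults to `false` and has no `description`, so a host whose keys still live in `/etc/secureboot` is switched to `/var/lib/sbctl` on its next rebuild, and nothing in the module tells the operator to migrate first. The same `pkiBundle` value feeds `lanzaboote.pkiBundle` in the second hunk and `local.boot.impermanence.directories` in the third, so on such a host the signing keys would presumably not be found and the old directory would stop being persisted; whether that fails the rebuild or only surfaces at the next boot cannot be told from these lines. I would document the option, e.g. `description = "Keep the Secure Boot key bundle at /etc/secureboot instead of /var/lib/sbctl; set this on hosts whose keys have not been moved yet.";`, and state in the commit message how existing keys are expected to be moved. The `config = mkIf cfg.enable { … }` body continues outside the hunks shown.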
