From 33707eb9d2423115f9ae5c4633c774363396abde Mon Sep 17 00:00:00 2001
From: Alejandro Soto
Date: Sat, 26 Jul 2025 18:13:31 -0600
Subject: sys/boot/secure-boot: support new path for secure boot keys at /var/lib/sbctl
---
 sys/boot/secure-boot.nix | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
(limited to 'sys/boot/secure-boot.nix')
diff --git a/sys/boot/secure-boot.nix b/sys/boot/secure-boot.nix
index bdf7f0f..3e874c3 100644
--- a/sys/boot/secure-boot.nix
+++ b/sys/boot/secure-boot.nix
@@ -1,10 +1,20 @@
 { config, lib, pkgs, ... }: with lib; let cfg = config.local.boot.secureBoot;
+
+ pkiBundle =
+ if cfg.legacyPath
+ then "/etc/secureboot"
+ else "/var/lib/sbctl";
 in { options.local.boot.secureBoot = { enable = mkEnableOption "secure boot";
+
+ legacyPath = mkOption {
+ type = types.bool;
+ default = false;
+ };
 }; config = mkIf cfg.enable {
@@ -24,7 +34,7 @@ in
 lanzaboote = { enable = true;
- pkiBundle = "/etc/secureboot";
+ inherit pkiBundle;
 }; };
@@ -32,6 +42,6 @@ in
 pkgs.sbctl ];
- local.boot.impermanence.directories = [ "/etc/secureboot" ];
+ local.boot.impermanence.directories = [ pkiBundle ];
 }; }
-- cgit v1.2.3
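Review bot: `legacyPath` in the first hunk is declared without a `description`, so nothing records what the flag selects or that its default of `false` moves the key location for every host already using this module. I would add `description = "Keep the Secure Boot key bundle at /etc/secureboot instead of /var/lib/sbctl.";` to the `mkOption` call. The `pkiBundle` binding in the `let` block could also carry a one-line comment saying that the same value feeds both `lanzaboote.pkiBundle` and the impermanence list, since the two have to agree.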
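Review bot: With the default `legacyPath = false`, the last hunk stops listing `/etc/secureboot` in `local.boot.impermanence.directories`. A host whose keys have not been moved yet would presumably drop them from the persisted set at the next boot, while lanzaboote is pointed at a `/var/lib/sbctl` that may still be empty. The module gives no signal for that state, and these are the Secure Boot signing keys, so I would put a comment above the line such as `# keys must already live in pkiBundle before switching; the old directory is no longer persisted` and set `legacyPath = true` on hosts that have not migrated. How the impermanence module treats unlisted paths is not visible in this diff, so the loss on reboot is an inference to confirm.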