From 445856d98aae956533ac64ed7c82dcf69316c662 Mon Sep 17 00:00:00 2001
From: Alexandre
Date: Sun, 1 Mar 2026 12:08:27 +0100
Subject: [PATCH] Added secure boot
---
 flake.nix | 5 +++++
 hosts/framework/modules.nix | 1 +
 modules/common/environment.nix | 1 +
 modules/default.nix | 1 +
 modules/nixos/secureboot.nix | 11 +++++++++++
 5 files changed, 19 insertions(+)
 create mode 100644 modules/nixos/secureboot.nix
diff --git a/flake.nix b/flake.nix
index 6494fd4..50b0724 100644
--- a/flake.nix
+++ b/flake.nix
@@ -6,6 +6,11 @@
 nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
 nixos-hardware.url = "github:NixOS/nixos-hardware/master";
+
+ lanzaboote = {
+ url = "github:nix-community/lanzaboote/master";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 # Hyprland
 hyprland = {
diff --git a/hosts/framework/modules.nix b/hosts/framework/modules.nix
index fa9a02e..abe1f63 100644
--- a/hosts/framework/modules.nix
+++ b/hosts/framework/modules.nix
@@ -6,6 +6,7 @@ in
 imports = [
 ./hardware-configuration.nix
 inputs.sops-nix.nixosModules.sops
+ modules.nixos.secureboot
 modules.common.module
 modules.nixos.secrets
 modules.nixos.gaming.amd
diff --git a/modules/common/environment.nix b/modules/common/environment.nix
index 3a79d92..50d0616 100644
--- a/modules/common/environment.nix
+++ b/modules/common/environment.nix
@@ -21,6 +21,7 @@
 gnupg
 cmatrix
 gh
+ sbctl
 # Browser
 inputs.zen-browser.packages.${pkgs.stdenv.hostPlatform.system}.default
 ];
diff --git a/modules/default.nix b/modules/default.nix
index b2f72b8..e2f6b12 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -37,6 +37,7 @@
 };
 bootloader = ./nixos/bootloader.nix;
+ secureboot = ./nixos/secureboot.nix;
 locale = ./nixos/locale.nix;
 secrets = ./nixos/secrets.nix;
 swap = ./nixos/swap.nix;
diff --git a/modules/nixos/secureboot.nix b/modules/nixos/secureboot.nix
new file mode 100644
index 0000000..20e8409
--- /dev/null
+++ b/modules/nixos/secureboot.nix
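Review bot: The `lanzaboote` input added in the flake.nix hunk follows the `master` branch, and the diffstat lists no `flake.lock` change, so the revision of the tool that signs the boot chain is whatever master resolves to when the lock is next written and it moves again on every update. Pinning the input to a release tag, `url = "github:nix-community/lanzaboote/<RELEASE_TAG>";`, and committing the resulting lock entry in the same change keeps the signer on a revision that was actually reviewed. If `flake.lock` is deliberately untracked, that is worth stating in the commit message. The `inputs` set and the `hyprland` entry continue outside the hunk.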
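Review bot: The hosts/framework/modules.nix hunk adds only `modules.nixos.secureboot` to `imports`, and nothing visible in this patch imports lanzaboote's own NixOS module, which is what declares the `boot.lanzaboote` options that secureboot.nix sets. Unless that module is imported somewhere outside this diff, evaluation will stop on an unknown option; adding `inputs.lanzaboote.nixosModules.lanzaboote` next to the existing `inputs.sops-nix.nixosModules.sops` line would cover it. The `imports` list starts before and continues after the lines shown.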
@@ -0,0 +1,11 @@
+{ pkgs, lib, ...}:
+
+{
+ boot.loader.systemd-boot.enable = lib.mkForce false;
+
+ boot.lanzaboote = {
+ enable = true;
+ pkiBundle = "/var/lib/sbctl";
+ };
+
+}
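Review bot: `pkiBundle = "/var/lib/sbctl"` points at the directory where sbctl keeps the private Secure Boot signing keys, and the module documents neither how they get there nor how they are protected. The keys have to exist (`sbctl create-keys`) before the first rebuild with this module and be enrolled in firmware afterwards, and anything that can read that directory can sign a boot image the firmware will accept; whether the disk is encrypted is not visible in this patch. I would add a comment above the option, for example `# Private signing keys live here (sbctl create-keys); root-only, keep on an encrypted disk.` The `pkgs` argument is unused in this file and can be dropped from the function head.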