Secure boot, tmp unlock for framework12

nixos/hosts/kylekrein-framework12/secure-boot.nix

@@ -0,0 +1,27 @@
+{
+  pkgs,
+  lib,
+  hwconfig,
+  ...
+}: {
+  boot = {
+    initrd.systemd.enable = true;
+
+    loader.systemd-boot.enable = lib.mkForce false;
+
+    lanzaboote = {
+      enable = true;
+      pkiBundle =
+        #if hwconfig.useImpermanence
+        #then "/persist/system/var/lib/sbctl"
+        #        else
+        "/var/lib/sbctl";
+    };
+  };
+  environment.systemPackages = [
+    # For debugging and troubleshooting Secure Boot.
+    pkgs.sbctl
+    # For tpm auto unlock
+    pkgs.tpm2-tss
+  ];
+}