snowfall lib migration wip

modules/nixos/hardware/secureBoot/default.nix

@@ -0,0 +1,38 @@
+{
+  lib,
+  pkgs,
+  inputs,
+  namespace,
+  system,
+  target,
+  format,
+  virtual,
+  systems,
+  config,
+  ...
+}:
+with lib;
+with lib.${namespace}; let
+  cfg = config.${namespace}.hardware.secureBoot;
+in {
+  options.${namespace}.hardware.secureBoot = with types; {
+    enable = mkBoolOpt false "Enable support for secure boot. Note: Secure boot should still be configured imperatively. This module only handles the declarative part.";
+  };
+
+  config = mkIf cfg.enable {
+    boot = {
+      initrd.systemd.enable = true;
+
+      lanzaboote = {
+        enable = true;
+        pkiBundle = "/var/lib/sbctl";
+      };
+    };
+    environment.systemPackages = with pkgs; [
+      # For debugging and troubleshooting Secure Boot.
+      sbctl
+      # For tpm auto unlock
+      tpm2-tss
+    ];
+  };
+}