Diffstat (limited to '')
| -rw-r--r-- | modules/by-name/bo/boot/module.nix | 20 |
1 files changed, 17 insertions, 3 deletions
diff --git a/modules/by-name/bo/boot/module.nix b/modules/by-name/bo/boot/module.nix index 8b71ce65..4b95aedf 100644 --- a/modules/by-name/bo/boot/module.nix +++ b/modules/by-name/bo/boot/module.nix @@ -1,7 +1,17 @@ +# nixos-config - My current NixOS configuration +# +# Copyright (C) 2025 Benedikt Peetz <benedikt.peetz@b-peetz.de> +# SPDX-License-Identifier: GPL-3.0-or-later +# +# This file is part of my nixos-config. +# +# You should have received a copy of the License along with this program. +# If not, see <https://www.gnu.org/licenses/gpl-3.0.txt>. { config, lib, pkgs, + modules, ... }: let cfg = config.soispha.boot; @@ -12,6 +22,10 @@ in { # enableIsoEntry = lib.mkEnableOption "an tails iso boot entry"; }; + imports = [ + modules.lanzaboote.nixosModules.lanzaboote + ]; + config = lib.mkIf cfg.enable ( # let # cfg = config.boot.loader.systemd-boot; @@ -32,7 +46,7 @@ in { # # stay on disk forever) <2024-05-11> # copyExtraFiles = '' # echo "[systemd-boot] copying files to ${bootMountPoint}" - # empty_file=$(mktemp) + # empty_file=$(mktemp boot_empty_file_XXX) # # ${lib.concatStrings (lib.mapAttrsToList (n: v: # /* @@ -70,7 +84,7 @@ in { # This should only be necessary for `lanzaboote`, but that is the current default in # this module. soispha.impermanence.directories = [ - "/etc/secureboot" + "/var/lib/sbctl" ]; boot = { @@ -82,7 +96,7 @@ in { lanzaboote = { enable = true; - pkiBundle = "/etc/secureboot"; + pkiBundle = "/var/lib/sbctl"; settings = { # Disable editing the kernel command line (which could allow someone to become root) |
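Review bot: In the hunk at `@@ -12,6 +22,10 @@`, the new `imports` list reads `modules.lanzaboote.nixosModules.lanzaboote` from a module argument. NixOS resolves `imports` before `config`, so `modules` has to arrive through `specialArgs`; if it is supplied via `_module.args`, evaluation fails with infinite recursion. The caller is not visible here, so this is worth confirming and recording above the list, for example `# modules must be passed via specialArgs: imports are resolved before _module.args exists`. The import is also unconditional, so lanzaboote's options are declared even on hosts where `cfg.enable` is false.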
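Review bot: The new template in the commented-out `copyExtraFiles` script (hunk `@@ -32,7 +46,7 @@`) has no directory part and no `--tmpdir`. Assuming GNU coreutils `mktemp`, the file would be created relative to the script's working directory rather than under `$TMPDIR`, and three `X`s is the shortest suffix it accepts. If this block is ever re-enabled, `# empty_file=$(mktemp --tmpdir boot_empty_file_XXXXXX)` keeps the file in the temp directory with a longer random suffix. The script body continues outside the hunk, so whether the file is removed afterwards cannot be seen here.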
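Review bot: The directory `/var/lib/sbctl` is now spelled out twice: in `soispha.impermanence.directories` (hunk `@@ -70,7 +84,7 @@`) and in `lanzaboote.pkiBundle` (hunk `@@ -82,7 +96,7 @@`). The two must stay identical, or the Secure Boot signing keys end up outside persistent storage. Binding the path once in the existing `let`, e.g. `pkiBundle = "/var/lib/sbctl";`, and then writing `soispha.impermanence.directories = [ pkiBundle ];` and `inherit pkiBundle;` inside `lanzaboote`, removes that risk. Nothing visible in this diff moves key material already stored in `/etc/secureboot`, so hosts enrolled with the old path presumably need a manual move before the next rebuild; a comment saying so would help. The surrounding `config = lib.mkIf cfg.enable (` block starts and ends outside both hunks.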
