enable secure boot wit Lanzaboote

flake.nix

@@ -9,7 +9,12 @@
       url = "github:nix-community/home-manager/release-23.05";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    nur.url = "github:nix-community/NUR";
+    lanzaboote = {
+      url = "github:nix-community/lanzaboote/v0.3.0";
+      # deliberately do _not_ follow the nixpkgs input here, because paranoia and test coverage
+    };
+
+      nur.url = "github:nix-community/NUR";
     # TODO: possible make this a flake as well
     mysecrets = {
       flake = false;
@@ -19,7 +24,7 @@
   };
 
   outputs = 
-  { self, nixpkgs, nur, ... }@inputs: 
+  { self, nixpkgs, nur, lanzaboote, ... }@inputs: 
   let
     system = "x86_64-linux";
     pkgs = nixpkgs.legacyPackages.${system};
@@ -28,7 +33,7 @@
 
     nixosConfigurations.thinknix = nixpkgs.lib.nixosSystem {
       inherit system;
-      modules = [ ./nixos/configuration.nix ];
+      modules = [ ./nixos/configuration.nix lanzaboote.nixosModules.lanzaboote ];
       # necessary to make the top-level inputs available to system configuration
       specialArgs = {
         #TODO: for system, consider moving to flake-utils