feat: add lanzaboote for sausebiene

hosts/sausebiene/default.nix

@@ -2,12 +2,15 @@
   globals,
   inputs,
   nodes,
+  pkgs,
+  lib,
   ...
 }:
 {
   imports = [
     inputs.nixos-hardware.nixosModules.common-cpu-intel
     inputs.nixos-hardware.nixosModules.common-pc-ssd
+    inputs.lanzaboote.nixosModules.lanzaboote
 
     ../../config
     ../../config/hardware/intel.nix
@@ -22,6 +25,27 @@
 
   nixpkgs.hostPlatform = "x86_64-linux";
   boot.mode = "efi";
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+  boot.lanzaboote = {
+    enable = true;
+    pkiBundle = "/var/lib/sbctl";
+  };
+  boot.initrd.availableKernelModules = [
+    "r8169"
+    "tpm_crb"
+  ];
+  security.tpm2 = {
+    enable = true;
+    pkcs11.enable = true;
+  };
+
+  environment.systemPackages = [ pkgs.sbctl ];
+  environment.persistence."/persist".directories = [
+    {
+      directory = "/var/lib/sbctl";
+      mode = "0700";
+    }
+  ];
 
   meta.promtail = {
     enable = true;

hosts/sausebiene/net.nix

@@ -1,6 +1,5 @@
 {
   config,
-  globals,
   ...
 }:
 {
@@ -24,7 +23,7 @@
   systemd.network.networks = {
     "10-lan" = {
       address = [ "192.168.1.17/24" ];
-      gateway = [ globals.net.home-lan.vlans.services.hosts.ward.ipv4 ];
+      gateway = [ "192.168.1.1" ];
       matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.lan.mac;
       networkConfig = {
         IPv6PrivacyExtensions = "yes";