x1: secure boot and encrypted swap

Signed-off-by: Harald Hoyer <harald@hoyer.xyz>

systems/x86_64-linux/x1/default.nix

@@ -13,9 +13,11 @@ with lib.plusultra;
     operation = "boot";
     allowReboot = false;
     flags = [
-        "--update-input" "nixpkgs"
-        "--update-input" "unstable"
-        ];
+      "--update-input"
+      "nixpkgs"
+      "--update-input"
+      "unstable"
+    ];
     flake = "git+https://git.hoyer.xyz/harald/nixcfg#x1";
   };
 
@@ -26,9 +28,13 @@ with lib.plusultra;
   };
 
   boot = {
+    lanzaboote = {
+      enable = true;
+      pkiBundle = "/etc/secureboot";
+    };
     tmp.cleanOnBoot = true;
     loader = {
-      systemd-boot.enable = true;
+      systemd-boot.enable = false;
       efi.canTouchEfiVariables = true;
       timeout = 2;
     };
@@ -62,6 +68,7 @@ with lib.plusultra;
       openssl
       restic
       rrsync
+      sbctl
       sops
       strace
       tmux

systems/x86_64-linux/x1/hardware-configuration.nix

@@ -22,6 +22,7 @@
     };
 
   boot.initrd.luks.devices."luks-0e2792db-1b80-49a7-b2eb-54e4b5fc3502".device = "/dev/disk/by-uuid/0e2792db-1b80-49a7-b2eb-54e4b5fc3502";
+  boot.initrd.luks.devices."luks-280f2e07-e5fc-478e-b7ee-445c99bea415".device = "/dev/disk/by-uuid/280f2e07-e5fc-478e-b7ee-445c99bea415";
 
   fileSystems."/boot" =
     {
@@ -29,7 +30,7 @@
       fsType = "vfat";
     };
 
-  swapDevices = [ ];
+  swapDevices = [{ device = "/dev/mapper/luks-280f2e07-e5fc-478e-b7ee-445c99bea415"; }];
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's