From 0fb53a4294e871ae916ef0a5dd40108a5aee3dae Mon Sep 17 00:00:00 2001
From: Tom Alexander <tom@fizz.buzz>
Date: Sun, 12 Jan 2025 21:00:56 -0500
Subject: [PATCH] Add preparations for the new location for secureboot keys.

---
 nix/configuration/roles/boot/default.nix | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/nix/configuration/roles/boot/default.nix b/nix/configuration/roles/boot/default.nix
index 3ccb635..acef3a1 100644
--- a/nix/configuration/roles/boot/default.nix
+++ b/nix/configuration/roles/boot/default.nix
@@ -75,11 +75,15 @@
       boot.lanzaboote = {
         enable = true;
         pkiBundle = "/etc/secureboot";
+        # TODO:
+        #     pkiBundle = "/var/lib/sbctl";
       };
       environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
         hideMounts = true;
         directories = [
-          "/etc/secureboot" # Secure Boot Keys
+          "/etc/secureboot" # Old Secure Boot Keys location
+          # TODO: run `doas sbctl setup --migrate` to move keys
+          "/var/lib/sbctl" # Secure Boot Keys
         ];
       };
     })