Update to the new secureboot location.

nix/configuration/roles/boot/default.nix

@@ -22,6 +22,14 @@
   };
 
   config = lib.mkMerge [
+    {
+      environment.systemPackages = with pkgs; [
+        tpm2-tools # For tpm2_eventlog to check for OptionRoms
+        # cp /sys/kernel/security/tpm0/binary_bios_measurements eventlog
+        # tpm2_eventlog eventlog | grep "BOOT_SERVICES_DRIVER"
+        sbctl # For debugging and troubleshooting Secure Boot.
+      ];
+    }
     (lib.mkIf (!config.me.buildingIso) {
 
       boot.loader.grub.enable = false;
@@ -67,22 +75,18 @@
       # };
     })
     (lib.mkIf (config.me.secureBoot.enable) {
-      # For debugging and troubleshooting Secure Boot.
+
       environment.systemPackages = with pkgs; [
         sbctl
       ];
       boot.loader.systemd-boot.enable = lib.mkForce false;
       boot.lanzaboote = {
         enable = true;
-        pkiBundle = "/etc/secureboot";
-        # TODO:
-        #     pkiBundle = "/var/lib/sbctl";
+        pkiBundle = "/var/lib/sbctl";
       };
       environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
         hideMounts = true;
         directories = [
-          "/etc/secureboot" # Old Secure Boot Keys location
-          # TODO: run `doas sbctl setup --migrate` to move keys
           "/var/lib/sbctl" # Secure Boot Keys
         ];
       };