Update to the new secureboot location.

nix/configuration/configuration.nix

@@ -109,6 +109,7 @@
     randomizedDelaySec = "14m";
     options = "--delete-older-than 30d";
   };
+  # nix.settings.auto-optimise-store = true;
 
   # Use doas instead of sudo
   security.doas.enable = true;

nix/configuration/flake.lock

@@ -123,11 +123,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1736785676,
-        "narHash": "sha256-TY0jUwR3EW0fnS0X5wXMAVy6h4Z7Y6a3m+Yq++C9AyE=",
+        "lastModified": 1737120639,
+        "narHash": "sha256-p5e/45V41YD3tMELuiNIoVCa25/w4nhOTm0B9MtdHFI=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "fc52a210b60f2f52c74eac41a8647c1573d2071d",
+        "rev": "a0046af169ce7b1da503974e1b22c48ef4d71887",
         "type": "github"
       },
       "original": {
@@ -138,11 +138,11 @@
     },
     "impermanence": {
       "locked": {
-        "lastModified": 1734945620,
-        "narHash": "sha256-olIfsfJK4/GFmPH8mXMmBDAkzVQ1TWJmeGT3wBGfQPY=",
+        "lastModified": 1736688610,
+        "narHash": "sha256-1Zl9xahw399UiZSJ9Vxs1W4WRFjO1SsNdVZQD4nghz0=",
         "owner": "nix-community",
         "repo": "impermanence",
-        "rev": "d000479f4f41390ff7cf9204979660ad5dd16176",
+        "rev": "c64bed13b562fc3bb454b48773d4155023ac31b7",
         "type": "github"
       },
       "original": {
@@ -180,11 +180,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1736798957,
-        "narHash": "sha256-qwpCtZhSsSNQtK4xYGzMiyEDhkNzOCz/Vfu4oL2ETsQ=",
+        "lastModified": 1737062831,
+        "narHash": "sha256-Tbk1MZbtV2s5aG+iM99U8FqwxU/YNArMcWAv6clcsBc=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "9abb87b552b7f55ac8916b6fc9e5cb486656a2f3",
+        "rev": "5df43628fdf08d642be8ba5b3625a6c70731c19c",
         "type": "github"
       },
       "original": {

nix/configuration/hosts/odo/hardware-configuration.nix

@@ -20,7 +20,7 @@
     "thunderbolt"
   ];
   boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-amd" ];
+  boot.kernelModules = [ ];
   boot.extraModulePackages = [ ];
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking

nix/configuration/hosts/odo/optimized_build.nix

@@ -39,7 +39,7 @@
         # linux
         # linux_6_11
         # linux_zen
-        linux_znver4 = optimizeWithFlags super.linux_6_11 [
+        linux_znver4 = optimizeWithFlags super.linux_6_12 [
           "-march=znver4"
           "-mtune=znver4"
         ];

nix/configuration/roles/boot/default.nix

@@ -22,6 +22,14 @@
   };
 
   config = lib.mkMerge [
+    {
+      environment.systemPackages = with pkgs; [
+        tpm2-tools # For tpm2_eventlog to check for OptionRoms
+        # cp /sys/kernel/security/tpm0/binary_bios_measurements eventlog
+        # tpm2_eventlog eventlog | grep "BOOT_SERVICES_DRIVER"
+        sbctl # For debugging and troubleshooting Secure Boot.
+      ];
+    }
     (lib.mkIf (!config.me.buildingIso) {
 
       boot.loader.grub.enable = false;
@@ -67,22 +75,18 @@
       # };
     })
     (lib.mkIf (config.me.secureBoot.enable) {
-      # For debugging and troubleshooting Secure Boot.
+
       environment.systemPackages = with pkgs; [
         sbctl
       ];
       boot.loader.systemd-boot.enable = lib.mkForce false;
       boot.lanzaboote = {
         enable = true;
-        pkiBundle = "/etc/secureboot";
-        # TODO:
-        #     pkiBundle = "/var/lib/sbctl";
+        pkiBundle = "/var/lib/sbctl";
       };
       environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
         hideMounts = true;
         directories = [
-          "/etc/secureboot" # Old Secure Boot Keys location
-          # TODO: run `doas sbctl setup --migrate` to move keys
           "/var/lib/sbctl" # Secure Boot Keys
         ];
       };