secrets overhaul: use tpm for laptop (need to migrate desktop later)

modules/desktop-lanzaboote-agenix.nix

@@ -0,0 +1,49 @@
+{
+  config,
+  lib,
+  pkgs,
+  inputs,
+  ...
+}:
+{
+  imports = [
+    inputs.lanzaboote.nixosModules.lanzaboote
+  ];
+
+  boot = {
+    loader.systemd-boot.enable = lib.mkForce false;
+
+    lanzaboote = {
+      enable = true;
+      # sbctl expects the bundle at /var/lib/sbctl; muffin uses /etc/secureboot
+      # because it is wiped on every activation there (impermanence) — desktops
+      # extract to the historical sbctl path so existing tooling keeps working.
+      pkiBundle = "/var/lib/sbctl";
+    };
+  };
+
+  system.activationScripts = {
+    # Extract the secureboot PKI bundle from the agenix-decrypted tar. Mirrors
+    # modules/server-lanzaboote-agenix.nix; skip when keys are already present
+    # (e.g., disko-install staged them via --extra-files).
+    "secureboot-keys" = {
+      deps = [ "agenix" ];
+      text = ''
+        #!/bin/sh
+        (
+          umask 077
+          if [[ -d ${config.boot.lanzaboote.pkiBundle} && -f ${config.boot.lanzaboote.pkiBundle}/db.key ]]; then
+            echo "secureboot keys already present, skipping extraction"
+          else
+            echo "extracting secureboot keys from agenix"
+            rm -fr ${config.boot.lanzaboote.pkiBundle} || true
+            install -d -o root -g wheel -m 0500 ${config.boot.lanzaboote.pkiBundle}
+            ${pkgs.gnutar}/bin/tar xf ${config.age.secrets.secureboot-tar.path} -C ${config.boot.lanzaboote.pkiBundle}
+          fi
+          chown -R root:wheel ${config.boot.lanzaboote.pkiBundle}
+          chmod -R 500 ${config.boot.lanzaboote.pkiBundle}
+        )
+      '';
+    };
+  };
+}