From a99646bb01f352e849fddcd6f9638f5829866d8b Mon Sep 17 00:00:00 2001
From: Raito Bezarius
Date: Fri, 25 Nov 2022 11:29:56 +0100
Subject: [PATCH] nixos: enrollment is optional
---
 nix/lanzaboote.nix | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/nix/lanzaboote.nix b/nix/lanzaboote.nix
index dc27a8f..2149bd9 100644
--- a/nix/lanzaboote.nix
+++ b/nix/lanzaboote.nix
@@ -37,9 +37,11 @@ in
 enable = true;
 passBootspec = true;
 installHook = "${pkgs.writeShellScriptBin "bootinstall" ''
- mkdir -p /tmp/pki
- cp -r ${cfg.pkiBundle}/* /tmp/pki
- ${sbctlWithPki}/bin/sbctl enroll-keys --yes-this-might-brick-my-machine
+ ${optionalString cfg.enrollKeys ''
+ mkdir -p /tmp/pki
+ cp -r ${cfg.pkiBundle}/* /tmp/pki
+ ${sbctlWithPki}/bin/sbctl enroll-keys --yes-this-might-brick-my-machine
+ ''}
 ${cfg.package}/bin/lanzatool install --pki-bundle ${cfg.pkiBundle} --public-key ${cfg.publicKeyFile} --private-key ${cfg.privateKeyFile} "$@"
 ''}/bin/bootinstall";
 # ${cfg.package}/bin/lanzatool install ${optionalString cfg.enrollKeys "--auto-enroll"} --pki-bundle ${cfg.pkiBundle}
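Review bot: The enrollment branch still stages the bundle in the fixed, predictable path `/tmp/pki`, and `mkdir -p` succeeds silently when that path already exists, so on a multi-user system whoever created it first decides where `cp -r ${cfg.pkiBundle}/*` lands. The bundle presumably holds Secure Boot key material and the hook presumably runs as root, and the copy is never removed afterwards. I would stage into a private directory instead, e.g. `umask 077; pki=$(mktemp -d); trap 'rm -rf "$pki"' EXIT`, assuming `sbctlWithPki` (defined outside this hunk) can be pointed at it. The script also has no `set -e`, so a failed `cp` or `enroll-keys` does not stop the `lanzatool install` line that follows; `set -euo pipefail` at the top of the script would surface that.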