feat: enable secure boot

pkgs/systemd/default.nix

@@ -30,6 +30,8 @@ stdenv.mkDerivation (finalAttrs: {
     hash = "sha256-6rxJUYRq785U6aik5VhQRqG+Ss67lBB6T3eQF+tkyhk=";
   };
 
+  patches = [ ./skip-verify-esp.patch ];
+
   dontCheckForBrokenSymlinks = true;
 
   nativeBuildInputs = with pkgs; [

pkgs/systemd/skip-verify-esp.patch

@@ -0,0 +1,24 @@
+diff --git a/src/shared/find-esp.c b/src/shared/find-esp.c
+index f830d6dfe3..7ad2a8cd1d 100644
+--- a/src/shared/find-esp.c
++++ b/src/shared/find-esp.c
+@@ -403,15 +403,15 @@ static int verify_esp(
+                                               "File system \"%s\" is not a FAT EFI System Partition (ESP) file system.", p);
+         }
+ 
+-        r = verify_fsroot_dir(pfd, p, flags, FLAGS_SET(flags, VERIFY_ESP_SKIP_DEVICE_CHECK) ? NULL : &devid);
+-        if (r < 0)
+-                return r;
+-
+         /* In a container we don't have access to block devices, skip this part of the verification, we trust
+          * the container manager set everything up correctly on its own. */
+         if (FLAGS_SET(flags, VERIFY_ESP_SKIP_DEVICE_CHECK))
+                 goto finish;
+ 
++        r = verify_fsroot_dir(pfd, p, flags, FLAGS_SET(flags, VERIFY_ESP_SKIP_DEVICE_CHECK) ? NULL : &devid);
++        if (r < 0)
++                return r;
++
+         if (devnum_is_zero(devid))
+                 return log_full_errno(searching ? LOG_DEBUG : LOG_ERR,
+                                       SYNTHETIC_ERRNO(searching ? EADDRNOTAVAIL : ENODEV),