From 0928588c1ffb5210e725e4a2d7e8a7200a0a882d Mon Sep 17 00:00:00 2001
From: sandwich <sandwich@archworks.co>
Date: Thu, 2 Apr 2026 04:34:16 +0200
Subject: [PATCH] feat(bootstrap): add Secure Boot conditional packages for
 Debian, Ubuntu, and Arch

---
 roles/bootstrap/vars/main.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/roles/bootstrap/vars/main.yml b/roles/bootstrap/vars/main.yml
index 2b3e26e..340b6f6 100644
--- a/roles/bootstrap/vars/main.yml
+++ b/roles/bootstrap/vars/main.yml
@@ -222,6 +222,7 @@ bootstrap_debian:
       + (['software-properties-common'] if (os_version | string) not in ['13', 'unstable'] else [])
       + (['systemd-zram-generator'] if (os_version | string) not in ['10', '11'] else [])
       + (['tldr'] if (os_version | string) not in ['13', 'unstable'] else [])
+      + (['shim-signed'] if system_cfg.features.secure_boot.enabled | bool else [])
       + bootstrap_common_conditional
     }}
 
@@ -285,6 +286,7 @@ bootstrap_ubuntu:
   conditional: >-
     {{
       (['tldr'] if (os_version | default('') | string | length) > 0 else [])
+      + (['shim-signed'] if system_cfg.features.secure_boot.enabled | bool else [])
       + bootstrap_common_conditional
     }}
 
@@ -323,6 +325,7 @@ bootstrap_archlinux:
     {{
       (['openssh'] if system_cfg.features.ssh.enabled | bool else [])
       + (['iptables-nft'] if system_cfg.features.firewall.toolkit == 'nftables' and system_cfg.features.firewall.enabled | bool else [])
+      + (['sbctl'] if system_cfg.features.secure_boot.enabled | bool else [])
       + (bootstrap_common_conditional | reject('equalto', 'nftables') | list)
     }}