From d1ec187cba3d052b355a3b301792f9537056e3f9 Mon Sep 17 00:00:00 2001 From: ItsDrike Date: Sun, 23 Jun 2024 16:35:21 +0200 Subject: [PATCH 1/4] Fix typo in bootctl command (docs) --- docs/03_SECURE_BOOT.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/03_SECURE_BOOT.md b/docs/03_SECURE_BOOT.md index 69ca0e0..832097b 100644 --- a/docs/03_SECURE_BOOT.md +++ b/docs/03_SECURE_BOOT.md @@ -12,7 +12,7 @@ As a first step, you will want to confirm that you really are on a UEFI system. this is very likely the case. Nevertheless, let's check and make sure: ```shell -bootctl info +bootctl status ``` Make sure the `Firmware` is reported as `UEFI`. From 8254d6ee635c807d203cd518474024ea83c1a426 Mon Sep 17 00:00:00 2001 From: ItsDrike Date: Sun, 23 Jun 2024 16:54:17 +0200 Subject: [PATCH 2/4] Fix typo in secure boot docs --- docs/03_SECURE_BOOT.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/03_SECURE_BOOT.md b/docs/03_SECURE_BOOT.md index 832097b..6b8e98e 100644 --- a/docs/03_SECURE_BOOT.md +++ b/docs/03_SECURE_BOOT.md @@ -36,8 +36,9 @@ boot. > fact, if someone is able to get a hold of your machine, they can simply pull out the CMOS battery, which usually > resets the UEFI. That means turning off Secure Boot, and getting rid of the BIOS password. > -> While UEFI is generally a good extra measure to have, it is by no means a reliable way to really prevent others from -> ever being able to boot untrusted systems, unless you use a specialized motherboard, which persists the UEFI state. +> While Secure Boot is generally a good extra measure to have, it is by no means a reliable way to really prevent +> others from ever being able to boot untrusted systems, unless you use a specialized motherboard, which persists the +> UEFI state. ## Create your keys From 4f5aa6c33d97fab788774979ab91f59ff6c3cb51 Mon Sep 17 00:00:00 2001 
From: ItsDrike Date: Sun, 23 Jun 2024 16:54:46 +0200 Subject: [PATCH 3/4] Add e2fsprogs cli pkg --- home/packages/cli/shared.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/home/packages/cli/shared.nix b/home/packages/cli/shared.nix index 631ffcf..a5c1873 100644 --- a/home/packages/cli/shared.nix +++ b/home/packages/cli/shared.nix @@ -23,6 +23,7 @@ curl # CLI tool for transfering data with URLs lm_sensors # tools for reading hw sensors p7zip # 7zip fork with some improvements + e2fsprogs # tools for creating and checking ext filesystems # Rust replacements procs # better ps From eefda2047d63ba701a59f290813a2ba0388f5883 Mon Sep 17 00:00:00 2001 From: ItsDrike Date: Sun, 23 Jun 2024 17:04:29 +0200 Subject: [PATCH 4/4] Update secure boot docs --- docs/03_SECURE_BOOT.md | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/docs/03_SECURE_BOOT.md b/docs/03_SECURE_BOOT.md index 6b8e98e..70b9142 100644 --- a/docs/03_SECURE_BOOT.md +++ b/docs/03_SECURE_BOOT.md @@ -61,8 +61,8 @@ permissions of the secret key so that only root can read it. ## lanzaboote -`lanzaboote` is a tool to help you set up secure boot in NixOS. To install it, you can add -it as an input for your flake: +`lanzaboote` is a tool to help you set up secure boot in NixOS. To install it, you can add it as an input for your +flake: ```nix lanzaboote = { @@ -111,7 +111,8 @@ Note that you shouldn't really need to use this. ## Enabling secure boot -Now that NixOS is ready for secure-boot, we will set up firmware. At the end of this section, Secure Boot will be enabled on your system and your firmware will only boot binaries that are signed with your keys. +Now that NixOS is ready for secure-boot, we will set up firmware. At the end of this section, Secure Boot will be +enabled on your system and your firmware will only boot binaries that are signed with your keys. ### Enter Setup mode 
@@ -138,11 +139,18 @@ You will now have to enroll your new keys to activate Secure Boot. sudo sbctl enroll-keys -m ``` -> [!NOTE] +> [!WARNING] > The `-m` option (also known as `--microsoft`) will make sure to also include the Microsoft > signing keys. This is required by most motherboards, not using it could brick your device. -This should automatically enable secure boot in user mode for you. You can now reboot the system. +> [!NOTE] +> If you encounter "File is immutable" warnings after running sbctl, it should be safe to simply add the `-i` (or +> `--ignore-immutable`) flag, which will run `chattr` and remove the immutable flags from these files for you. +> +> If you still encounter errors even with this flag, it means you have probably done something wrong when entering the +> setup mode. Try looking for a option like "Reset keys" in your UEFI, then try this again. + +This should automatically enable secure boot in user mode for you. You can now **reboot the system**. ### Make sure it worked
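Review bot (PATCH 1/4, `bootctl` hunk): the commit subject calls this a typo, but `bootctl info` is not a `bootctl` subcommand at all, so the old line failed outright rather than printing the wrong thing; consider phrasing the subject as "fix wrong bootctl subcommand". `bootctl status` is correct, and its `Firmware:` line is the one the following sentence (`Make sure the \`Firmware\` is reported as \`UEFI\``) refers to, so the command and the instruction now agree. For readers who are not on systemd-boot, the doc could also mention that the presence of the `/sys/firmware/efi` directory is an equivalent, bootloader-independent check.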
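Review bot (PATCH 2/4, admonition hunk): the substitution of "Secure Boot" for "UEFI" is right, since the sentence is about the boot policy and not the firmware as a whole, but the unchanged context line just above it, `resets the UEFI. That means turning off Secure Boot, and getting rid of the BIOS password`, still overstates what a CMOS reset does: it returns the firmware settings to their defaults, which discards the enrolled custom keys and the password; whether Secure Boot then ends up disabled or re-enabled with the vendor's default key set depends on the board, and in either case the custom-key policy is gone, which is the point the note wants to make. Suggest `resets the UEFI settings to their defaults, discarding your enrolled keys and the BIOS password`. Minor: `a specialized motherboard, which persists the UEFI state` is a restrictive clause and reads better as `that persists` without the comma.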
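Review bot (PATCH 3/4, `shared.nix` hunk): `e2fsprogs` is being added to the home-manager (per-user) list in `home/packages/cli/shared.nix`, but `mkfs.ext4`, `e2fsck` and `tune2fs` are run against block devices as root, and depending on how `sudo` is configured (`secure_path`, `env_reset`) root's `PATH` may not include the user profile, so the tools would be installed but not found where they are needed. If that is the intended use, `environment.systemPackages` is the better home; and if I recall correctly, a NixOS host whose `fileSystems` already declares an ext filesystem pulls `e2fsprogs` in system-wide through `system.fsPackages`, which would make this entry redundant. While in this block, the context line `curl # CLI tool for transfering data with URLs` has a typo (`transferring`).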
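Review bot (PATCH 4/4, `## lanzaboote` hunk): this hunk and the `## Enabling secure boot` hunk are pure line reflows with no wording change, bundled into a commit titled only "Update secure boot docs". That is fine to merge, but the subject hides the one substantive change in the series (the NOTE to WARNING promotion and the new immutable-flag note in the last hunk); suggest either a subject that names it, e.g. "docs: warn about sbctl -m and document --ignore-immutable", or splitting the reflows into their own commit so `git blame` on those lines does not point at a content change.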
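Review bot (PATCH 4/4, `sbctl enroll-keys` hunk): the new NOTE tells readers to add `-i`/`--ignore-immutable` without saying what the immutable bit is protecting. The files in question are EFI variables exposed through efivarfs, and the kernel marks them immutable precisely so that a stray write or `rm` cannot clobber firmware variables and brick the board; suggest saying so, and scoping the advice to what sbctl actually does, e.g. `the flag runs chattr -i on the efivars files sbctl is about to rewrite (PK, KEK, db) and nothing else`, rather than implying that any immutability warning is safe to override. The second paragraph makes readers discover a wrong setup-mode state only after enrollment fails; a cheaper check is to tell them to run `sbctl status` first and confirm it reports Setup Mode as enabled before `sudo sbctl enroll-keys -m`. Grammar: `Try looking for a option` should be `an option`, and in the WARNING `This is required by most motherboards, not using it could brick your device.` is a comma splice, so use a semicolon or `and`.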