fix(stolas): enable lanzaboote and additional firmware

nixos/stolas/default.nix

@@ -12,12 +12,17 @@
   };
 
   boot = {
-    # TODO lanzaboote = {
-    #  enable = true;
-    #  pkiBundle = "/var/lib/sbctl";
-    #};
+    lanzaboote = {
+      enable = true;
+      pkiBundle = "/var/lib/sbctl";
+    };
     kernelModules = [ "kvm-amd" ];
     extraModulePackages = [ pkgs.linuxPackages.v4l2loopback ];
+    # Lanzaboote currently replaces the systemd-boot module.
+    # This setting is usually set to true in configuration.nix
+    # generated at installation time. So we force it to false
+    # for now.
+    loader.systemd-boot.enable = lib.mkForce false;
     initrd = {
       availableKernelModules = [
         "nvme"
@@ -26,16 +31,8 @@
         "usb_storage"
         "sd_mod"
       ];
-      # TODO disable for lanzaboote
-      systemd.enable = true;
-      # Lanzaboote currently replaces the systemd-boot module.
-      # This setting is usually set to true in configuration.nix
-      # generated at installation time. So we force it to false
-      # for now.
-      #boot.loader.systemd-boot.enable = lib.mkForce false;
       luks.devices = {
         root = {
-          # TODO 
           device = "/dev/disk/by-uuid/81dfbfa5-d578-479c-b11c-3ee5abd6848a";
           allowDiscards = true;
           # TODO lanzaboote + TPM2 unlock with PIN https://www.freedesktop.org/software/systemd/man/251/systemd-cryptenroll.html#--tpm2-with-pin=BOOL
@@ -54,6 +51,7 @@
     # NOTE: hardware.framework.enableKmod requires kernel patching, but enables access to some EC features
     bluetooth.enable = true;
     cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+    enableAllFirmware = true;
     framework.laptop13.audioEnhancement.enable = true;
     graphics = {
       enable = true;