NixOS on secure boot Debian-based laptop

Hi all! This is probably an unusual request.

I recently got a laptop from work for me to try out. I’d like to run NixOS on it.
The policy of our ICT department is to run Debian. It has Debian pre-installed, it has an encrypted root partition, and it has secure boot enabled.

I installed Nix in multi-user mode. I installed the nixos-install package. I ran the installer inside of Debian. With the right configuration it installed NixOS on top of the existing Debian installation. Upon rebooting, Grub has the right boot entries. However, when trying to start NixOS from Grub, it fails, saying the kernel has an invalid signature.

Secure boot is enabled on the laptop. So, my thinking is that the NixOS kernel is not signed with a certificate that is allowed by secure boot. This makes sense. I can imagine that the laptop is pre-installed with certificates of Debian.

So I tried starting NixOS with Debian's kernel and Debian's initrd to get a step further in the process. With Grub I managed to run the (still ‘installed’) Debian kernel and initrd; I managed to run a shell and could start a root bash shell. I can even run parts of NixOS's systemd and also its debug-shell.

To get things working, I’d like to run initrd from NixOS with the Debian kernel and the Debian modules. I hoped it would be a matter of creating a Nix package that outputs the Debian linux-image as bzImage. Just like linuxPackages.kernel of NixOS does.

My first thought was to do something like:

boot.kernelPackages = {
  # copy the Debian kernel image into $out/bzImage, the file name NixOS expects on x86_64
  kernel = pkgs.runCommand "linux-debian" { } "mkdir $out && cp ${/boot/vmlinuz-5.8.0-0.bpo.2-amd64} $out/bzImage";
};

However, boot.kernelPackages.kernel apparently needs to support .override and .extend.

What is the best way to use a binary Linux kernel with NixOS?
I can imagine it is not officially supported, but if there is a dirty way to do this I'd really like to know.

Or am I overlooking some other way to get NixOS working on the laptop?

I worked around this issue. I used Grub EFI from Debian, started the Debian kernel + initrd, and disabled Grub's kernel validation using sudo mokutil --disable-validation.

It would still be nice to have secure boot support in NixOS, so that the laptop can be just as secure as with Debian. I see there is some progress here.

That said, I can now run NixOS, so this question is resolved.
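The question above asks how to feed an already-built (and, under secure boot, already-signed) Debian kernel to NixOS when boot.kernelPackages insists on .override and .extend. The following is an added example written for this page, not the poster's configuration and not code from nixpkgs. It assumes the version string and the /boot and /lib/modules paths from the post (5.8.0-0.bpo.2-amd64) and relies on two nixpkgs helpers that exist in the tree: lib.makeOverridable, which supplies the .override that the option's apply function calls on the kernel, and pkgs.linuxPackagesFor, which wraps a kernel derivation into the extensible package set that supplies .extend. The config parser is there because several NixOS modules query kernel.config with isYes/isEnabled-style predicates (system.requiredKernelConfig); a binary kernel has to provide those too. It has not been run on the poster's laptop.

```nix
# Added example: package a prebuilt Debian kernel image and its modules so
# that NixOS accepts it as boot.kernelPackages. Paths and the version string
# are assumptions taken from the post and must match the installed image.
{ config, pkgs, lib, ... }:

let
  debianVersion = "5.8.0-0.bpo.2-amd64";   # assumed: Debian's `uname -r`

  # Minimal reader for Debian's /boot/config-<version>. It returns the
  # { CONFIG_FOO = "y"; ... } attrset plus the predicates that NixOS's
  # requiredKernelConfig assertions call on kernel.config.
  readConfig = path:
    let
      lines = lib.splitString "\n" (builtins.readFile path);
      parseLine = line:
        let m = builtins.match "(CONFIG_[A-Za-z0-9_]+)=(.*)" line;
        in if m == null then { }
           else { ${builtins.elemAt m 0} = builtins.elemAt m 1; };
      cfg = lib.foldl' (acc: line: acc // parseLine line) { } lines;
      valueOf = option: cfg.${option} or null;
    in cfg // rec {
      isSet      = option: builtins.hasAttr option cfg;
      isYes      = option: valueOf option == "y";
      isNo       = option: valueOf option == "n";
      isModule   = option: valueOf option == "m";
      isEnabled  = option: isYes option || isModule option;
      isDisabled = option: !(isSet option) || isNo option;
    };

  # boot.kernelPackages' apply calls kernel.override with kernelPatches and
  # features, so the wrapper is a makeOverridable function that accepts those
  # arguments. Nothing is compiled here, so patches cannot be applied; they are
  # only recorded in passthru.
  debianKernel = lib.makeOverridable
    ({ kernelPatches ? [ ], features ? { }, ... }:
      pkgs.runCommand "linux-debian-${debianVersion}" {
        passthru = {
          version = debianVersion;
          modDirVersion = debianVersion;
          config = readConfig /boot/config-5.8.0-0.bpo.2-amd64;
          stdenv = pkgs.stdenv;   # linuxPackagesFor inherits stdenv from the kernel
          inherit features kernelPatches;
        };
      } ''
        # Layout NixOS expects: $out/bzImage plus $out/lib/modules/<modDirVersion>
        mkdir -p $out/lib/modules
        cp ${/boot/vmlinuz-5.8.0-0.bpo.2-amd64} $out/bzImage
        cp -r ${/lib/modules/5.8.0-0.bpo.2-amd64} $out/lib/modules/${debianVersion}
        chmod -R u+w $out/lib/modules
      '')
    { };
in
{
  # linuxPackagesFor turns the kernel into an extensible package set, which is
  # what gives boot.kernelPackages the .extend that the option's apply needs.
  boot.kernelPackages = pkgs.linuxPackagesFor debianKernel;
}
```

Two caveats worth knowing before relying on this. The Nix path literals copy the vmlinuz, the config file and the whole modules directory into the store at evaluation time, so the expression must be evaluated on the Debian install (or the files must be made available under those paths), and the "build" symlink inside the modules directory will dangle in the store, which depmod tolerates. On the security side, this only keeps the vendor-signed kernel in play; neither shim nor GRUB verifies the initrd, so the NixOS initrd from the store is unverified at boot, exactly as Debian's own initrd is, and disabling validation with mokutil removes even the kernel check.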