{ config, lib, pkgs, lanzaboote, ... }:
{
  imports = [ lanzaboote.nixosModules.lanzaboote ];

  boot = lib.mkIf config.boot.lanzaboote.enable {
    lanzaboote.pkiBundle = "/etc/secureboot";
  };

  environment.systemPackages = with pkgs; [ sbctl ];
}