{ pkgs, ... }:
{
  boot = {
    kernelPackages = pkgs.linuxPackages_hardened;
    lanzaboote.enable = true;
  };
}