{ config, lib, pkgs, lanzaboote, ... }:
{
  imports = [ lanzaboote.nixosModules.lanzaboote ];

  options.system.lanzaboote.enable = lib.mkEnableOption "Enable lanzaboote";

  config = lib.mkIf config.system.lanzaboote.enable {
    boot = {
      loader.systemd-boot.enable = lib.mkForce false;
      lanzaboote = {
        enable = true;
        pkiBundle = "/etc/secureboot";
      };
    };
    environment.systemPackages = with pkgs; [ sbctl ];
  };
}