nixos-config/modules/system/devices/boot/lanzaboote/default.nix

{ config, lib, pkgs, lanzaboote, ... }:
{
  imports = [ lanzaboote.nixosModules.lanzaboote ];

  boot = lib.mkIf config.boot.lanzaboote.enable {
    loader.systemd-boot.enable = lib.mkForce false;
    lanzaboote.pkiBundle = "/etc/secureboot";
  };

  environment.systemPackages = with pkgs; [ sbctl ];
}