nixos-config/modules/system/devices/boot/lanzaboote/default.nix

{ config, pkgs, lanzaboote, ... }:
{
  imports = [ lanzaboote.nixosModules.lanzaboote ];

  boot.lanzaboote.pkiBundle = "/etc/secureboot";

  environment = {
    systemPackages = with pkgs; [ sbctl ];
    persistence."/persist".directories = [{
      directory = config.boot.lanzaboote.pkiBundle;
      mode = "0700";
    }];
  };
}