# NixOS module: opt-in Secure Boot signing via Lanzaboote.
#
# Declares `system.lanzaboote.enable` (off by default). When it is set, the
# module turns on `boot.lanzaboote`, force-disables systemd-boot, and adds
# `sbctl` to the system packages.
#
# NOTE(review): nothing in this module creates or enrolls keys, or checks that
# the firmware actually enforces Secure Boot; presumably that happens out of
# band. `sbctl status` on the host reports the real state.
{ lanzaboote, lib, config, pkgs, ... }:
let
  cfg = config.system.lanzaboote;
in
{
  # Upstream module taken from the `lanzaboote` argument; it supplies the
  # `boot.lanzaboote.*` options assigned below.
  imports = [ lanzaboote.nixosModules.lanzaboote ];

  options.system.lanzaboote.enable = lib.mkOption {
    type = lib.types.bool;
    default = false;
    description = "Enable Lanzaboote and force disable Systemd-boot";
  };

  config = lib.mkIf cfg.enable {
    # mkForce makes this definition override any other module that enables
    # systemd-boot at default priority, so only one boot-loader installer runs.
    boot.loader.systemd-boot.enable = lib.mkForce false;

    boot.lanzaboote.enable = true;

    # Location of the Secure Boot key bundle used for signing. It holds
    # private keys, so it should be root-owned and not world-readable.
    # Kept as a string, not a Nix path literal: a path literal would copy the
    # keys into the world-readable /nix/store.
    # NOTE(review): newer sbctl releases default to /var/lib/sbctl; confirm
    # this matches where the keys were created on the target host.
    boot.lanzaboote.pkiBundle = "/etc/secureboot";

    # sbctl is installed for key management and for verifying signed boot files.
    environment.systemPackages = [ pkgs.sbctl ];
  };
}