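# NixOS module: opt-in UEFI Secure Boot using lanzaboote.
#
# Setting `my.secure-boot.enable = true` installs sbctl, turns off the stock
# systemd-boot installer and enables lanzaboote with its PKI bundle at
# /etc/secureboot.
#
# Enabling this module does not by itself make the firmware enforce Secure
# Boot: the keys under the PKI bundle still have to be generated and enrolled
# in the firmware (sbctl is installed for that), and `sbctl status` /
# `sbctl verify` are the usual way to confirm the result.
{ pkgs, config, lib, inputs, ... }:
let
  cfg = config.my.secure-boot;
in
{
  # lanzaboote's NixOS module is taken from the flake inputs, so `inputs`
  # must be passed to modules (e.g. via specialArgs) by the caller.
  imports = [ inputs.lanzaboote.nixosModules.lanzaboote ];

  options.my.secure-boot = {
    # mkEnableOption interpolates its argument into the option description,
    # so it must be a string; a null here only fails once the description is
    # evaluated (e.g. when option documentation is generated).
    enable = lib.mkEnableOption "UEFI Secure Boot via lanzaboote (replaces systemd-boot)";
  };

  config = lib.mkIf cfg.enable {
    # sbctl: key creation/enrollment and signature verification tooling.
    environment.systemPackages = [ pkgs.sbctl ];

    boot = {
      # lanzaboote takes over boot loader installation; mkForce overrides the
      # `true` that a generated configuration.nix typically sets.
      loader.systemd-boot.enable = lib.mkForce false;

      lanzaboote = {
        enable = true;
        # Directory holding the Secure Boot signing keys. Kept as a string
        # (not a Nix path literal) so the private keys are referenced in
        # place rather than copied into the world-readable Nix store.
        # The directory should be readable by root only.
        # NOTE(review): newer sbctl releases appear to default to
        # /var/lib/sbctl; confirm this path matches where the keys actually
        # live on the target hosts before changing it.
        pkiBundle = "/etc/secureboot";
      };
    };
  };
}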