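{ config, lib, pkgs, ... }:
with lib;
let
  cfg = config.local.boot.secureBoot;

  # Single source of truth for the Secure Boot PKI location (the key/cert
  # bundle lanzaboote signs with).  Both lanzaboote and the impermanence
  # persistence list read this binding so the two paths cannot drift apart.
  pkiBundle = "/etc/secureboot";
in
{
  # UEFI Secure Boot via lanzaboote: boot images are signed with the keys in
  # `pkiBundle` so the firmware only runs what this host has signed.
  options.local.boot.secureBoot = {
    enable = mkEnableOption "secure boot";
  };

  config = mkIf cfg.enable {
    assertions = [
      {
        # Secure Boot is a UEFI feature; a legacy/BIOS boot path has no
        # signature verification to enforce.
        assertion = config.local.boot.efi.enable;
        message = "secure boot requires EFI";
      }
      {
        # lanzaboote is built around systemd-boot; other loaders are not
        # handled by this module.
        assertion = config.local.boot.loader == "systemd-boot";
        message = "lanzaboote requires systemd-boot";
      }
    ];

    boot = {
      # lanzaboote ships and signs its own systemd-boot, so the stock module
      # must be turned off or both would write to the ESP.  mkForce wins over
      # whatever the loader selection sets elsewhere in the configuration.
      loader.systemd-boot.enable = mkForce false;

      lanzaboote = {
        enable = true;
        inherit pkiBundle;
      };
    };

    # sbctl is the tool used to create, enroll and inspect the keys that
    # live in `pkiBundle`.
    environment.systemPackages = [ pkgs.sbctl ];

    # The bundle contains the *private* signing keys.  On an ephemeral root
    # it has to be persisted, otherwise every rebuild would be unable to sign
    # the new generation.  Persisting it also means those keys sit on the
    # persistent volume, so that volume should be root-only and ideally
    # encrypted.  NOTE(review): no permissions are enforced here — confirm
    # the directory is created 0700 by the tooling that populates it.
    local.boot.impermanence.directories = [ pkiBundle ];
  };
}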