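{ config, lib, pkgs, ... }:
# NixOS module: UEFI Secure Boot via lanzaboote, keys managed with sbctl.
#
# Enabling `local.boot.secureBoot.enable` replaces the plain systemd-boot
# installer with lanzaboote and persists the directory that holds the
# Secure Boot PKI so it survives an ephemeral root filesystem.
# Key creation and enrollment are NOT automated here; they remain an
# operator step with sbctl (this module only installs the tool).
with lib;
let
  cfg = config.local.boot.secureBoot;

  # Directory handed to lanzaboote as its PKI bundle and persisted below.
  # It is expected to hold the key material sbctl creates; anything that can
  # write here can sign what the firmware will trust, which is why the
  # persisted directory is root-only (see `mode` below).
  # `/etc/secureboot` is the older sbctl location, `/var/lib/sbctl` the
  # current one.
  pkiBundle =
    if cfg.legacyPath then "/etc/secureboot" else "/var/lib/sbctl";
in
{
  options.local.boot.secureBoot = {
    enable = mkEnableOption "secure boot";

    legacyPath = mkOption {
      type = types.bool;
      default = false;
      example = true;
      description = ''
        Keep the Secure Boot PKI bundle at the legacy sbctl location
        `/etc/secureboot` instead of `/var/lib/sbctl`. Set this on hosts
        whose keys were created at the old path and have not been moved.
        Flipping the value only changes which directory is used and
        persisted; it does not migrate existing keys.
      '';
    };
  };

  config = mkIf cfg.enable {
    assertions = [
      {
        assertion = config.local.boot.efi.enable;
        message = "secure boot requires EFI";
      }
      {
        # lanzaboote builds on systemd-boot; any other loader choice in this
        # configuration cannot be signed by it.
        assertion = config.local.boot.loader == "systemd-boot";
        message = "lanzaboote requires systemd-boot";
      }
    ];

    boot = {
      # lanzaboote takes over installing the boot entries, so the stock
      # systemd-boot installer is forced off to avoid two installers
      # competing for the ESP.
      loader.systemd-boot.enable = mkForce false;
      lanzaboote = {
        enable = true;
        inherit pkiBundle;
      };
    };

    # sbctl: create/enroll keys, sign binaries, inspect Secure Boot status.
    environment.systemPackages = [ pkgs.sbctl ];

    # Persist the PKI directory as root:root with mode 0700 so the signing
    # keys survive an ephemeral root and are never readable by other users.
    local.boot.impermanence.trust.directories = [
      {
        directory = pkiBundle;
        user = "root";
        group = "root";
        mode = "u=rwx,g=,o=";
      }
    ];
  };
}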