nixfiles/nixos/profiles/secureboot.nix

{
  pkgs,
  lib,
  ...
}: let
  inherit (lib.modules) mkForce;
in {
  environment.systemPackages = with pkgs; [
    sbctl
  ];
  boot = {
    loader = {
      systemd-boot.enable = mkForce false;
    };
    lanzaboote = {
      enable = true;
      pkiBundle = "/etc/secureboot";
    };
  };
}