{
  options,
  config,
  lib,
  pkgs,
  ...
}:

with lib;
with lib.metacfg;
let
  cfg = config.metacfg.secureboot;
in
{
  options.metacfg.secureboot = with types; {
    enable = mkBoolOpt false "Whether or not to enable secureboot.";
  };

  config = mkIf cfg.enable {
    boot = {
      lanzaboote = {
        enable = true;
        pkiBundle = "/etc/secureboot";
      };
      loader.systemd-boot.enable = lib.mkForce false;
    };
  };
}