{ options, config, lib, pkgs, ... }:

with lib;
with lib.metacfg;
let cfg = config.metacfg.secureboot;
in
{
  options.metacfg.secureboot = with types; {
    enable = mkBoolOpt false "Whether or not to enable secureboot.";
  };

  config = mkIf cfg.enable {
    boot = {
      lanzaboote = {
        enable = true;
        pkiBundle = "/etc/secureboot";
      };
      loader.systemd-boot.enable = lib.mkForce false;
    };
  };
}