use lanzaboote

nixos/default.nix

@@ -1,8 +1,6 @@
 { pkgs, config, lib, ... }: {
   imports = [ ./hardware-configuration.nix ];
 
-  boot = { loader.systemd-boot.enable = true; };
-
   time.timeZone = "Europe/Amsterdam";
   i18n.defaultLocale = "en_US.UTF-8";
 

nixos/hardware-configuration.nix

@@ -1,7 +1,7 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }: {
+{ config, lib, modulesPath, ... }: {
   imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
 
   boot.initrd.availableKernelModules =
@@ -9,6 +9,13 @@
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ "kvm-intel" ];
   boot.extraModulePackages = [ ];
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+
+  boot.lanzaboote = {
+    enable = true;
+    pkiBundle = "/etc/secureboot";
+  };
+
 
   fileSystems."/" = {
     device = "/dev/disk/by-uuid/33e4587b-fba3-4a9d-82d2-a9e49a8e75fa";