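# NixOS module: opt-in Secure Boot via lanzaboote, gated behind the
# `pim.lanzaboote.enable` option. Expects the lanzaboote flake to be
# reachable as `inputs.lanzaboote` from the flake's specialArgs.
{ config, lib, inputs, ... }:
{
  imports = [ inputs.lanzaboote.nixosModules.lanzaboote ];

  options = {
    # `lib.mkEnableOption` takes the feature *name* as a string and derives
    # the bool option (default false) plus its "Whether to enable <name>."
    # description from it. The original passed an attrset here, which
    # nixpkgs would try to interpolate into that description string and
    # fail on ("cannot coerce a set to a string") once option docs are
    # evaluated.
    pim.lanzaboote.enable = lib.mkEnableOption "lanzaboote";
  };

  config = lib.mkIf config.pim.lanzaboote.enable {
    boot = {
      # generate keys first with: `sudo nix run nixpkgs#sbctl create-keys`
      # switch from lzb to bootspec by adding following line to the system configuration:
      # bootspec.enable = true;
      loader = {
        # lanzaboote replaces systemd-boot as the bootloader (see below),
        # so systemd-boot is forced off. Default is:
        # systemd-boot.enable = true;
        systemd-boot.enable = lib.mkForce false;
        efi = {
          # Needed so the bootloader installer can write EFI boot entries.
          canTouchEfiVariables = true;
        };
      };
      lanzaboote = {
        enable = true;
        # Directory holding the Secure Boot keys created by sbctl above.
        # These are the signing keys for every boot artifact: keep the
        # directory root-only and out of the repository; it is read at
        # build/switch time, not copied into the store.
        pkiBundle = "/etc/secureboot";
      };
    };
  };
}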