modules/secure-boot.nix

{ pkgs, lanzaboote, lib, ... }: {
  imports = [
    lanzaboote.nixosModules.lanzaboote
  ];
  config = {
    boot = {
      bootspec.enable = true;
      loader.systemd-boot.enable = lib.mkForce false;
      lanzaboote = {
        enable = true;
        pkiBundle = "/etc/secureboot";
      };
    };

    environment = {
      persistence."/nix/persist".directories = [
        "/etc/secureboot"
      ];
      systemPackages = [ pkgs.sbctl ];
    };
  };
}