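{ pkgs, inputs, config, lib, ... }:
# NixOS module: opt-in UEFI Secure Boot via lanzaboote.
# Setting `system.secure_boot.enable = true` swaps systemd-boot for
# lanzaboote, which signs the boot chain with the keys kept in `pkiBundle`.
let
  cfg = config.system.secure_boot;
in
{
  options.system.secure_boot = {
    # mkEnableOption prefixes "Whether to enable " to the text, so the
    # argument has to be a noun phrase; "enables secureboot ..." would render
    # as "Whether to enable enables secureboot ...".
    enable = lib.mkEnableOption "Secure Boot via lanzaboote";
  };

  # The lanzaboote module provides the `boot.lanzaboote.*` options used below.
  imports = [ inputs.lanzaboote.nixosModules.lanzaboote ];

  config = lib.mkIf cfg.enable {
    # Userspace tooling for key creation/enrollment and signature checks.
    environment.systemPackages = [ pkgs.sbctl ];

    # lanzaboote takes the place of systemd-boot; mkForce overrides any other
    # module that turns systemd-boot on.
    boot.loader.systemd-boot.enable = lib.mkForce false;

    # The keys must already exist in pkiBundle before the first build with
    # this module enabled, e.g.:
    #   nix-shell -p sbctl --run "sbctl create-keys"
    # NOTE(review): pkiBundle holds the private Secure Boot signing keys, the
    # root of trust for the whole boot chain. sbctl creates the directory
    # root-only; confirm that stays true on this host, since anyone able to
    # read those keys can produce a bootable image the firmware will accept.
    boot.lanzaboote = {
      enable = true;
      pkiBundle = "/var/lib/sbctl";
    };
  };
}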