# NixOS module: UEFI Secure Boot via lanzaboote.
#
# Exposes `system.secure_boot.enable`; when set, it swaps the systemd-boot
# loader for lanzaboote (which signs the boot entries with keys from
# `pkiBundle`) and installs the sbctl userspace tooling.
#
# `inputs` is not a standard module argument; this file expects the flake
# inputs to be passed in (e.g. via specialArgs) -- confirm against the caller.
{ pkgs, inputs, config, lib, ... }:
let
  cfg = config.system.secure_boot;
in {
  options.system.secure_boot = {
    enable = lib.mkEnableOption "enables secureboot with lanzaboote";
  };

  # Pull in the upstream lanzaboote module so `boot.lanzaboote.*` exists.
  imports = [inputs.lanzaboote.nixosModules.lanzaboote];

  config = lib.mkIf cfg.enable {
    # Userspace tools: sbctl manages keys/enrollment and verifies signatures.
    # e2fsprogs is not a Secure Boot tool; presumably kept for filesystem
    # utilities -- verify it is still needed.
    environment.systemPackages = with pkgs; [ sbctl e2fsprogs ];

    # lanzaboote replaces systemd-boot as the installed loader; mkForce wins
    # over any other module that enables systemd-boot.
    boot.loader.systemd-boot.enable = lib.mkForce false;

    /*
      This uses the lanzaboote project for Secure Boot.
      Setup guide: https://github.com/nix-community/lanzaboote/blob/master/docs/QUICK_START.md

      tl;dr (while still booting with systemd-boot):
        1. Generate keys:
             nix-shell -p sbctl --run "sudo sbctl create-keys"
           (keys land in /var/lib/sbctl, which is what `pkiBundle` below points at;
           they are the root of trust for your boot chain, so keep the directory
           root-only and back it up somewhere safe)
        2. Rebuild with this module enabled, then check `sudo sbctl verify` --
           every listed boot entry must show as signed before rebooting, otherwise
           those entries will not boot once enforcement is on.
        3. Reboot, enable Secure Boot "setup mode" in the firmware.
        4. Confirm setup mode with `sudo sbctl status`.
        5. Enroll keys with `sudo sbctl enroll-keys`. The `--microsoft` flag also
           enrolls Microsoft's keys: on many machines this is required for firmware
           option ROMs (GPU, NIC) and for dual-booting, at the cost of trusting
           anything Microsoft-signed. Leave it out only if you have checked your
           hardware does not need it.
        6. Reboot (disable setup mode if the firmware did not do it automatically),
           then confirm enforcement with `sudo bootctl status`.
    */
    boot.lanzaboote = {
      enable = true;
      # Directory holding the sbctl-generated signing keys used at install time.
      pkiBundle = "/var/lib/sbctl";
    };
  };
}