# NixOS module: Secure Boot through lanzaboote, plus TPM2-assisted unlock of
# the LUKS device named "root" from a systemd-based initrd.
{ pkgs, lib, ... }:
{
  # Admin tooling installed system-wide: Secure Boot key management (sbctl),
  # LUKS management (cryptsetup) and EFI binary signing (sbsigntool).
  environment.systemPackages = [
    pkgs.sbctl
    pkgs.cryptsetup
    pkgs.sbsigntool
  ];

  # TPM2 support, including the PKCS#11 interface to the TPM.
  security.tpm2 = {
    enable = true;
    pkcs11.enable = true;
  };

  boot = {
    # lanzaboote takes over boot-loader installation, so the stock
    # systemd-boot module is forced off.
    loader.systemd-boot.enable = lib.mkForce false;

    initrd = {
      # Stage 1 runs systemd; the crypttab option below is handled by
      # systemd-cryptsetup.
      systemd.enable = true;

      # Only adds an option to the existing "root" entry; the device itself is
      # presumably declared elsewhere (e.g. hardware-configuration.nix).
      # "tpm2-device=auto" lets the initrd try a TPM2-sealed key. It has no
      # effect until a TPM2 key slot is enrolled on the volume (typically with
      # systemd-cryptenroll).
      # NOTE(review): the PCR policy chosen at enrollment decides what the
      # unlock is bound to, and nothing in this file sets it. Confirm that it
      # includes the Secure Boot state (PCR 7) and that a passphrase or
      # recovery key slot remains for when measurements change.
      luks.devices.root.crypttabExtraOpts = [ "tpm2-device=auto" ];
    };

    lanzaboote = {
      enable = true;
      # Directory holding the Secure Boot key bundle, private signing keys
      # included. Assumes it sits on the encrypted root filesystem and is
      # readable by root only; verify permissions on the deployed host.
      pkiBundle = "/var/lib/sbctl";
    };
  };
}