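{ config, lib, pkgs, ... }:
{
  boot = {
    # lanzaboote takes over boot-loader installation; mkForce ensures no
    # other module can re-enable the stock systemd-boot installer alongside it.
    loader.systemd-boot.enable = lib.mkForce false;
    lanzaboote = {
      enable = true;
      # sbctl expects its key bundle under /etc/secureboot.
      pkiBundle = "/etc/secureboot";
    };
  };

  system.activationScripts = {
    # Unpack the Secure Boot signing keys from an agenix-decrypted tarball
    # into the lanzaboote PKI bundle directory on every activation.
    "secureboot-keys" = {
      # The tarball only exists once agenix has decrypted it.
      deps = [ "agenix" ];
      # NOTE: activation snippets are concatenated into one script, so a
      # shebang line here would be a no-op; a subshell keeps `set -e` and
      # the umask from leaking into the other activation snippets.
      text = ''
        (
          set -eu
          # Private key material: nothing may be group/other-readable at
          # any point, including between extraction and the final chmod.
          umask 077
          bundle=${config.boot.lanzaboote.pkiBundle}
          rm -rf "$bundle"
          mkdir -p -m 0700 "$bundle"
          # tar running as root would otherwise restore the owner and the
          # (possibly world-readable) modes stored in the archive; ignore
          # both so the umask above decides the created modes.
          ${pkgs.gnutar}/bin/tar --no-same-owner --no-same-permissions \
            -xf ${config.age.secrets.secureboot-tar.path} -C "$bundle"
          # Group access is never granted, so there is no reason for the
          # keys to be group-owned by anyone but root.
          chown -R root:root "$bundle"
          # Directories need the search bit to be traversed; key files are
          # read-only for root and must never carry an execute bit.
          ${pkgs.findutils}/bin/find "$bundle" -type d -exec chmod 0500 {} +
          ${pkgs.findutils}/bin/find "$bundle" -type f -exec chmod 0400 {} +
        )
      '';
    };
  };
}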