nixos-config/nixos/profiles/system/boot/secure-boot.nix

{ pkgs, lib, ... }:
{
  environment.systemPackages = with pkgs; [ sbctl ];

  boot.loader.systemd-boot.enable = lib.mkForce false;

  boot.lanzaboote = {
    enable = true;
    pkiBundle = "/etc/secureboot";
  };

  environment.globalPersistence.directories = [ "/etc/secureboot" ];
}