# NixOS module: hand boot loader installation to lanzaboote so that the boot
# artifacts are signed for UEFI Secure Boot, on top of the settings in ./boot.nix.
#
# NOTE(review): the boot.lanzaboote.* options only exist when the lanzaboote
# module is imported somewhere else in the configuration; this file does not do so.
# NOTE(review): signing by itself enforces nothing. The firmware must have
# Secure Boot enabled with the matching keys enrolled, which cannot be checked
# from this file (verify on the machine, e.g. with `sbctl status`).
{ lib, config, pkgs, ... }:
{
  imports = [ ./boot.nix ];

  boot = {
    loader = {
      # lanzaboote replaces the stock systemd-boot module. mkForce makes this
      # definition win over any other module that enables systemd-boot
      # (presumably ./boot.nix; confirm).
      systemd-boot.enable = lib.mkForce false;

      # Allow the boot loader installer to modify EFI variables (boot entries).
      efi.canTouchEfiVariables = true;
    };

    lanzaboote = {
      enable = true;

      # Directory holding the Secure Boot key bundle used for signing.
      # It contains private signing keys: keep it owned by root and not
      # readable by other users, and keep it out of unencrypted backups.
      # It is deliberately a string rather than a Nix path literal, so the
      # keys are referenced in place instead of being copied into the
      # world-readable Nix store.
      pkiBundle = "/etc/secureboot";
    };

    # Clear /tmp on every boot.
    tmp.cleanOnBoot = true;

    # Use systemd inside the initrd (stage 1).
    initrd.systemd.enable = true;
  };
}