add lanzaboote

modules/security/secure-boot/secure-boot.nix

@@ -1,7 +1,16 @@
-{ ... }: {
-  flake.nixosModules.secure-boot = { pkgs, ... }: {
-    environment.systemPackages = with pkgs; [
-      sbctl
+{ inputs, ... }: {
+  flake.nixosModules.secure-boot = { pkgs, lib, ... }: {
+    imports = [
+      inputs.lanzaboote.nixosModules.lanzaboote
     ];
+
+    environment.systemPackages = [ pkgs.sbctl ];
+
+    boot.loader.systemd-boot.enable = lib.mkForce false;
+
+    boot.lanzaboote = {
+      enable = true;
+      pkiBundle = "/var/lib/sbctl";
+    };
   };
 }