# Secure Boot via lanzaboote: generations are signed with a private key that
# agenix provides at activation time, so only the encrypted blob is committed
# and the plaintext key is never copied into the Nix store. The public db
# certificate is kept in the repository alongside this module.
{ config, inputs, ... }:
let
  # The agenix secret declared below; `.path` is where the decrypted key lands.
  signingKey = config.age.secrets.secureBootKey;
in
{
  imports = [ inputs.lanzaboote.nixosModules.lanzaboote ];

  # Encrypted private signing key (the "jericho" key, per the file name).
  age.secrets.secureBootKey.file = ../../../secrets/secure-boot-private-key-jericho.age;

  boot.lanzaboote.enable = true;
  # Cap the number of signed generations kept installed in the boot menu.
  boot.lanzaboote.configurationLimit = 50;
  # Public half of the db key; committing it is safe.
  boot.lanzaboote.publicKeyFile = ./secure-boot/db.pem;
  # BUG: the bootloader installation runs before/without the activation script,
  # so this key may not exist unless the system has been activated beforehand
  # (i.e. the secret was already decrypted on a previous switch).
  # NOTE(review): confirm the actual ordering for the lanzaboote/agenix
  # versions in use before relying on a first-boot install succeeding.
  boot.lanzaboote.privateKeyFile = signingKey.path;
}