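{ config, lib, pkgs, inputs, ... }:
{
  imports = [ inputs.lanzaboote.nixosModules.lanzaboote ];

  boot = {
    # lanzaboote takes over the bootloader role; force the plain systemd-boot
    # entry off so the two modules do not both try to manage the ESP.
    loader.systemd-boot.enable = lib.mkForce false;
    lanzaboote = {
      enable = true;
      # sbctl expects the bundle at /var/lib/sbctl; muffin uses /etc/secureboot
      # because it is wiped on every activation there (impermanence) — desktops
      # extract to the historical sbctl path so existing tooling keeps working.
      pkiBundle = "/var/lib/sbctl";
    };
  };

  system.activationScripts = {
    # Extract the secureboot PKI bundle from the agenix-decrypted tar. Mirrors
    # modules/server-lanzaboote-agenix.nix; skip when keys are already present
    # (e.g., disko-install staged them via --extra-files).
    #
    # Ordered after the "agenix" activation step so the decrypted tar exists
    # when we run. The text is spliced into the generated activation script
    # (which runs under bash, so [[ ]] is fine) — hence no shebang here. The
    # body runs in a subshell so umask/set -e do not leak into later steps.
    "secureboot-keys" = {
      deps = [ "agenix" ];
      text = ''
        (
          # Abort on the first failing command. Without this a failed tar is
          # masked by the trailing chown/chmod succeeding, and the subshell —
          # and thus the activation step — would report success with an empty
          # or partial bundle.
          set -e
          # Nothing created by install/tar may be group/world readable, not
          # even transiently before the final permission fix-up below.
          umask 077
          # NOTE(review): lanzaboote's sbctl layout keeps the signing key at
          # keys/db/db.key below pkiBundle; confirm the tar is flat (db.key at
          # the top level). If it is not, this check never matches and the
          # bundle is wiped and re-extracted on every activation, discarding
          # anything sbctl wrote there in the meantime.
          if [[ -d ${config.boot.lanzaboote.pkiBundle} && -f ${config.boot.lanzaboote.pkiBundle}/db.key ]]; then
            echo "secureboot keys already present, skipping extraction"
          else
            echo "extracting secureboot keys from agenix"
            # Start from a clean directory; a missing one is not an error.
            rm -fr ${config.boot.lanzaboote.pkiBundle} || true
            install -d -o root -g wheel -m 0500 ${config.boot.lanzaboote.pkiBundle}
            ${pkgs.gnutar}/bin/tar xf ${config.age.secrets.secureboot-tar.path} -C ${config.boot.lanzaboote.pkiBundle}
          fi
          # Normalise ownership and modes on every activation, including the
          # "already present" path, so staged keys end up root-only too.
          chown -R root:wheel ${config.boot.lanzaboote.pkiBundle}
          # Directories r-x, files r--, owner only. The previous "chmod -R 500"
          # also set the execute bit on the private key files themselves.
          ${pkgs.findutils}/bin/find ${config.boot.lanzaboote.pkiBundle} -type d -exec chmod 0500 {} +
          ${pkgs.findutils}/bin/find ${config.boot.lanzaboote.pkiBundle} -type f -exec chmod 0400 {} +
        )
      '';
    };
  };
}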