Setup secure boot on x86 linux using lanzaboote

nix/system/linux_x86.nix

@@ -1,4 +1,4 @@
-{ ... }:
+{ pkgs, lib, ... }:
 {
   imports = [
     ./hardware-configuration.nix
@@ -7,13 +7,23 @@
 
   boot = {
     loader = {
-      systemd-boot.enable = true;
+      systemd-boot.enable = lib.mkForce false; # lanzaboote replaces systemd-boot module
       efi.canTouchEfiVariables = true;
     };
+    lanzaboote = {
+      enable = true;
+      pkiBundle = "/var/lib/sbctl";
+    };
   };
 
   networking.hostName = "walnut-nixos";
 
+  environment = {
+    systemPackages = with pkgs; [
+      sbctl
+    ];
+  };
+
   programs = {
     sway.extraOptions = [
       "--unsupported-gpu"