Add secure-boot

options/system/default.nix

@@ -4,6 +4,7 @@ in
 {
   imports = [
     ./impermanence.nix
+    ./secure-boot.nix
   ];
 
   options.myOptions.system = {

options/system/secure-boot.nix

@@ -0,0 +1,23 @@
+{ lib, ... }: with lib; let
+  inherit (lib) mkEnableOption;
+in
+{
+  options.myOptions.system.secure-boot = {
+     enabled = mkEnableOption ''
+      secure-boot using lanzaboote.
+
+      Note that you will need to have UEFI firmware, and the rebuild
+      will report errors until you generate the secure boot keys with:
+      ```shell
+      sudo sbctl create-keys
+      ````
+
+      Optionally (though enabling this is pointless otherwise), you should
+      now enter secure-boot setup mode and enroll the keys:
+      ```shell
+      sudo sbctl enroll-keys -m
+      ```
+      Then reboot, and secure-boot should be enabled.
+     '';
+  };
+}