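# NixOS module: opt-in wrapper around lanzaboote (UEFI Secure Boot signing of
# the boot chain), exposed as `<namespace>.bootloader.lanzaboote`.
#
# NOTE(review): the `boot.lanzaboote.*` options are declared by the upstream
# lanzaboote NixOS module; this file assumes that module is imported
# elsewhere — confirm.
{
  config,
  lib,
  namespace,
  ...
}:
with lib;
let
  cfg = config.${namespace}.bootloader.lanzaboote;
  # Project-local option helper; presumably `mkOpt type default description`
  # — verify against lib.${namespace}.
  inherit (lib.${namespace}) mkOpt;
in
{
  options.${namespace}.bootloader.lanzaboote = {
    # mkEnableOption prepends "Whether to enable ", so pass only the noun
    # phrase (the previous text rendered as "Whether to enable enable ...").
    enable = mkEnableOption "lanzaboote (UEFI Secure Boot)";
    configLimit = mkOpt types.int 10 "Number of boot items to keep";
  };

  config = mkIf cfg.enable {
    assertions = [
      {
        # A limit of zero or less is rejected at evaluation time rather than
        # being passed on to boot.lanzaboote.configurationLimit.
        assertion = cfg.configLimit > 0;
        # Build the option path from `namespace` so the message stays correct
        # if the module is reused under another namespace.
        message = "${namespace}.bootloader.lanzaboote.configLimit must be a positive integer (got ${toString cfg.configLimit}).";
      }
    ];

    boot = {
      loader = {
        efi = {
          # Allows the boot loader installer to write EFI variables (boot entries).
          canTouchEfiVariables = true;
          efiSysMountPoint = "/boot";
        };
        # NOTE(review): the upstream lanzaboote quick start also sets
        # `boot.loader.systemd-boot.enable = lib.mkForce false;` because
        # lanzaboote takes over boot loader installation. It is not set here —
        # confirm systemd-boot is disabled elsewhere when this module is on.
      };

      lanzaboote = {
        enable = true;
        # Directory holding the Secure Boot key material, including the private
        # signing key. It is a plain path outside the Nix store (the store is
        # world-readable). Keep it root-only and backed up: whoever can read
        # the private key can sign boot images this machine's firmware trusts.
        pkiBundle = "/etc/secureboot";
        settings = {
          # systemd-boot loader.conf setting: use the highest available console mode.
          console-mode = "max";
        };
        # Retained generations stay bootable, so a lower limit also bounds how
        # far back an outdated kernel/initrd can still be selected at boot.
        configurationLimit = cfg.configLimit;
      };
    };

    # NOTE(review): enabling this module does not by itself enforce Secure
    # Boot. The keys must be enrolled and Secure Boot switched on in firmware;
    # check the result with `sbctl status` or `bootctl status`.
  };
}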