diff --git a/system/modules/bootloader/default.nix b/system/modules/bootloader/default.nix
index 5674575c..5e7ac3fa 100644
--- a/system/modules/bootloader/default.nix
+++ b/system/modules/bootloader/default.nix
@@ -1,4 +1,5 @@
 {
+ pkgs,
 config,
 lib,
 mylib,
@@ -31,5 +32,20 @@ in {
 device = bootloader.grub.bootDevice;
 };
 })
+ (lib.mkIf (bootloader.loader == "lanzaboote") {
+ environment.systemPackages = with pkgs; [
+ sbctl
+ ];
+
+ # Lanzaboote replaces systemd-boot
+ boot.loader.systemd-boot.enable = lib.mkForce false;
+
+ boot.lanzaboote = {
+ enable = true;
+
+ # WARN: Make sure to persist this if using impermanence!
+ pkiBundle = "/var/lib/sbctl";
+ };
+ })
 ]);
 }
diff --git a/system/modules/bootloader/options.nix b/system/modules/bootloader/options.nix
index 666c9b3e..1b411105 100644
--- a/system/modules/bootloader/options.nix
+++ b/system/modules/bootloader/options.nix
@@ -9,6 +9,7 @@
 type = lib.types.enum [
 "grub"
 "systemd-boot"
+ "lanzaboote"
 ];
 description = "What boot loader to use";
 example = "systemd-boot";
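Review bot: In the lanzaboote branch of system/modules/bootloader/default.nix, the `# WARN` comment above `pkiBundle` understates what lives in `/var/lib/sbctl`: that is where sbctl keeps the private Secure Boot signing keys, so a persisted copy that is readable by non-root users or sits on unencrypted storage lets anyone with that access sign boot images the firmware will accept. I would spell that out, e.g. `# Holds the private Secure Boot signing keys: persist it root-only on encrypted storage, never in the repo or the Nix store.` It is also worth one line saying that this branch only signs the boot artifacts, `# Secure Boot is enforced only once the keys are enrolled and it is enabled in firmware; verify with "sbctl status".` The `boot.lanzaboote` options presumably come from the lanzaboote module imported elsewhere, which this diff does not show, and the enclosing list opens before the hunk.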