{
  description = "A SecureBoot-enabled NixOS configurations";

  inputs = {
    nixpkgs.url = "https://flakehub.com/f/NixOS/nixpkgs/*";

    lanzaboote = {
      url = "github:nix-community/lanzaboote/v1.0.0";
      inputs.nixpkgs.follows = "nixpkgs";
    };

    apple-fonts.url= "github:Lyndeno/apple-fonts.nix";
    apple-fonts.inputs.nixpkgs.follows = "nixpkgs";
  };


  outputs = { self, nixpkgs, lanzaboote, apple-fonts, ...}: {
    nixosConfigurations = {
      hermes = nixpkgs.lib.nixosSystem rec {
        system = "x86_64-linux";

        modules = [
          # This is not a complete NixOS configuration and you need to reference
          # your normal configuration here.

          lanzaboote.nixosModules.lanzaboote

          ./configuration.nix
	  ./hardware-configuration.nix

          ({ pkgs, lib, ... }: {
	   nixpkgs.config.allowUnfree = true;
            environment.systemPackages = [
              # For debugging and troubleshooting Secure Boot.
              pkgs.sbctl
            ];

	    fonts.packages = [
	      apple-fonts.packages."x86_64-linux".sf-pro
	    ];

	    nix.settings.experimental-features = [ "nix-command" "flakes" ];
            # Lanzaboote currently replaces the systemd-boot module.
            # This setting is usually set to true in configuration.nix
            # generated at installation time. So we force it to false
            # for now.
            boot.loader.systemd-boot.enable = lib.mkForce false;
	    boot.bootspec.enable = true;
	    boot.initrd.systemd.enable = true;
            boot.lanzaboote = {
              enable = true;
              pkiBundle = "/var/lib/sbctl";
            };
          })
        ];
      };
    };
  };
}