diff --git a/hosts/muskduck/default.nix b/hosts/muskduck/default.nix
index bdaeb3e..9703476 100644
--- a/hosts/muskduck/default.nix
+++ b/hosts/muskduck/default.nix
@@ -1,8 +1,20 @@
-{
+{lib, ...}:
+with lib; {
 # Kernel modules.
 boot.initrd.availableKernelModules = ["xhci_pci" "nvme" "usb_storage" "sd_mod"];
 boot.kernelModules = ["kvm-intel"];
+ # Enable lanzaboote & secure boot.
+ boot.initrd.systemd.enable = true;
+ boot.loader.systemd-boot.enable = mkForce false;
+ boot.bootspec.enable = true;
+
+ boot.lanzaboote = {
+ enable = true;
+ pkiBundle = "/var/lib/sbctl";
+ settings.timeout = 0;
+ };
+
 # Full disk encryption.
 boot.initrd.luks.devices."nvme0n1p2_crypt".device = "/dev/disk/by-uuid/7196bd89-099f-4e9e-80e5-3d6d555272b1";
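Review bot: The comment `# Enable lanzaboote & secure boot.` overstates what the added lines do: `boot.lanzaboote.enable = true` only makes the build sign the boot files with the keys under `pkiBundle`, and Secure Boot is enforced only once those keys are enrolled in the firmware and Secure Boot is switched on there. I would reword it to `# Sign boot files with lanzaboote; Secure Boot is enforced only after the sbctl keys are enrolled in firmware.` and add above `pkiBundle` a line such as `# Private signing keys: keep root-only and on the encrypted volume.`, since whether `/var/lib/sbctl` sits on the LUKS device is not visible from this hunk. As a smaller style point, `with lib;` on the new second line pulls the whole library into scope for a single `mkForce`; writing `lib.mkForce false` keeps name resolution explicit. The attribute set continues past the end of the hunk.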