diff --git a/common/default.nix b/common/default.nix
index cd0c15a..8659653 100644
--- a/common/default.nix
+++ b/common/default.nix
@@ -19,6 +19,7 @@ in
 ./audio-sharing.nix
 ./angrr.nix
 ./sops.nix
+ ./secureboot.nix
 ];
 
 services.davfs2.enable = true;
diff --git a/common/secureboot.nix b/common/secureboot.nix
new file mode 100644
index 0000000..63a19a6
--- /dev/null
+++ b/common/secureboot.nix
@@ -0,0 +1,25 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+{
+ options.schmittlauch.secureboot.enable = lib.mkEnableOption "Enable lanzaboote secure boot, make sure keys and firmware are setup correctly.";
+ config = lib.mkIf config.schmittlauch.secureboot.enable {
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ # UEFI secure boot
+ environment.systemPackages = [ pkgs.sbctl ];
+ # Lanzaboote currently replaces the systemd-boot module.
+ # This setting is usually set to true in configuration.nix
+ # generated at installation time. So we force it to false
+ # for now.
+ boot.loader.systemd-boot.enable = lib.mkForce false;
+
+ boot.lanzaboote = {
+ enable = true;
+ pkiBundle = "/var/lib/sbctl";
+ };
+ };
+}
diff --git a/hosts/framenix/default.nix b/hosts/framenix/default.nix
index b3794b8..89ae9b9 100644
--- a/hosts/framenix/default.nix
+++ b/hosts/framenix/default.nix
@@ -84,5 +84,8 @@ in
 unstable.amd-debug-tools
 ];
 
- schmittlauch.audio-sharing.enable = true;
+ schmittlauch = {
+ audio-sharing.enable = true;
+ secureboot.enable = true;
+ };
 }
diff --git a/hosts/thinknix/default.nix b/hosts/thinknix/default.nix
index 431f3ba..53bb6a4 100644
--- a/hosts/thinknix/default.nix
+++ b/hosts/thinknix/default.nix
@@ -12,8 +12,6 @@
 ./hardware-configuration.nix
 ./storage.nix
 ./swap.nix
- # FIXME: move this to common, conditional enabling
- ./secureboot.nix
 ];
 
 hardware.trackpoint = {
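Review bot: `pkiBundle` in the new common/secureboot.nix module points at `/var/lib/sbctl`, whereas the module this commit deletes from hosts/thinknix/secureboot.nix used `/etc/secureboot`, and the thinknix hunk at `@@ -24,7 +22,10 @@` enables `schmittlauch.secureboot.enable` without any migration of the existing key bundle — if thinknix's keys still live at the old path, lanzaboote will look in the wrong directory when it signs the next generation and the rebuild will fail or produce an unsigned boot entry. Either move the bundle before rebuilding, or let a host override the path with `pkiBundle = lib.mkDefault "/var/lib/sbctl";` so thinknix can keep `/etc/secureboot` until it is migrated. Separately, `lib.mkEnableOption` prefixes its argument with "Whether to enable ", so the option description currently renders as "Whether to enable Enable lanzaboote secure boot, …"; something like `lib.mkEnableOption "lanzaboote UEFI secure boot (keys in pkiBundle and firmware must be set up beforehand)"` reads correctly. The `boot.lanzaboote` options come from the lanzaboote NixOS module, which I assume is imported elsewhere in the flake since nothing in this diff adds it.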
@@ -24,7 +22,10 @@ boot.extraModprobeConfig = "options thinkpad_acpi fan_control=1"; # enable fan control via echo to /proc/acpi/ibm/fan
- schmittlauch.guestUser.enable = true;
+ schmittlauch = {
+ guestUser.enable = true;
+ secureboot.enable = true;
+ };
 networking.hostName = "thinknix";
diff --git a/hosts/thinknix/secureboot.nix b/hosts/thinknix/secureboot.nix
deleted file mode 100644
index 657838e..0000000
--- a/hosts/thinknix/secureboot.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{
- config,
- lib,
- pkgs,
- ...
-}:
-{
- boot.loader.efi.canTouchEfiVariables = true;
-
- # UEFI secure boot
- environment.systemPackages = [ pkgs.sbctl ];
- # Lanzaboote currently replaces the systemd-boot module.
- # This setting is usually set to true in configuration.nix
- # generated at installation time. So we force it to false
- # for now.
- boot.loader.systemd-boot.enable = lib.mkForce false;
-
- boot.lanzaboote = {
- enable = true;
- pkiBundle = "/etc/secureboot";
- };
-}