diff --git a/lib/modules/os.nix b/lib/modules/os.nix
index d5ed8e54..ff661b02 100644
--- a/lib/modules/os.nix
+++ b/lib/modules/os.nix
@@ -25,7 +25,20 @@
                 ];
               };
 
-              linuxVariant = osVariant.extendModules { };
+              linuxVariant = osVariant.extendModules {
+                modules = [
+                  ({ ... }: {
+                    options = {
+                      secureBoot = mkOption {
+                        type = types.bool;
+                        description = "A value indicating whether the system supports Secure Boot.";
+                        default = false;
+                      };
+                    };
+                  })
+                ];
+              };
+
               windowsVariant = osVariant.extendModules { };
             in {
               options = {
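Review bot: The `description` on the new `secureBoot` option says the system "supports" Secure Boot, but the deploy.fish change in this commit uses the value as a switch that runs the SecureBoot installer, which deletes and recreates EFI boot entries. Someone setting it to `true` on hardware that merely supports Secure Boot would trigger those changes without expecting them. I would word it as an opt-in, e.g. `description = "Whether to install and configure Secure Boot support during deployment.";`. The surrounding `let` block starts and ends outside this hunk.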
diff --git a/profiles/machines/manuel/DerGeret/config.nix b/profiles/machines/manuel/DerGeret/config.nix
index 3f67fcb6..c93b195b 100644
--- a/profiles/machines/manuel/DerGeret/config.nix
+++ b/profiles/machines/manuel/DerGeret/config.nix
@@ -6,6 +6,7 @@
   config = {
     valhalla = {
       hostname = lib.mkDefault "der-geret";
+      linux.secureBoot = true;
 
       windows = {
         dualboot = {
diff --git a/profiles/machines/manuel/ManuSurface/config.nix b/profiles/machines/manuel/ManuSurface/config.nix
index abce2810..5f59a796 100644
--- a/profiles/machines/manuel/ManuSurface/config.nix
+++ b/profiles/machines/manuel/ManuSurface/config.nix
@@ -6,6 +6,7 @@
   config = {
     valhalla = {
       hostname = "manu-surface";
+      linux.secureBoot = true;
       partition.os.deviceName = "nvme0n1";
     };
   };
diff --git a/scripts/Arch/Config/SecureBoot/main.fish b/scripts/Arch/Config/SecureBoot/main.fish
new file mode 100755
index 00000000..be5c3fcc
--- /dev/null
+++ b/scripts/Arch/Config/SecureBoot/main.fish
@@ -0,0 +1,35 @@
+#!/bin/env fish
+begin
+    set -l dir (status dirname)
+    source "$dir/../../Scripts/software.fish"
+
+    function installSW -V dir
+        yayinst secureboot-grub
+    end
+
+    function configureSW -V dir
+        source "$dir/../../../Common/Scripts/config.fish"
+        set -l label (getConfig valhalla.boot.label)
+        set -l efiDir (getConfig valhalla.boot.efiMountPoint)
+        set -l bootNums (efibootmgr | sed "/$label/{ s/^.*Boot\([[:digit:]]\+\)\*.*\$/\1/; p; }; d")
+
+        for bootNum in $bootNums
+            sudo efibootmgr --delete-bootnum --bootnum $bootNum
+        end
+
+        sudo sed -i \
+            -e "/esp=/{" \
+                -e "a esp=\"$efiDir\"" \
+                -e "d" \
+            -e "}" \
+            -e "/bootloader_id=/{" \
+                -e "a bootloader_id=\"$label\"" \
+                -e "d" \
+            -e "}" \
+            /etc/secureboot.conf
+
+        sudo secure-grub-install
+    end
+
+    runInstaller $argv
+end
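Review bot: The `bootNums` extraction in `configureSW` can pass a whole efibootmgr output line to `efibootmgr --delete-bootnum`, because `p` runs even when the substitution did not match, and `[[:digit:]]` does not match hexadecimal boot numbers (constructed example: `Boot000A`). `$label` is also spliced into the sed address as an unanchored, unescaped regex, so any entry whose line merely contains the label is selected for deletion. I would print only on a successful match and anchor the label at the start of the entry name, e.g. `set -l bootNums (efibootmgr | sed -n "s/^Boot\([[:xdigit:]]\+\)\*\? $label.*/\1/p")`, with regex metacharacters in the label escaped first; an exact comparison of the name would be stricter still. The entries are removed before `sudo secure-grub-install` is known to have succeeded, so a failed install may leave the machine without its boot entry; installing first, or checking the exit status, would be safer.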
diff --git a/scripts/Arch/Scripts/deploy.fish b/scripts/Arch/Scripts/deploy.fish
index 30056674..b90b73a6 100644
--- a/scripts/Arch/Scripts/deploy.fish
+++ b/scripts/Arch/Scripts/deploy.fish
@@ -14,7 +14,11 @@ function deploySoftware -d "Deploys a the specified software action" -a action
         end
     )
 
-    if collectionActive essential
+    if getConfig valhalla.linux.secureBoot --json | jq --exit-status > /dev/null
+        source "$dir/../Config/SecureBoot/main.fish" $argv
+    end
+
+    and if collectionActive essential
         if $isInstall
             yayinst \
                 mkinitcpio-firmware \