global: rename from faucet

global/boot/default.nix

@@ -0,0 +1,29 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.global.boot;
+in {
+  options.global.boot = {
+    enable = mkEnableOption "bootloader installation and maintenance" // { default = true; };
+    systemd-boot = mkEnableOption "generation selection via systemd-boot" // { default = !cfg.lanzaboote; };
+    lanzaboote = mkEnableOption "secure boot maintenance via lanzaboote";
+  };
+
+  config = let
+    sbPath = "/nix/persist/lanzaboote";
+  in mkIf cfg.enable {
+    boot = {
+      initrd.systemd.enable = true;
+      lanzaboote.enable = cfg.lanzaboote;
+      lanzaboote.pkiBundle = sbPath;
+      loader.systemd-boot.enable = cfg.systemd-boot;
+      loader.efi.canTouchEfiVariables = true;
+      tmp.cleanOnBoot = true;
+    };
+
+    # symlink for sbctl
+    environment.etc.secureboot.source = sbPath;
+    environment.systemPackages = [ pkgs.sbctl ];
+  };
+}