diff --git a/faucet/boot/default.nix b/faucet/boot/default.nix
new file mode 100644
index 00000000..4df70fd5
--- /dev/null
+++ b/faucet/boot/default.nix
@@ -0,0 +1,28 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+ cfg = config.faucet.boot;
+in {
+ options.faucet.boot = {
+ enable = mkEnableOption "bootloader installation and maintenance" // { default = true; };
+ systemd-boot = mkEnableOption "generation selection via systemd-boot" // { default = !cfg.lanzaboote; };
+ lanzaboote = mkEnableOption "secure boot maintenance via lanzaboote";
+ };
+
+ config = let
+ sbPath = "/nix/persist/lanzaboote";
+ in mkIf cfg.enable {
+ boot = {
+ initrd.systemd.enable = true;
+ lanzaboote.enable = cfg.lanzaboote;
+ lanzaboote.pkiBundle = sbPath;
+ loader.systemd-boot.enable = cfg.systemd-boot;
+ loader.efi.canTouchEfiVariables = true;
+ };
+
+ # symlink for sbctl
+ environment.etc.secureboot = mkIf cfg.lanzaboote { source = sbPath; };
+ #environment.systemPackages = optional cfg.lanzaboote pkgs.sbctl;
+ };
+}
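Review bot: Nothing stops a user from setting both `faucet.boot.systemd-boot` and `faucet.boot.lanzaboote` to true, in which case the `boot = { ... }` attrset enables `boot.lanzaboote.enable` and `boot.loader.systemd-boot.enable` at the same time; the `default = !cfg.lanzaboote` only covers the unset case, and whether the upstream lanzaboote module rejects that combination itself I cannot tell from here. I would make the exclusion explicit inside the `mkIf cfg.enable` body: `assertions = [ { assertion = !(cfg.systemd-boot && cfg.lanzaboote); message = "faucet.boot: systemd-boot and lanzaboote are mutually exclusive"; } ];`. The `sbPath` binding also deserves a comment, since `boot.lanzaboote.pkiBundle` and the `/etc/secureboot` symlink both point at it and the `# symlink for sbctl` comment implies it holds the Secure Boot signing keys: `# PKI bundle with the Secure Boot signing keys (created out of band with sbctl); must exist before the first lanzaboote build`. Setting `lanzaboote.pkiBundle` unconditionally while `lanzaboote.enable` is gated on `cfg.lanzaboote` is harmless but inconsistent; wrapping the pair in `mkIf cfg.lanzaboote` would read more clearly. The whole module is contained in this hunk.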