{ pkgs, lib, config, ... }:

let
  bootCfg = config.global.boot;

  # Persistent location of the lanzaboote PKI bundle used for Secure Boot.
  pkiBundlePath = "/nix/persist/lanzaboote";
in
{
  # Bootloader module: systemd-boot for generation selection, optionally
  # lanzaboote for Secure Boot, plus an optional memtest kernel parameter.
  options.global.boot = {
    enable = lib.mkEnableOption "bootloader installation and maintenance" // {
      default = true;
    };

    # systemd-boot stays on by default unless lanzaboote takes over the loader.
    systemd-boot = lib.mkEnableOption "generation selection via systemd-boot" // {
      default = !bootCfg.lanzaboote;
    };

    lanzaboote = lib.mkEnableOption "secure boot maintenance via lanzaboote";

    # null means no memtest= parameter is added to the kernel command line.
    memtest = lib.mkOption {
      type = lib.types.nullOr lib.types.int;
      default = null;
      description = "memtest passes to perform on boot";
    };
  };

  config = lib.mkIf bootCfg.enable {
    boot = {
      initrd.systemd.enable = true;

      lanzaboote = {
        enable = bootCfg.lanzaboote;
        pkiBundle = pkiBundlePath;
      };

      loader = {
        systemd-boot.enable = bootCfg.systemd-boot;
        # Lets the bootloader installer write EFI variables (boot entries).
        efi.canTouchEfiVariables = true;
      };

      tmp.cleanOnBoot = true;

      # Only emit memtest=<n> when a pass count was configured.
      kernelParams =
        lib.optional (bootCfg.memtest != null) "memtest=${toString bootCfg.memtest}";
    };

    # Expose the bundle at /etc/secureboot, the location sbctl expects by default.
    # NOTE(review): the bundle holds the Secure Boot signing keys; confirm the
    # persistent directory is readable by root only.
    environment.etc.secureboot.source = pkiBundlePath;
    environment.systemPackages = [ pkgs.sbctl ];
  };
}