# NixOS module for bootloader installation and maintenance.
#
# Options under `faucet.boot`:
#   enable        - whole module on/off (default: on)
#   systemd-boot  - generation selection via systemd-boot
#                   (default: on unless lanzaboote is selected)
#   lanzaboote    - secure boot maintenance via lanzaboote (default: off)
#
# When enabled it turns on the systemd initrd, wires lanzaboote to a persistent
# PKI bundle path, configures the EFI loader and exposes sbctl.
{ pkgs, lib, config, ... }:
let
  inherit (lib) mkEnableOption mkIf;

  cfg = config.faucet.boot;

  # Persistent location of the PKI bundle handed to lanzaboote.
  # NOTE(review): presumably this directory holds the Secure Boot signing
  # keys — it should stay root-owned and is not gated on cfg.lanzaboote so
  # that keys can be created there before lanzaboote is switched on.
  pkiBundlePath = "/nix/persist/lanzaboote";

  # mkEnableOption defaults to false; override the default where needed.
  # The systemd-boot default is evaluated lazily against cfg, so it tracks
  # whatever the user sets for `lanzaboote`.
  bootOptions = {
    enable = mkEnableOption "bootloader installation and maintenance" // {
      default = true;
    };
    systemd-boot = mkEnableOption "generation selection via systemd-boot" // {
      default = !cfg.lanzaboote;
    };
    lanzaboote = mkEnableOption "secure boot maintenance via lanzaboote";
  };
in
{
  options.faucet.boot = bootOptions;

  config = mkIf cfg.enable {
    boot = {
      initrd.systemd.enable = true;

      lanzaboote = {
        enable = cfg.lanzaboote;
        pkiBundle = pkiBundlePath;
      };

      loader = {
        systemd-boot.enable = cfg.systemd-boot;
        efi.canTouchEfiVariables = true;
      };

      tmp.cleanOnBoot = true;
    };

    # Symlink for sbctl: /etc/secureboot points at the same persistent bundle
    # lanzaboote uses, so key material managed with sbctl lands there too
    # (presumably sbctl looks for its keys under /etc/secureboot — verify
    # against the sbctl version in pkgs).
    environment.etc.secureboot.source = pkiBundlePath;

    environment.systemPackages = [ pkgs.sbctl ];
  };
}