{ pkgs, lib, config, ... }:

let
  inherit (lib) mkEnableOption mkOption mkIf optional types;

  cfg = config.global.boot;

  # Where the lanzaboote PKI bundle lives. It is placed under /nix/persist,
  # presumably so it survives reboots on an impermanent root — confirm.
  # NOTE(review): this directory holds the Secure Boot signing material;
  # keep it root-only on the host and back it up out of band.
  sbPath = "/nix/persist/lanzaboote";
in
{
  options.global.boot = {
    # Enabled by default: a host opts *out* of bootloader management.
    enable = mkEnableOption "bootloader installation and maintenance" // {
      default = true;
    };

    # systemd-boot and lanzaboote both install a boot loader, so the
    # systemd-boot default simply mirrors the inverse of lanzaboote.
    systemd-boot = mkEnableOption "generation selection via systemd-boot" // {
      default = !cfg.lanzaboote;
    };

    lanzaboote = mkEnableOption "secure boot maintenance via lanzaboote";

    # null means "no memtest= kernel parameter at all".
    memtest = mkOption {
      type = types.nullOr types.int;
      default = null;
      description = "memtest passes to perform on boot";
    };
  };

  config = mkIf cfg.enable {
    boot = {
      initrd.systemd.enable = true;

      lanzaboote = {
        enable = cfg.lanzaboote;
        pkiBundle = sbPath;
      };

      loader = {
        systemd-boot.enable = cfg.systemd-boot;
        efi.canTouchEfiVariables = true;
      };

      tmp.cleanOnBoot = true;

      # Emit memtest=<passes> only when a pass count was requested.
      kernelParams =
        optional (cfg.memtest != null) "memtest=${toString cfg.memtest}";
    };

    # sbctl reads its key bundle from /etc/secureboot; point that at the
    # persisted bundle. Both the symlink and sbctl itself are installed even
    # when cfg.lanzaboote is off — presumably so keys can be created before
    # lanzaboote is switched on; verify that is intended.
    environment.etc.secureboot.source = sbPath;
    environment.systemPackages = [ pkgs.sbctl ];
  };
}