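# NixOS module: quiet/graphical boot (Plymouth), Secure Boot via Lanzaboote
# (signed UKIs, keys managed with sbctl) and TPM 2.0 userland support.
#
# Defect fixed: the kernel parameter `boot.shell_on_fail` was passed on the
# command line. It is read by the *scripted* stage 1 and, when honoured, drops
# to an unauthenticated root shell in the initrd on any boot failure -- which
# undermines the Secure Boot / TPM unlock chain configured below (the shell
# runs after the TPM has already released secrets to the initrd). With
# `boot.initrd.systemd.enable = true` the systemd stage 1 does not consult it
# at all; the systemd-initrd equivalent is `boot.initrd.systemd.emergencyAccess`,
# which defaults to false (no emergency shell) and is left at that default here.
{ config, pkgs, lib, ... }:

{
  imports = [ ];

  boot = {
    # Suppress kernel console output; the command line below is baked into the
    # signed UKI by Lanzaboote, so it cannot be edited at the boot menu.
    consoleLogLevel = 0;
    kernelParams = [
      "quiet"
      "splash"
      "loglevel=0"
      "udev.log_priority=3"
      "vt.global_cursor_default=0"
      "rd.systemd.show_status=auto"
      "rd.udev.log_level=3"
      # NOTE(security): do not add `boot.shell_on_fail` here. If a debug shell
      # is ever needed, enable `boot.initrd.systemd.emergencyAccess` only on a
      # machine where an unauthenticated initrd root shell is acceptable.
      "console=tty1"
    ];

    initrd = {
      verbose = false;
      # systemd-based stage 1; required for the systemd-cryptsetup TPM2 options
      # (`tpm2-device=`, `tpm2-measure-pcr=`) shown in the commented LUKS block.
      systemd.enable = true;
    };

    plymouth = {
      enable = true;
      theme = "bgrt";
      logo = "${pkgs.nixos-icons}/share/icons/hicolor/128x128/apps/nix-snowflake.png";
      font = "${pkgs.dejavu_fonts}/share/fonts/truetype/DejaVuSansMono.ttf";
    };

    # Integrate with Lanzaboote: it replaces the stock boot loaders and signs
    # the unified kernel images with the keys in `pkiBundle`.
    loader.systemd-boot.enable = lib.mkForce false;
    loader.grub.enable = lib.mkForce false;

    lanzaboote = {
      enable = true;
      #pkiBundle = "/etc/secureboot";  # old layout; migrate with `sbctl setup --migrate`
      # Keys are created out-of-band with `sudo sbctl create-keys`.
      # NOTE(security): the Secure Boot signing keys live on the root filesystem
      # at this path; anyone who can read it as root can sign arbitrary boot
      # images. Keep this on an encrypted root and back it up offline.
      pkiBundle = "/var/lib/sbctl";
    };
  };

  fonts.packages = with pkgs; [ dejavu_fonts ];

  # TPM-based LUKS unlock lives in the per-host hardware configuration
  # (hardware-configuration.nix); kept here commented as a template.
  # NOTE(review): unlocking on TPM state alone (no PIN) means the disk opens for
  # whoever boots this exact, signed image -- which PCRs the enrolment binds
  # to is decided at `systemd-cryptenroll` time, not here; confirm that choice
  # and consider `tpm2-with-pin=yes` if an offline-attack window matters.
  # boot.initrd.luks.devices = {
  #   cryptroot = {
  #     device = "/dev/sda2";
  #     crypttabExtraOpts = [
  #       "tpm2-device=auto"
  #       "tpm2-measure-pcr=yes"
  #     ];
  #   };
  # };

  security.tpm2 = {
    enable = true;
    # PKCS#11 module (tpm2-pkcs11) for TPM-backed keys in userland.
    pkcs11.enable = true;
    # Exports the TPM2TOOLS_TCTI / TPM2_PKCS11_TCTI environment for tpm2-tools.
    tctiEnvironment.enable = true;
  };

  environment.systemPackages = with pkgs; [
    sbctl       # create/enroll Secure Boot keys, inspect signing status
    tpm2-tools  # read PCRs, manage NV/objects on the TPM
  ];
}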