{
  config,
  inputs,
  lib,
  pkgs,
  ...
}: let
  inherit (lib) mkDefault mkEnableOption mkIf;
  inherit (config.networking) hostName;
  cfg = config.module.config;
in {
  imports = [
    ./boot
    ./hardware
    ./networking
    ./nix
    ./programs.nix
    ./services.nix
    ./users.nix
    ./sops.nix
  ];
  options = {
    module.config = {
      tpmDiskUnlock = mkEnableOption "set if luks enrolled in tpm2";
      secureBoot = mkEnableOption "set if secure boot is configured";
      useIwd = mkEnableOption "set to use iwd instead of wpa-supplicant";
      vaapi = lib.mkOption {
        type = lib.types.enum ["intel-media-driver"];
        default = "intel-media-driver";
      };
    };
  };
  config =
    mkIf (cfg.vaapi
      == "intel-media-driver") {
      hardware.graphics.extraPackages = with pkgs; [
        intel-compute-runtime
        intel-media-driver
        vpl-gpu-rt
      ];
    }
    // mkIf cfg.tpmDiskUnlock {
      initrd.systemd.tpm2.enable = mkDefault true;
    }
    // mkIf cfg.useIwd {
      networking = {
        networkmanager.wifi.backend = "iwd";
        wireless.iwd.enable = true;
      };
    }
    // {
      boot.loader.systemd-boot.enable =
        if cfg.secureBoot
        then false
        else true;
    };
}