{
  config,
  # inputs,
  lib,
  pkgs,
  ...
}: let
  inherit (lib) mkDefault mkEnableOption mkIf;
  cfg = config.module.config;
in {
  imports = [
    ./boot
    ./hardware
    ./networking
    ./nix
    ./security
    ./programs.nix
    ./services.nix
    ./users.nix
    ./sops.nix
  ];
  options = {
    module.config = {
      tpmDiskUnlock = mkEnableOption "set if luks enrolled in tpm2";
      secureBoot = mkEnableOption "set if secure boot is configured";
      useIwd = mkEnableOption "set to use iwd instead of wpa-supplicant";
      vaapi = lib.mkOption {
        type = lib.types.nullOr (lib.types.enum ["intel-media-driver"]);
        default = null;
      };
    };
  };
  config = lib.mkMerge [
    {
      boot.initrd.systemd.tpm2.enable = mkDefault cfg.tpmDiskUnlock;
      boot.loader.systemd-boot.enable = mkDefault (!cfg.secureBoot);
    }
    (mkIf cfg.useIwd {
      networking = {
        networkmanager.wifi.backend = "iwd";
        wireless.iwd.enable = true;
      };
    })
    (mkIf (cfg.vaapi == "intel-media-driver") {
      hardware.graphics.extraPackages = with pkgs; [
        intel-compute-runtime
        intel-media-driver
        vpl-gpu-rt
      ];
    })
  ];
}