{ pkgs, config, inputs, ... }:
{
  # Boot module: Secure Boot through lanzaboote, enforced IOMMU isolation,
  # a hardened kernel command line, and a systemd-based initrd.
  imports = [
    inputs.chaotic.nixosModules.default
    inputs.lanzaboote.nixosModules.lanzaboote
  ];

  # Kernel selection. The stock "latest" kernel is kept as a commented-out
  # alternative; linuxPackages_cachyos is expected to come from the chaotic
  # module imported above.
  # boot.kernelPackages = pkgs.linuxPackages_latest;
  boot.kernelPackages = pkgs.linuxPackages_cachyos;

  # Keep kernel messages off the console; plymouth draws the splash instead.
  boot.consoleLogLevel = 0;

  # AMD virtualization support, loaded at boot.
  boot.kernelModules = [ "kvm-amd" ];

  # Kernel command line. Order is preserved from the original list; entries
  # that are commented out are options the author has tried or considered
  # but deliberately left inactive.
  boot.kernelParams = [
    # Speculative-execution mitigations beyond the kernel defaults — inactive.
    # "mitigations=auto"
    # "spectre_v2=on"
    # "spectre_v2_user=on"
    # "spectre_bhi=on"
    # "spec_store_bypass_disable=on"
    # "tsx=off"
    # "kvm.nx_huge_pages=force"
    # "l1d_flush=on"

    # Put every device in its own IOMMU domain (AMD); no shared default domain.
    "amd_iommu=force_isolation"
    # Do not mount debugfs, so no debug interfaces are exposed at runtime.
    "debugfs=off"
    # Have the EFI stub disable bus-mastering DMA early, before the IOMMU is up.
    "efi=disable_early_pci_dma"
    # Force the Gather Data Sampling mitigation (may disable AVX on affected CPUs).
    "gather_data_sampling=force"
    # "ia32_emulation=0"
    # Intel counterpart of the isolation setting above; harmless on AMD hosts.
    "intel_iommu=on"
    # No identity-mapped (passthrough) default domain for devices.
    "iommu.passthrough=0"
    # Strict IOTLB invalidation: unmapped DMA ranges become unreachable immediately.
    "iommu.strict=1"
    # Keep the IOMMU on even where firmware/kernel heuristics would skip it.
    "iommu=force"
    # Kernel lockdown and enforced module signing are inactive. NOTE(review):
    # enabling them requires every module to be signed with a key the kernel
    # trusts, which this file does not configure — confirm before turning on.
    # "lockdown=confidentiality"
    # "module.sig_enforce=1"
    # Randomise the page allocator free lists.
    "page_alloc.shuffle=1"
    # "reg_file_data_sampling=on"
    # "spec_rstack_overflow=safe-ret"
    # Remove the legacy vsyscall page entirely.
    "vsyscall=none"
  ];

  # Storage and input drivers the initrd needs to reach the root device.
  boot.initrd.availableKernelModules = [
    "xhci_pci"
    "ahci"
    "nvme"
    "usbhid"
    "usb_storage"
    "sd_mod"
  ];
  # systemd in the initrd: needed for auto-unlocking with the TPM.
  # NOTE(review): the TPM enrollment itself is not configured in this file.
  boot.initrd.systemd.enable = true;

  boot.loader.efi.canTouchEfiVariables = true;

  # systemd-boot is only the active loader when lanzaboote is not; with
  # lanzaboote enabled below this evaluates to false.
  boot.loader.systemd-boot.enable = !config.boot.lanzaboote.enable;
  boot.loader.systemd-boot.consoleMode = "auto";

  # Secure Boot: lanzaboote signs the boot chain with the sbctl key bundle.
  boot.lanzaboote.enable = true;
  boot.lanzaboote.pkiBundle = "/var/lib/sbctl";

  boot.plymouth.enable = true;
}