nixos-blueprint/hosts/dunamis/boot/default.nix

{
  inputs,
  pkgs,
  ...
}: {
  imports = with inputs;
    [
      chaotic.nixosModules.default
      lanzaboote.nixosModules.lanzaboote
    ]
    ++ [
      ./loader.nix
    ];
  boot = {
    plymouth.enable = true;
    consoleLogLevel = 0;
    kernelPackages = pkgs.linuxPackages_cachyos;
    kernelParams = [
      "amd_iommu=force_isolation"
      "debugfs=off"
      "efi=disable_early_pci_dma"
      "gather_data_sampling=force"
      "intel_iommu=on"
      "iommu.passthrough=0"
      "iommu.strict=1"
      "iommu=force"
      "page_alloc.shuffle=1"
      "vsyscall=none"
      # "ia32_emulation=0"
      # "lockdown=confidentiality"
      # "module.sig_enforce=1"
    ];
    initrd = {
      systemd.enable = true; # needed for auto-unlocking with TPM
      systemd.tpm2.enable = true;
    };
  };
}