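{ config, pkgs, system, lib, namespace, ... }:
# Common boot settings shared by all hosts: the kvm module, optional x86_64
# emulation on aarch64 hosts via box64, bcachefs support, and optional
# YubiKey-backed LUKS unlocking of the disko-managed root partition.
with lib;
let
  inherit (lib.${namespace}) mkOpt mkBoolOpt;
  cfg = config.${namespace}.boot.common;
  # aarch64-darwin is listed too, although only NixOS consumes this module.
  isArm = ("aarch64-linux" == system) || ("aarch64-darwin" == system);
  # Name of the disko root partition; used both as the LUKS device name and
  # as the by-label path. Evaluated lazily, so it is only read when the
  # yubikey block is actually enabled.
  rootPartitionName = config.disko.devices.disk.main.content.partitions.root.name;
in
{
  options.${namespace}.boot.common = {
    enable = mkBoolOpt true "Enable common boot stuff";
    yubikeyEncryption = mkBoolOpt false "Enable Yubikey root encryption";
    yubikeyGracePeriod = mkOpt types.int 180 "Time to wait for yubikey in seconds";
  };

  config = mkIf cfg.enable {
    boot = {
      kernelModules = [ "kvm" ];

      # Run x86_64 ELF binaries on aarch64 hosts through box64.
      # matchCredentials (binfmt_misc "C" flag) makes the kernel run box64
      # with the credentials of the emulated binary rather than those of the
      # interpreter, so a setuid x86_64 binary keeps its elevated privileges
      # under emulation, as it would natively. openBinary ("O") passes the
      # binary to box64 as an already-open fd.
      binfmt = mkIf isArm {
        registrations."x86_64-linux" = {
          magicOrExtension = ''\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x3e\x00'';
          mask = ''\xff\xff\xff\xff\xff\xfe\xfe\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff'';
          openBinary = true;
          interpreter = getExe pkgs.box64;
          preserveArgvZero = true;
          matchCredentials = true;
          fixBinary = false;
        };
      };

      supportedFilesystems = [ "bcachefs" ];
      consoleLogLevel = mkForce 3;
      # bootspec is disabled on ARM hosts only.
      bootspec.enable = (!isArm);

      initrd = {
        # Earlier clevis/bcachefs auto-unlock experiment, kept for reference.
        # secrets = {
        #   "/etc/clevis/nuc-nixos.jwe" = (lib.snowfall.fs.get-file "secrets/nuc-nixos.jwe");
        # };
        # systemd.services."unlock-disk" = {
        #   enable = false;
        #   path = [
        #     pkgs.clevis
        #     pkgs.bcachefs-tools
        #   ];
        #   script = ''
        #     ${pkgs.clevis}/bin/clevis decrypt < "/etc/clevis/nuc-nixos.jwe"
        #     # | ${pkgs.bcachefs-tools}/bin/bcachefs unlock -k session /dev/disk/by-label/disk-main-nuc-nixos-bcachefs-root
        #   '';
        #   wantedBy = [ "initrd-root-fs.target" ];
        #   requiredBy = [ "initrd-root-fs.target" ];
        #   serviceConfig = {
        #     Type = "oneshot";
        #     TimeoutSec = "10s";
        #   };
        # };
        # clevis = mkIf (config.${namespace}.hardware.disko.filesystem == "bcachefs") {
        #   enable = true;
        # };

        luks = mkIf cfg.yubikeyEncryption {
          devices."${rootPartitionName}" = {
            yubikey = {
              storage = {
                # NOTE(review): NixOS expects `storage.device` to be an
                # unencrypted volume that stage-1 can mount before the LUKS
                # device is unlocked, and `storage.path` to be a file path
                # inside it for the salt/challenge. Here `device` is the
                # root partition itself and `path` is "/" (a directory) —
                # confirm against the host's disko layout before enabling
                # yubikeyEncryption.
                device = "/dev/disk/by-label/${rootPartitionName}";
                fsType = config.${namespace}.hardware.disko.filesystem;
                path = "/";
              };
              slot = 2;
              # Single factor: possession of the YubiKey alone unlocks the
              # root device. Set to true to additionally require a passphrase.
              twoFactor = false;
              # Fix: this was referenced as a bare `yubikeyGracePeriod`,
              # which is not in scope and fails evaluation as soon as
              # yubikeyEncryption is enabled. Read the option value from cfg.
              gracePeriod = cfg.yubikeyGracePeriod;
            };
          };
        };
      };
    };

    zramSwap.enable = mkDefault true;
  };
}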