{ config, lib, pkgs, ... }:

let
  # Kernel package set for this host. pkgs.linuxPackages is the nixpkgs
  # default series; pkgs.linuxPackages_latest would select the newest one.
  kernelPkgs = pkgs.linuxPackages;

  # Path of the sops-managed clevis JWE token for the NAS pool. It is used
  # twice below (early-boot unlock and /etc), so it is bound once here.
  nasPoolJwe = config.sops.secrets."jallen-nas/nas_pool".path;
in
{
  boot = {
    # EFI boot: the ESP is mounted at /boot and the bootloader installer
    # is allowed to write EFI boot entries (NVRAM variables).
    loader.efi = {
      canTouchEfiVariables = true;
      efiSysMountPoint = "/boot";
    };

    # Runtime sysctls. IPv4 and IPv6 forwarding are switched on here; the
    # firewall rules deciding what may actually be forwarded are not part
    # of this file.
    kernel.sysctl = {
      "net.ipv4.ip_forward" = 1;
      "net.ipv6.conf.all.forwarding" = 1;
      "vm.swappiness" = 60;
    };

    kernelPackages = kernelPkgs;
    kernelParams = [ "nohibernate" ];
    consoleLogLevel = 3;
    bootspec.enable = true;
    # Force plymouth off even if another module turns it on.
    plymouth.enable = lib.mkForce false;

    initrd = {
      # TPM drivers must be in the initrd so the clevis/tpm2 unlock can run
      # before the root filesystem is mounted.
      kernelModules = [ "tpm" "tpm_tis" "tpm_crb" "tpm_infineon" ];
      systemd.enable = true;
      systemd.tpm2.enable = true;

      # Unlock the NAS pool in early boot with the clevis-bound token.
      # NOTE(review): whether secretFile is read when the initrd is built
      # (so the sops path has to exist on the build host) or when the
      # system is activated depends on the clevis module of the nixpkgs
      # revision in use — confirm before building on a remote builder.
      clevis.enable = true;
      clevis.devices."/dev/disk/by-label/nas_pool".secretFile = nasPoolJwe;
    };

    # Let aarch64-linux binaries run on this host
    # (e.g. `--argstr system aarch64-linux`).
    binfmt.emulatedSystems = [ "aarch64-linux" ];
  };

  # Expose the same token under /etc for use after boot; it points at the
  # sops-managed path bound above, not at a copy in the Nix store.
  environment.etc."clevis/nas_pool.jwe".source = nasPoolJwe;
}