nix-config/systems/x86_64-linux/nas/boot.nix

{ config, lib, pkgs, ... }:
let
  configLimit = 50;
  kernel = pkgs.linuxPackages; # linuxPackages_latest;
in
{
  # Configure bootloader with lanzaboot and secureboot
  boot = {
    kernelModules = [ "nct6775" ];
    loader = {
      systemd-boot = {
        enable = false;
        configurationLimit = configLimit;
      };

      efi = {
        canTouchEfiVariables = true;
        efiSysMountPoint = "/boot";
      };
    };

    kernel.sysctl = {
      "net.ipv4.ip_forward" = 1;
      "net.ipv6.conf.all.forwarding" = 1;
      "vm.swappiness" = 60;
    };

    # Override kernel to latest
    kernelPackages = kernel;

    kernelParams = [
      "nohibernate"
    ];

    consoleLogLevel = 3;
    bootspec.enable = true;

    plymouth.enable = lib.mkForce false;

    initrd = {
      kernelModules = [
        "tpm"
        "tpm_tis"
        "tpm_crb"
        "tpm_infineon"
      ];
      systemd = {
        enable = true;
        # tpm2.enable = true;
        tpm2.enable = true;
      };
      clevis = {
        enable = true;
        devices = {
          "/dev/disk/by-label/nas_pool".secretFile = config.sops.secrets."jallen-nas/nas_pool".path;
        };
      };
    };

    # Enable binfmt emulation for ARM
    binfmt.emulatedSystems = [ "aarch64-linux" ]; # --argstr system aarch64-linux
  };

  environment.etc."clevis/nas_pool.jwe".source = config.sops.secrets."jallen-nas/nas_pool".path;

  zramSwap = {
    enable = true;
  };
}