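# Secure Boot (lanzaboote signed with sbctl keys) plus TPM2 support for this host.
{ pkgs, lib, ... }:
{
  # sbctl keeps its Secure Boot PKI bundle (including the private signing keys)
  # in this directory, so it has to survive reboots on an impermanent root.
  # NOTE(review): it should only live on encrypted storage — confirm that
  # /persist/save is encrypted.
  environment.persistence."/persist/save".directories = [ "/var/lib/sbctl" ];

  environment.systemPackages = with pkgs; [ sbctl tpm2-tools ];

  boot = {
    # lanzaboote provides the signed boot chain; the stock systemd-boot loader
    # is force-disabled so the two are never configured side by side.
    loader.systemd-boot.enable = lib.mkForce false;
    initrd.systemd.enable = true;
    lanzaboote = {
      enable = true;
      # The same directory persisted above: lanzaboote signs with the keys in it.
      pkiBundle = "/var/lib/sbctl";
    };
  };

  security.tpm2 = {
    enable = true;
    pkcs11.enable = true;
    tctiEnvironment.enable = true;
  };

  environment.shellAliases = {
    # Usage: cryptenroll <device>, e.g. cryptenroll /dev/nvme0n1p3
    #
    # Binds the LUKS TPM2 slot to PCRs 0 (firmware), 2 (option ROMs),
    # 7 (Secure Boot state) and 12 (kernel command line): a firmware update or
    # a change of boot-time peripherals will stop automatic unlock until this
    # is re-run.  --wipe-slot=tpm2 removes only earlier TPM2 slots, so keep a
    # passphrase/recovery slot enrolled as the fallback.  This policy asks for
    # no PIN (systemd-cryptenroll's --tpm2-with-pin=yes would add one).
    cryptenroll = "systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+2+7+12 --wipe-slot=tpm2";
  };
}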