# NixOS module: declares the LUKS volumes to unlock in the initrd and, unless
# `enableSystemdBoot` is turned off, boots through lanzaboote with sbctl
# installed for key management.
{ lib, config, pkgs, ... }:

let
  inherit (lib) mkIf mkOption types;

  # Shape of one entry in `luksDevices`.
  luksDevicesModule = types.submodule {
    options = {
      # Becomes the attribute name under boot.initrd.luks.devices.
      name = mkOption {
        type = types.str;
        description = '' The partition name. '';
      };

      # Spliced verbatim into /dev/disk/by-uuid/<value>. types.str accepts any
      # string, so a typo or a stray path component is not caught at
      # evaluation time.
      deviceUUID = mkOption {
        type = types.str;
        description = '' The partition device UUID. '';
      };

      # Forwarded unchanged as the device's `preLVM` setting.
      isPreLVM = mkOption {
        type = types.bool;
        default = false;
        example = true;
        description = '' Whether the decrypted partition will be a LVM device. '';
      };
    };
  };

  # Turns one `luksDevices` entry into the name/value pair listToAttrs expects.
  toLuksEntry = fs: {
    inherit (fs) name;
    value = {
      device = "/dev/disk/by-uuid/${fs.deviceUUID}";
      preLVM = fs.isPreLVM;
    };
  };

  # Despite the option's name, this flag gates lanzaboote and sbctl below;
  # plain systemd-boot is disabled in either case.
  useLanzaboote = config.enableSystemdBoot;
in
{
  options = {
    enableSystemdBoot = mkOption {
      type = types.bool;
      default = true;
      example = false;
      description = '' Whether or not enable the default systemd boot system. Can be useful for devices using u-boot. '';
    };

    luksDevices = mkOption {
      type = types.listOf luksDevicesModule;
      default = [ ];
      description = '' List of LUKS devices. '';
    };
  };

  config = {
    # builtins.listToAttrs keeps the first entry when two share a name, so a
    # duplicated `name` in luksDevices is dropped without any error and that
    # volume is never offered for unlocking.
    boot.initrd.luks.devices = builtins.listToAttrs (map toLuksEntry config.luksDevices);

    # Set at normal priority: another module that sets this to true produces a
    # conflicting-definition error instead of being overridden.
    boot.loader.systemd-boot.enable = false;

    # pkiBundle is where lanzaboote looks for the Secure Boot signing keys.
    # Nothing in this module creates that directory, so the keys have to be
    # present on the machine before the first rebuild with this enabled.
    # NOTE(review): keep the directory readable by root only; whoever can read
    # the private keys can sign boot images this machine will accept.
    boot.lanzaboote = mkIf useLanzaboote {
      enable = true;
      pkiBundle = "/etc/secureboot";
    };

    # sbctl is only installed when lanzaboote is in use.
    environment.systemPackages = mkIf useLanzaboote [ pkgs.sbctl ];
  };
}