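# NixOS module: boot-chain settings — a systemd-based initrd with TPM2 support
# and systemd-boot as the EFI boot loader.
{...}: {
  # TODO: lanzaboote
  # NOTE(review): this module configures no Secure Boot signing. Unless that is
  # done elsewhere, nothing here verifies the loader, kernel or initrd before
  # they run, so the settings below should not be treated as a trusted boot
  # chain until lanzaboote (or an equivalent) is in place.
  boot = {
    initrd.systemd = {
      enable = true;
      # TPM2 support inside the initrd.
      # NOTE(review): presumably used to unseal a disk-encryption key — confirm.
      # If so, check which PCRs (and whether a PIN) the enrolment is bound to;
      # without Secure Boot enforcement the sealing policy is the only thing
      # tying the key to this boot chain.
      enableTpm2 = true;
    };
    loader = {
      # Let the installer write EFI boot variables (boot entries) on this machine.
      efi.canTouchEfiVariables = true;
      # Seconds the boot menu is shown before the default entry starts.
      timeout = 2;
      systemd-boot = {
        enable = true;
        # Keep only the three most recent generations in the boot menu.
        configurationLimit = 3;
        # Hardening: turn off the boot-menu kernel command-line editor. The
        # option defaults to enabled, which lets anyone at the console change
        # kernel parameters for a single boot and bypass normal login. Older
        # generations remain selectable from the menu for recovery.
        editor = false;
      };
    };
  };
}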