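# NixOS module: boot loader settings (systemd-boot on UEFI).
{ ... }:
{
  # TODO: lanzaboote
  # Until Secure Boot is in place, nothing here verifies the boot chain;
  # the settings below only configure plain systemd-boot.
  boot.loader = {
    # Let the installer write boot entries into the firmware's EFI variables.
    efi.canTouchEfiVariables = true;

    # Seconds the boot menu is shown before the default entry starts.
    timeout = 2;

    systemd-boot = {
      enable = true;

      # Keep only the three most recent generations in the boot menu.
      configurationLimit = 3;

      # NixOS leaves the systemd-boot entry editor enabled by default, which
      # lets anyone at the console change the kernel command line for a boot.
      # Turn it off so the menu only offers the generated entries.
      editor = false;
    };
  };
}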