{
  pkgs,
  lib,
  ...
}: let
in {
  boot.loader.grub = {
    enable = true;
    version = 2;
    device = "/dev/vda";
    efiSupport = true;
    enableCryptodisk = true;
  };
  boot.loader.efi.canTouchEfiVariables = true;
  boot.loader.systemd-boot.enable = true;

  boot.initrd.luks.devices = [
    {
      name = "crypt";
      device = "/dev/disk/uuid/463d886d-7dfe-421b-8cef-f9af3a3fa09d";
      preLVM = true;
      allowDiscards = true;
    }
  ];
  fileSystems."/" = {label = "root";};

  fileSystems."/boot" = {label = "boot";};

  boot.tmpOnTmpfs = true;

  boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc"];

  users.extraUsers.root.initialPassword = lib.mkForce "toorroot";
  users.mutableUsers = false;
}