{ ... }:

let
  stage1Modules =  [
    "aesni_intel"
    "kvm-intel"
    "aes_x86_64"
    "nvme"
    "nvme_core"

    "pcieport"
    "thunderbolt"
    "e1000e"
    "xhci_pci"
    "hxci_hcd"
  ];

in
{
  # TASK: new device
  hardware.encryptedDisk = {
    enable = true;
    diskId = "nvme-Samsung_SSD_970_PRO_1TB_S462NF0K904663D";
  };

  # boot.initrd.availableKernelModules = stage1Modules;
  boot.initrd.kernelModules = stage1Modules;
  boot.extraModprobeConfig = ''
    options kvm-intel nested=1
    options kvm-intel enable_shadow_vmcs=1
    options kvm-intel enable_apicv=1
    options kvm-intel ept=1
  '';
}