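# NixOS module fragment: boot loader, initrd kernel modules and filesystem
# mounts for a UEFI machine booted with systemd-boot.
#
# Security status: "/" is mounted unencrypted below, so data at rest is not
# protected if the disk or the machine is lost. The LUKS setup exists only as
# the commented-out draft under "TODO: encrypted storage".
{ ... }:

let
  # Label of the USB stick expected to carry the LUKS key file. Referenced only
  # by the commented-out draft.
  usb_label = "my_usb";
  # UUID of the LUKS container; still empty, referenced only by the draft.
  encrypted_root_uuid = "";
  # Not referenced anywhere in this file.
  # NOTE(review): presumably meant for mounting "/" by UUID; confirm or drop.
  unencrypted_root_uuid = "";
in
{
  boot = {
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };

    # Modules the initrd may load: disk/USB/SD controllers and storage, vfat
    # with its code pages (the draft mounts a vfat key stick in the initrd),
    # and AES acceleration for disk encryption.
    initrd.availableKernelModules = [
      "xhci_pci"
      "ahci"
      "nvme"
      "usb_storage"
      "sd_mod"
      "rtsx_pci_sdmmc"
      "uas"
      "usbcore"
      "vfat"
      "nls_cp437"
      "nls_iso8859_1"
      "aesni_intel"
      "cryptd"
    ];

    kernelModules = [ "kvm-intel" ];
  };

  # TODO: encrypted storage
  #
  # NOTE(review), to settle before enabling the draft below:
  #  - `pkgs` is not bound by the `{ ... }:` header; it has to be added to the
  #    module arguments or the draft will not evaluate.
  #  - The first and third assignments start with `initrd.` although they sit
  #    outside `boot = { ... }`; they need the `boot.` prefix the second one has.
  #  - The key lives on removable vfat media, which has no file permissions:
  #    whoever holds the stick can unlock the disk. Keep a passphrase keyslot as
  #    a recovery path and store the stick apart from the laptop.
  #  - The draft mounts /key and never unmounts it; check that the key file is
  #    not left reachable once the root device has been opened.
  #  - `findfs LABEL=...` accepts any attached volume with that label; labels
  #    are not unique, so a UUID-based lookup is the tighter match.
  #  - `allowDiscards = true` passes TRIM through dm-crypt, which reveals which
  #    blocks are unused to anyone inspecting the raw disk. Enable it only if
  #    that trade-off is accepted.
  #  - `sleep 3` is a fixed wait for USB enumeration; a slower stick makes the
  #    mount fail.
  #
  #initrd.postDeviceCommands = pkgs.lib.mkBefore ''
  #  mkdir -m 0755 -p /key
  #  sleep 3
  #  mount -n -t vfat -o ro `findfs LABEL=${usb_label}` /key
  #'';
  #boot.initrd.luks.devices."cryptroot".device =
  #  "/dev/disk/by-uuid/${encrypted_root_uuid}";
  #initrd.luks.devices."cryptroot" = {
  #  keyFile = "/key/encryption-keys/lappy.key";
  #  preLVM = false;
  #  allowDiscards = true;
  #};

  fileSystems = {
    # Unencrypted root, selected by filesystem label.
    # NOTE(review): a label can be carried by any attached device; by-uuid is
    # the more specific selector.
    "/" = {
      device = "/dev/disk/by-label/nixos";
      fsType = "ext4";
    };
    # Replacement root for when the LUKS draft above is enabled.
    #"/" = {
    #  device = "/dev/mapper/cryptroot";
    #  fsType = "ext4";
    #};
    # EFI system partition; vfat, and unencrypted in either layout.
    "/boot" = {
      device = "/dev/disk/by-label/nixboot";
      fsType = "vfat";
    };
  };
}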