# Host boot and storage module: Secure Boot through lanzaboote, one LUKS
# device opened in the initrd, and btrfs subvolumes for /, /nix, /home and
# /swap.
{pkgs, lib, ...}: let
  # All four mounts below are subvolumes of this single btrfs filesystem.
  # NOTE(review): presumably this filesystem lives inside the
  # "nvme0n1p2_crypt" LUKS mapping; nothing in this module ties the two
  # UUIDs together, so confirm it. Whether the Secure Boot keys and the swap
  # file are encrypted at rest depends on that.
  btrfsVolume = "/dev/disk/by-uuid/bea34866-903b-460e-abff-c817e06891c7";

  # Build a fileSystems entry for one subvolume; the argument is the full
  # mount option string (e.g. "subvol=root").
  mountSubvol = subvolOption: {
    device = btrfsVolume;
    fsType = "btrfs";
    options = [subvolOption];
  };
in {
  boot = {
    initrd = {
      # Modules the initrd may load to reach the NVMe/USB storage.
      availableKernelModules = ["xhci_pci" "nvme" "usb_storage" "sd_mod"];

      # Use the systemd-based initrd.
      systemd.enable = true;

      # Full disk encryption: LUKS container opened during early boot.
      luks.devices."nvme0n1p2_crypt".device = "/dev/disk/by-uuid/7196bd89-099f-4e9e-80e5-3d6d555272b1";
    };

    # Loaded in the booted system (KVM on Intel).
    kernelModules = ["kvm-intel"];

    # lanzaboote takes over boot-loader installation, so the stock
    # systemd-boot module is forced off.
    loader.systemd-boot.enable = lib.mkForce false;
    bootspec.enable = true;

    lanzaboote = {
      enable = true;

      # Directory holding the Secure Boot key bundle used to sign boot
      # images. It contains private signing keys: keep it readable by root
      # only and on encrypted storage.
      # NOTE(review): no fileSystems."/boot" (ESP) entry is declared in this
      # module; lanzaboote installs the signed images there, so confirm the
      # mount is defined elsewhere.
      pkiBundle = "/var/lib/sbctl";

      # Boot the default entry without waiting at the menu.
      settings.timeout = 0;
    };
  };

  fileSystems = {
    # Root filesystem.
    "/" = mountSubvol "subvol=root";

    # Nix directory.
    "/nix" = mountSubvol "subvol=nix";

    # Home directory.
    "/home" = mountSubvol "subvol=home";

    # Subvolume that holds the swap file.
    "/swap" = mountSubvol "subvol=swap";
  };

  # Swap file inside the /swap subvolume.
  swapDevices = [{device = "/swap/swapfile";}];

  # Install some packages.
  environment.systemPackages = [pkgs.deploy-rs];
}