{
  pkgs,
  lib,
  config,
  ...
}: let
  # Option set of the systemd-boot module. The module itself is disabled
  # further down; only `extraFiles`, `extraEntries` and `xbootldrMountPoint`
  # are read from it here, as plain data for our own copy script.
  cfg = config.boot.loader.systemd-boot;
  inherit (config.boot.loader) efi;

  # Single-quote a value for safe interpolation into the activation script.
  esa = lib.escapeShellArg;

  # Partition that receives loader entries and extra files: the XBOOTLDR
  # partition when one is declared, otherwise the ESP itself.
  bootMountPoint =
    if cfg.xbootldrMountPoint == null
    then efi.efiSysMountPoint
    else cfg.xbootldrMountPoint;

  # Directory on the boot partition reserved for NixOS-managed files.
  nixosDir = "/EFI/nixos";

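  # Activation script that stages `boot.loader.systemd-boot.extraFiles` and
  # `extraEntries` onto the boot partition. Lanzaboote replaces the upstream
  # systemd-boot installer (the module is disabled below), so the upstream
  # handling of those two options never runs and the files are copied here.
  #
  # Behaviour worth knowing:
  #  * A file is copied only when nothing exists at its destination. That keeps
  #    activation cheap (the ISO declared below is large) but also means a
  #    changed store path is NOT propagated; delete the stale file from the
  #    boot partition to force a re-copy.
  #  * Every copied file gets an empty marker under
  #    `<nixosDir>/.extra-files/`, mirroring the upstream module's layout so
  #    managed files can be told apart from foreign ones.
  #  * Every source and destination path is passed through `esa`, so attribute
  #    names and store paths containing shell metacharacters cannot break out
  #    of the command.
  #  * The mktemp file used as the marker source is removed at the end instead
  #    of being left behind on each activation.
  copyExtraFiles = ''
    echo "[systemd-boot] copying files to ${bootMountPoint}"
    empty_file=$(mktemp)

    ${lib.concatStrings (lib.mapAttrsToList (n: v:
      /*
      bash
      */
      ''
        if ! [ -e ${esa "${bootMountPoint}/${n}"} ]; then
          install -Dp ${esa "${v}"} ${esa "${bootMountPoint}/${n}"}
          install -D "$empty_file" ${esa "${bootMountPoint}/${nixosDir}/.extra-files/${n}"}
        fi
      '')
    cfg.extraFiles)}

    ${lib.concatStrings (lib.mapAttrsToList (n: v:
      /*
      bash
      */
      ''
        if ! [ -e ${esa "${bootMountPoint}/loader/entries/${n}"} ]; then
          install -Dp ${esa "${pkgs.writeText n v}"} ${esa "${bootMountPoint}/loader/entries/${n}"}
          install -D "$empty_file" ${esa "${bootMountPoint}/${nixosDir}/.extra-files/loader/entries/${n}"}
        fi
      '')
    cfg.extraEntries)}

    # The temp file only served as the install(1) source for the markers.
    rm -f "$empty_file"
  '';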
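in {
  # Lanzaboote replaces the systemd-boot installer, so the extra files and
  # loader entries declared below are staged by our own activation script.
  system.activationScripts = {
    copyExtraFilesForBoot = copyExtraFiles;
  };

  # Help lanzaboote with the filesystems
  # source: https://github.com/nix-community/lanzaboote/issues/173#issuecomment-1532386210
  # TODO: Remove this workaround <2024-05-11>
  # The bind-mount sources are derived from `boot.loader.efi.efiSysMountPoint`
  # (set to /boot below) so the two declarations cannot drift apart.
  # NOTE(review): re-check whether the upstream issue is resolved before
  # keeping these mounts; they expose the ESP's EFI/Linux and EFI/nixos
  # directories a second time under /efi.
  fileSystems = {
    "/efi/EFI/Linux" = {
      device = "${efi.efiSysMountPoint}/EFI/Linux";
      options = ["bind"];
    };
    "/efi/EFI/nixos" = {
      device = "${efi.efiSysMountPoint}/EFI/nixos";
      options = ["bind"];
    };
  };

  boot = {
    initrd = {
      #compressor = "lz4";
      #compressorArgs = ["-9"];
      # Loaded early in the initrd; presumably the root disk is NVMe with a
      # btrfs filesystem — verify against the disk layout.
      kernelModules = ["nvme" "btrfs"];
    };

    kernelPackages = pkgs.linuxPackages_latest;

    lanzaboote = {
      enable = true;
      # Directory holding the Secure Boot key material lanzaboote signs with.
      # Anyone who can read it can sign binaries the firmware will trust, so it
      # must stay root-only and must never be referenced through the Nix store
      # (the store is world-readable).
      pkiBundle = "/etc/secureboot";

      settings = {
        # Disable editing the kernel command line (which could allow someone to become root)
        editor = false;
      };
    };

    loader = {
      systemd-boot = {
        # Lanzaboote currently replaces the systemd-boot module.
        # This setting is usually set to true in configuration.nix
        # generated at installation time. So we force it to false
        # for now.
        enable = false;

        # With the module disabled, the options below do nothing on their own;
        # they are only data for the copy script above. This one selects
        # bootMountPoint and is deliberately the same path as the ESP.
        xbootldrMountPoint = "/boot";

        # Extra loader entries, written to loader/entries/<name>.
        # NOTE(review): this entry boots a kernel that lanzaboote does not
        # sign. With Secure Boot enforcing it should be refused unless it has
        # been signed with the enrolled key; if Secure Boot is not enforcing,
        # the entry is a physical-access route around the `editor = false`
        # hardening above. Confirm which of the two applies on this machine.
        extraEntries = {
          "live.conf" = ''
            title Archlinux Live ISO
            linux /live/vmlinuz-linux
            initrd /live/initramfs-linux.img
            options img_dev=${config.soispha.disks.disk} img_loop=/archlinux.iso copytoram
          '';
        };

        # Files copied onto the boot partition, keyed by path relative to
        # bootMountPoint. The live entry above references these paths.
        extraFiles = let
          iso = import ./archlive_iso.nix {inherit pkgs;};
        in {
          "archlinux.iso" = "${iso}/archlinux.iso";
          "live/initramfs-linux.img" = "${iso}/live/initramfs-linux.img";
          "live/vmlinuz-linux" = "${iso}/live/vmlinuz-linux";
        };
      };

      grub = {
        # Not the active loader; kept for reference only.
        enable = false;
        # theme = pkgs.nixos-grub2-theme;
        splashImage = ./boot_pictures/gnu.png;
        efiSupport = true;
        device = "nodev"; # only for efi
      };

      efi = {
        # Allow the installer to write the firmware boot entry.
        canTouchEfiVariables = true;
        efiSysMountPoint = "/boot";
      };
    };
  };
}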