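# NixOS module: initrd setup for a LUKS root ("crypted") that is unlocked with a
# key file read from a separately mounted device, plus hibernation resume settings.
{ pkgs, ... }:
{
  boot = {
    kernelPackages = pkgs.linuxPackages_latest;
    supportedFilesystems = [ "btrfs" ];

    initrd = {
      # USB storage and FAT/codepage modules, loaded in the initrd so the key
      # device can be read before the root filesystem is unlocked.
      kernelModules = [ "uas" "usbcore" "usb_storage" "vfat" "nls_cp437" "nls_iso8859_1" ];

      # Legacy approach (kept for reference): mount the USB key before trying
      # to decrypt the root filesystem.
      # postDeviceCommands = pkgs.lib.mkBefore ''
      #   mkdir -m 0755 -p /key
      #   sleep 2 # To make sure the usb key has been loaded
      #   mount -n -t vfat -o ro `findfs UUID=${PRIMARYUSBID}` /key || mount -n -t vfat -o ro `findfs UUID=${BACKUPUSBID}` /key
      # '';
      ### ----> Instead use a systemd mount unit
      systemd = {
        enable = true; # tpm2 unlock requires systemd initrd
        mounts = [
          {
            # TODO: `what` is empty, so this unit names no source device. Set it
            # to a stable identifier of the key device, for example
            # "/dev/disk/by-uuid/<KEY-DEVICE-UUID>" (placeholder).
            what = "";
            where = "/key";
            # NOTE(review): the modules loaded above and the legacy mount command
            # are for vfat, while this unit says btrfs. Confirm which filesystem
            # the key device really carries.
            type = "btrfs";
            # The legacy command mounted the key device with `-o ro`; keep it
            # read-only here too, since the initrd only ever reads the key file.
            options = "ro";
          }
        ];
      };

      luks.devices."crypted" = {
        # Bypass dm-crypt's internal read/write workqueues.
        bypassWorkqueues = true;
        # ~~~> Define this in the system configuration <~~~
        # Reference the device by uuid, partuuid, id, or another stable
        # identifier (see lsblk, blkid or ls -l /dev/disk/by-*).
        # device = lib.mkDefault "/dev/disk/by-partuuid/5e65cc4c-eb35-4d62-8fcd-387d6a87c067";
        # crypttabExtraOpts = [ "tpm2-device=auto" ]; # tpm2 unlock
        preLVM = true;
        # Passes TRIM/discard requests through the encrypted mapping. This
        # reveals which blocks of the ciphertext device are unused, so it trades
        # some confidentiality of the disk layout for SSD performance and lifetime.
        allowDiscards = true;
        # If using a USB or SD card: read the first 4096 bytes of the key file.
        # Anyone who can copy this file can unlock the disk, so treat the key
        # device like the passphrase itself.
        keyFileSize = 4096;
        keyFile = "/key/hdd.key";
        # Falling back to the encryption password when the key device cannot be
        # found is highly recommended. With the systemd initrd enabled above,
        # that fallback is implied, and nixpkgs' LUKS module asserts that the
        # scripted-initrd option below is left unset
        # ("fallbackToPassword is implied by systemd stage 1"), so it is not set here.
        # fallbackToPassword = true;
      };
    };

    # Should point to the disk/device where swap resides; the author notes that
    # this disk does not have a UUID.
    # NOTE(review): kernel names such as /dev/nvme0n1 are not guaranteed to be
    # stable across boots; a /dev/disk/by-id or by-partuuid path is safer.
    # NOTE(review): if the swap area is outside the LUKS container, the
    # hibernation image (RAM contents, including the volume key) is written
    # unencrypted. Confirm that swap lives inside "crypted".
    resumeDevice = "/dev/nvme0n1";
    kernelParams = [
      # hibernation: presumably the swap file's offset on resumeDevice.
      "resume_offset=533760"
    ];
  };
}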