# NixOS module: unlock LUKS volumes over SSH during early boot.
#
# Enabling `gen.bootloader.luksSsh` turns on networking and an SSH server in
# the initrd and appends a passphrase prompt to root's login profile there.
{
  config,
  lib,
  ...
}: let
  inherit (lib) mkEnableOption mkIf mkOption types;

  luksSsh = config.gen.bootloader.luksSsh;
in {
  options.gen.bootloader.luksSsh = {
    enable = mkEnableOption "boot process with luks unlock over ssh";

    # Forwarded to boot.initrd.network.udhcpc.enable below.
    useDhcp = mkEnableOption "dhcp";

    # No default is declared, so a value has to be supplied whenever the
    # module is enabled.
    port = mkOption {
      description = "port for ssh server to listen on";
      type = types.port;
    };

    # These private keys end up inside the initrd. Generate keys used only
    # for this purpose and never point this at the machine's regular SSH host
    # keys: the initrd typically sits on the unencrypted boot partition.
    # NOTE(review): a Nix path literal passed here may additionally be copied
    # into the world-readable Nix store unless the bootloader supports initrd
    # secrets; confirm how callers supply the paths.
    hostKeys = mkOption {
      description = "paths of host keys for the ssh server to use";
      type = types.listOf types.path;
    };
  };

  config = mkIf luksSsh.enable {
    boot.initrd.network = {
      enable = true;
      # NOTE(review): presumably clears the initrd network configuration
      # before stage 2 takes over; confirm against the NixOS option docs.
      flushBeforeStage2 = true;
      udhcpc.enable = luksSsh.useDhcp;

      ssh = {
        enable = true;
        port = luksSsh.port;
        hostKeys = luksSsh.hostKeys;
        # Every key in this file can log in to the pre-boot environment (the
        # hook below targets /root/.profile), so keep the list limited to the
        # people who are allowed to unlock the disk.
        authorizedKeys = import ../../keys/ssh.nix;
      };

      # Appends one line to /root/.profile. The shell groups that line as
      # `(cryptsetup-askpass || echo ...) && exit 1`: the message is printed
      # only when cryptsetup-askpass returns non-zero, and the session exits
      # with status 1 afterwards unless the echo itself fails.
      # NOTE(review): the wording assumes the helper ends with a non-zero
      # status once unlocking has finished; confirm against the initrd's
      # cryptsetup-askpass.
      # NOTE(review): .profile is only read by login shells, so treat this as
      # a convenience prompt rather than a restriction on what an authorized
      # key may do.
      postCommands = ''
        # Automatically ask for the password on SSH login
        echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1' >> /root/.profile
      '';
    };
  };
}