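# NixOS module: let an operator type the LUKS passphrase over SSH while the
# machine is still in the initrd (stage 1), so a headless host can be rebooted
# without console access.
#
# Security notes for anyone enabling this option:
#   * The initrd is stored on the (unencrypted) boot partition, so every key
#     listed in `hostKeys` is readable by anyone with access to the disk.
#     Generate keys that are used only by the initrd sshd and never reuse the
#     booted system's sshd host keys.
#   * Give `hostKeys` as absolute path strings (e.g.
#     "/etc/secrets/initrd/ssh_host_ed25519_key"). A relative path literal
#     such as ./key is copied into the world-readable Nix store at eval time.
#   * The initrd sshd presents a different host key than the booted system.
#     Using the same host:port for both makes SSH clients report a changed
#     host key, so pick a `port` distinct from the stage-2 sshd.
{ config, lib, ... }:
let
  baseCfg = config.gen.system.bootloader;
  cfg = baseCfg.luksSsh;
in {
  options.gen.system.bootloader.luksSsh = {
    enable = lib.mkEnableOption "use boot process with luks unlock over ssh";

    port = lib.mkOption {
      type = lib.types.port;
      description = ''
        Port for the initrd ssh server to listen on. Prefer a port that differs
        from the booted system's sshd: the initrd uses its own host keys, so
        sharing host:port with stage 2 makes clients see a host-key change.
      '';
    };

    hostKeys = lib.mkOption {
      type = lib.types.listOf lib.types.path;
      description = ''
        Paths of host keys for the initrd ssh server to use. These keys are
        embedded in the initrd on the unencrypted boot partition and must be
        treated as public: generate dedicated initrd keys and never reuse the
        system's sshd host keys. Pass absolute paths as strings (e.g.
        "/etc/secrets/initrd/ssh_host_ed25519_key"); a path literal would be
        copied into the Nix store.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    # ### Use systemd-boot ###
    # (commented out in the original; kept verbatim for reference)
    # boot.loader = {
    #   efi.canTouchEfiVariables = true;
    #   timeout = 2;
    #   systemd-boot = {
    #     enable = true;
    #     configurationLimit = 3;
    #   };
    # };

    ### LUKS unlock through SSH ###
    boot.initrd = {
      network = {
        enable = true;
        # Clear the interface configuration brought up in the initrd before
        # stage 2 takes over, so the booted system starts from a clean network
        # state rather than inheriting the initrd's addresses and routes.
        flushBeforeStage2 = true;
        ssh = {
          enable = true;
          # Shared authorized_keys list for this configuration; only these keys
          # can reach the unlock prompt.
          authorizedKeys = import ../../../keys/ssh.nix;
          inherit (cfg) hostKeys port;
        };
        # Runs in the initrd once the network is up. Appending to /root/.profile
        # makes every interactive SSH login drop straight into the passphrase
        # prompt and then close the session. In sh, `||` and `&&` have equal
        # precedence and bind left-to-right, so `exit 1` runs regardless of the
        # askpass result; the echo is only reached when cryptsetup-askpass
        # returns non-zero. NOTE(review): the "Unlock was successful" message is
        # therefore printed on a non-zero exit status -- confirm this matches
        # cryptsetup-askpass's exit-code convention.
        postCommands = ''
          # Automatically ask for the password on SSH login
          echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1' >> /root/.profile
        '';
      };
    };
  };
}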