# Headless server profile: mdadm/ZFS/LUKS storage that is unlocked remotely
# over SSH from the initrd.  Builds on the shared modules imported below.
{ config, ... }:

{
  imports = [
    ../common
    ../services/openssh.nix
    ../system/headless.nix
  ];

  # GRUB on EFI, installed to the removable-media fallback path so no NVRAM
  # boot entry is required; enableCryptodisk lets GRUB read /boot from a
  # LUKS-encrypted disk.
  boot.loader.grub.efiSupport = true;
  boot.loader.grub.efiInstallAsRemovable = true;
  boot.loader.grub.enableCryptodisk = true;
  boot.loader.grub.device = "nodev";

  # panic=10 reboots 10 s after a kernel panic so the headless box recovers
  # without a console.  mitigations=off turns off the kernel's CPU
  # side-channel mitigations (Spectre/Meltdown class) for performance; that
  # trade is only defensible while nothing untrusted executes on this host.
  boot.kernelParams = [ "panic=10" "mitigations=off" ];

  boot.initrd.availableKernelModules = [ "sd_mod" "cryptd" ];
  boot.initrd.kernelModules = [ "md_mod" "raid0" "raid1" ];

  # Manually start degraded arrays if needed, to still allow booting from them.
  # See https://github.com/NixOS/nixpkgs/issues/72608
  boot.initrd.preLVMCommands = ''
    for dev in /dev/md*; do
      if [ -b "$dev" ]; then
        mdadm --run "$dev"
      fi
    done
  '';

  # Initrd networking plus an sshd so the pool/LUKS passphrases can be
  # entered remotely instead of at a console.
  boot.initrd.network.enable = true;
  boot.initrd.network.udhcpc.enable = true;
  boot.initrd.network.ssh = {
    enable = true;
    # Reuses the main system's authorized keys for user christoph.
    authorizedKeys = config.users.users.christoph.openssh.authorizedKeys.keys;
    # Dedicated initrd host key, deliberately distinct from the system host
    # key: it ends up inside the initrd, so whoever can read that image (or
    # its Nix-store copy, depending on initrd-secrets support) can impersonate
    # the initrd sshd.  Never point this at the real host key.
    hostKeys = [ "/var/secrets/initrd/hostkey" ];
    # The initrd sshd accepts ed25519 only (plain, certificate and FIDO/sk
    # variants); authorizedKeys entries of any other type cannot log in here.
    extraConfig = ''
      PubkeyAcceptedAlgorithms ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com
    '';
  };

  # Runs once the initrd network is up: imports the pools and seeds
  # /root/.profile so that the remote login shell first prints array and pool
  # status, then loads the ZFS keys, answers the LUKS prompt via
  # cryptsetup-askpass and finally signals completion through /tmp/unlocked.
  boot.initrd.network.postCommands = ''
    echo 'importing all zpools ..'
    /bin/zpool import -a
    echo 'mdadm --detail /dev/md*; /bin/zpool status;' >>/root/.profile
    echo '/bin/zfs load-key -r -a && /bin/cryptsetup-askpass && echo >/tmp/unlocked' >>/root/.profile
    echo 'starting sshd ..'
  '';

  # Runs after the device stage and tears down the initrd sshd.
  # NOTE(review): `echo /tmp/unlocked` only prints the path; if the fifo is
  # meant to block here until the login shell's `echo >/tmp/unlocked` has
  # happened, `cat /tmp/unlocked` would be needed -- confirm the intent.
  boot.initrd.postDeviceCommands = ''
    echo 'waiting for encrypted devices unlock ..'
    mkfifo /tmp/unlocked
    echo /tmp/unlocked
    killall sshd
  '';

  # Reliability/Availability/Serviceability daemon: records hardware error
  # events reported by the kernel.
  hardware.rasdaemon.enable = true;
}