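{ config, lib, pkgs, factsGenerator, clanLib, ... }:
let
  cfg = config.features.boot.tor;

  # Everything the initrd tor unit executes. Listed once and used both for the
  # unit's PATH and for boot.initrd.systemd.storePaths, so the closures the
  # script relies on are guaranteed to be present inside the initrd.
  initrdTorPackages = [ pkgs.tor pkgs.iproute2 pkgs.coreutils ];

  # Hidden-service files tor expects in HiddenServiceDir to come up with a
  # stable (pre-generated) onion address instead of minting a new one.
  onionSecretNames = [ "hostname" "hs_ed25519_public_key" "hs_ed25519_secret_key" ];

  # Must match HiddenServiceDir in the generated tor.rc below.
  onionDir = "/etc/tor/onion/bootup";
in
{
  options.features.boot.tor = {
    enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Run a tor instance inside the (systemd-based) initrd and publish
        a hidden service that forwards onion port 2222 to 127.0.0.1:2222,
        so the machine is reachable over tor during early boot.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    # Every setting below lives under boot.initrd.systemd; with the
    # script-based initrd they are accepted but never take effect, which would
    # silently leave the machine without the onion service at boot.
    assertions = [
      {
        assertion = config.boot.initrd.systemd.enable;
        message = "features.boot.tor requires boot.initrd.systemd.enable = true";
      }
    ];

    # tor secrets: hidden-service key material generated by the clan facts
    # generator under its own "initrd" name, so it is distinct from any
    # tor instance running in the full system.
    clan.core.facts.services."initrd.tor" = factsGenerator.tor {
      name = "initrd";
      addressPrefix = "init";
    };

    # Place the onion hostname and keypair inside the initrd at the path tor
    # reads them from.
    # NOTE(review): boot.initrd.secrets are bundled with the initrd on the
    # boot partition, so the hidden-service private key is only as protected
    # as wherever the initrd is stored — confirm this matches the deployment's
    # expectations for /boot.
    boot.initrd.secrets = lib.listToAttrs (map
      (secret:
        lib.nameValuePair "${onionDir}/${secret}"
          config.clan.core.facts.services."initrd.tor".secret."tor.initrd.${secret}".path
      )
      onionSecretNames);

    boot.initrd.systemd.storePaths = initrdTorPackages;

    # SOCKS listeners are bound to loopback only; the hidden service exposes
    # just local port 2222 to the onion side.
    boot.initrd.systemd.contents = {
      "/etc/tor/tor.rc".text = ''
        DataDirectory /etc/tor
        SOCKSPort 127.0.0.1:9050 IsolateDestAddr
        SOCKSPort 127.0.0.1:9063
        HiddenServiceDir ${onionDir}
        HiddenServicePort 2222 127.0.0.1:2222
      '';
    };

    boot.initrd.systemd.services.tor = {
      description = "tor during init";
      wantedBy = [ "initrd.target" ];
      # The onion keys are only present after the initrd secrets have been
      # copied into place; ordering after that unit avoids a fresh random
      # onion address on a race.
      after = [ "network.target" "initrd-nixos-copy-secrets.service" ];
      before = [ "shutdown.target" ];
      conflicts = [ "shutdown.target" ];
      # Initrd units must opt out of the default dependency set, which would
      # otherwise pull in targets that do not exist in stage 1.
      unitConfig.DefaultDependencies = false;
      path = initrdTorPackages;
      # NixOS runs `script` with errexit, so a failing --verify-config stops
      # the unit before the real daemon is launched.
      script = ''
        echo "tor: preparing onion folder"
        # have to do this otherwise tor does not want to start
        chmod -R 700 /etc/tor
        echo "tor: starting tor"
        tor -f /etc/tor/tor.rc --verify-config
        tor -f /etc/tor/tor.rc
      '';
    };
  };
}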