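# NixOS module: remote unlock of a machine from its initrd.
#
# components.nixos.boot.enable  -> ssh.enable (initrd sshd on port 2222)
#                               -> tor.enable (initrd tor onion service in front of it)
# The unlock helpers (unlock-boot-<machine>-via-tor) are generated from the
# onion hostnames published as clan facts by every machine.
{ config, lib, pkgs, factsGenerator, clanLib, ... }:
with lib;
with types;
let
  cfg = config.components.nixos.boot;
in
{
  options.components.nixos.boot = {
    # Master switch; ssh.enable and tor.enable default to it.
    enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
    };
    # Extra kernel modules made available in the initrd (network drivers).
    kernelModules = mkOption {
      type = listOf str;
      default = [ ];
      description = "lspci -v will tell you which kernel module is used for the ethernet interface";
    };
    # sshd inside the initrd, defaults to the master switch.
    ssh.enable = lib.mkOption {
      type = lib.types.bool;
      default = cfg.enable;
    };
    # tor onion service inside the initrd, defaults to ssh.enable.
    tor.enable = lib.mkOption {
      type = lib.types.bool;
      default = cfg.ssh.enable;
    };
  };

  config = mkMerge [
    # todo : not working at the moment, because onion hostnames are secrets
    # NOTE(review): this element is not guarded by mkIf, so it is evaluated on
    # every machine regardless of the enable flags. knownHosts entries below
    # carry no publicKey/publicKeyFile; the sshd module asserts on that (as far
    # as I recall), so this presumably only evaluates while onionIds is empty — confirm.
    (
      let
        onionIds = clanLib.readFactFromAllMachines "tor.initrd.hostname";
        # unlock-boot-<machine>-via-tor: ssh (via torify) to the machine's
        # initrd sshd on port 2222.
        generateOnionUnlockScript = machine: onionId:
          pkgs.writers.writeDashBin "unlock-boot-${machine}-via-tor" ''
            ${pkgs.tor}/bin/torify ${pkgs.openssh}/bin/ssh root@${onionId} -p 2222
          '';
      in
      {
        # add known hosts
        services.openssh.knownHosts = mapAttrs (_machine: onionId: {
          hostNames = [ "[${onionId}]:2222" ];
        }) onionIds;
        # create unlock tor boot script
        environment.systemPackages = mapAttrsToList generateOnionUnlockScript onionIds;
      }
    )

    # tor part
    # --------
    (mkIf cfg.tor.enable {
      #services.tor = {
      #  enable = true;
      #  client.enable = true;
      #  relay.onionServices.bootup.map = [{ port = 2222; }];
      #};

      # tor setup: onion private key + hostname are generated as clan facts
      # and copied into the initrd as secrets.
      clan.core.facts.services.initrd_tor = factsGenerator.tor { name = "initrd"; };
      # NOTE(review): initrd secrets are appended to the initrd on the boot
      # partition, which is normally unencrypted, so the onion private key is
      # readable by anyone with access to /boot. Fine if that is understood;
      # otherwise treat the onion identity as low-value and rotate it.
      boot.initrd.secrets = {
        "/etc/tor/onion/bootup/tor.priv" = config.clan.core.facts.services.initrd_tor.secret."tor.initrd.priv".path;
        "/etc/tor/onion/bootup/hostname" = config.clan.core.facts.services.initrd_tor.secret."tor.initrd.hostname".path;
      };
      #boot.initrd.extraUtilsCommands = ''
      #  copy_bin_and_libs ${pkgs.tor}/bin/tor
      #'';
      # fixme: this thing is not working for some reason.
      boot.initrd.systemd.packages = [ pkgs.tor pkgs.iproute2 pkgs.coreutils ];
      boot.initrd.systemd.services.tor = {
        path = [ pkgs.tor pkgs.iproute2 pkgs.coreutils ];
        # todo: set wanted by
        script =
          let
            # tor config for the initrd: local SOCKS ports plus the onion
            # service that forwards 2222 -> the initrd sshd on 127.0.0.1:2222.
            torRc = pkgs.writeText "tor.rc" ''
              DataDirectory /etc/tor
              SOCKSPort 127.0.0.1:9050 IsolateDestAddr
              SOCKSPort 127.0.0.1:9063
              HiddenServiceDir /etc/tor/onion/bootup
              HiddenServicePort 2222 127.0.0.1:2222
            '';
          in
          ''
            echo "tor: preparing onion folder"
            # have to do this otherwise tor does not want to start
            chmod -R 700 /etc/tor
            echo "make sure localhost is up"
            # "replace" is idempotent. "add" fails with EEXIST when lo already
            # carries 127.0.0.1/8 (usually the case by the time a unit runs),
            # and the unit script runs with errexit, so tor would never start.
            ip addr replace 127.0.0.1/8 dev lo
            ip link set lo up
            echo "tor: starting tor"
            # verify first so a bad config fails loudly instead of a hung daemon
            tor -f ${torRc} --verify-config
            tor -f ${torRc}
          '';
      };
    })

    # ssh part
    # --------
    (mkIf cfg.ssh.enable {
      # boot
      boot.initrd.systemd.enable = true;
      # distinguishable hostname while sitting in the initrd
      boot.initrd.systemd.contents."/etc/hostname".text = "unlock.${config.networking.hostName}";
      # network
      boot.initrd.systemd.network.enable = true;
      boot.initrd.availableKernelModules = cfg.kernelModules;
      # ssh
      boot.initrd.network.enable = true;
      boot.initrd.network.ssh = {
        enable = true;
        #authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys ;
        #authorizedKeyFiles = config.users.users.root.openssh.authorizedKeys.keyFiles;
        port = 2222;
        # NOTE(review): these are the running system's sshd host keys. Anything
        # in boot.initrd.network.ssh.hostKeys ends up in the initrd on the
        # (normally unencrypted) boot partition — and in the world-readable nix
        # store on bootloaders without initrd-secrets support; the NixOS option
        # docs warn against reusing the regular host keys here. A dedicated
        # initrd key pair (e.g. generated as a clan fact like initrd_tor) would
        # keep a /boot compromise from yielding the main host identity.
        hostKeys = map ({ path, ... }: path) config.services.openssh.hostKeys;
      };
    })
  ];
}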