# NixOS module: optional SSH server inside the initrd, gated behind
# `features.boot.ssh.enable`. The hostname written into the initrd
# ("unlock.<hostName>") suggests it is used to unlock the machine remotely at
# boot; that use is not shown in this file.
{
  config,
  lib,
  pkgs,
  factsGenerator,
  clanLib,
  ...
}:
let
  cfg = config.features.boot.ssh;

  # Fact service that holds the initrd-only SSH host key declared below.
  bootKeyFacts = config.clan.core.facts.services."boot.ssh";
in
{
  options.features.boot.ssh = {
    # Off by default: an SSH listener in the initrd is extra pre-boot attack
    # surface and should be opted into per host.
    enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
    };

    # Kernel modules made available in the initrd; the description explains
    # how to find the driver of the ethernet interface.
    kernelModules = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      description = "nix-shell -p pciutils --run 'lspci -v' will tell you which kernel module is used for the ethernet interface";
    };
  };

  config = lib.mkIf cfg.enable {
    # ssh host key
    # A separate key named "boot" is generated for the initrd instead of
    # reusing the host's regular SSH host key.
    # NOTE(review): initrd contents commonly live on an unencrypted boot
    # partition, so treat this key as readable by anyone with access to that
    # disk. Confirm how the secret is delivered into the initrd on this setup.
    clan.core.facts.services."boot.ssh" = factsGenerator.ssh { name = "boot"; };

    # todo: maybe put this in a component
    boot.initrd = {
      # boot
      systemd = {
        enable = true;
        # Distinct hostname so the pre-boot environment can be told apart from
        # the fully booted system.
        contents."/etc/hostname".text = "unlock.${config.networking.hostName}";
        # network
        network.enable = true;
      };

      availableKernelModules = cfg.kernelModules;

      # ssh
      network = {
        enable = true;
        ssh = {
          enable = true;
          # Every key in root's `openssh.authorizedKeys.keys` may log in to
          # the initrd. Only the inline `keys` list is read here; keys that
          # root gets from key files are not included.
          authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
          # Non-default port; presumably chosen so clients keep the initrd
          # host key apart from the booted system's key on port 22. Verify.
          port = 2222;
          # Secret name is presumably derived from `name = "boot"` above.
          # Verify against factsGenerator.ssh.
          hostKeys = [ bootKeyFacts.secret."ssh.boot.id_ed25519".path ];
        };
      };
    };
  };
}