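# NixOS module: SSH server inside the initrd (stage 1).
#
# Defines `components.nixos.boot.ssh.{enable,kernelModules}` and, when enabled,
# brings up systemd-based initrd networking plus an initrd sshd on port 2222
# that accepts root's authorized keys and presents a dedicated "boot" host key.
{
  config,
  lib,
  pkgs,
  factsGenerator,
  clanLib,
  ...
}:
let
  cfg = config.components.nixos.boot.ssh;
in
{
  options.components.nixos.boot.ssh = {
    enable = lib.mkOption {
      type = lib.types.bool;
      default = config.components.nixos.boot.enable;
      # The default reads another option, so give the docs a literal to print.
      defaultText = lib.literalExpression "config.components.nixos.boot.enable";
      description = "Whether to run an SSH server in the initrd (stage 1). Follows components.nixos.boot.enable unless set explicitly.";
    };
    kernelModules = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      description = "lspci -v will tell you which kernel module is used for the ethernet interface";
    };
  };

  config = lib.mkIf cfg.enable {

    # root password
    # NOTE(review): the generated secret is not consumed anywhere in this
    # module while the hashedPasswordFile line below stays disabled.
    clan.core.facts.services.rootPassword = factsGenerator.password { name = "root"; };
    #users.users.root.hashedPasswordFile = config.clan.core.facts.services.rootPassword.secret."password.root.pam".path; # fixme not working for some reason
    # NOTE(review): keep the next line disabled. The option is spelled
    # `initialPassword`, and a literal password in the configuration is stored
    # in the world-readable Nix store; fix the hashedPasswordFile wiring instead.
    #users.users.root.initalPassword = "admin";

    # ssh host key
    # A separate "boot" key pair is generated for the initrd sshd. Keep it
    # separate from the running system's host key: the initrd host key has to
    # be readable before any encrypted volume is opened, so it is the less
    # protected of the two and must be treated as such.
    clan.core.facts.services."boot.ssh" = factsGenerator.ssh { name = "boot"; };

    # boot
    boot.initrd.systemd.enable = true;
    # Distinct hostname so a stage-1 shell is recognisable as such.
    boot.initrd.systemd.contents."/etc/hostname".text = "unlock.${config.networking.hostName}";

    # network
    boot.initrd.systemd.network.enable = true;
    # The NIC driver must be available in the initrd or the sshd is unreachable.
    boot.initrd.availableKernelModules = cfg.kernelModules;

    # ssh
    boot.initrd.network.enable = true;
    boot.initrd.network.ssh = {
      enable = true;
      # Every key allowed to log in as root on the running system can also
      # reach the initrd shell; review that list with this in mind.
      # NOTE(review): with no root keys configured nobody can log in here;
      # the NixOS initrd SSH module is expected to reject an empty list.
      authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
      # Presumably moved off the regular sshd port so clients can pin the
      # initrd host key separately from the system host key (verify).
      port = 2222;
      hostKeys = [
        config.clan.core.facts.services."boot.ssh".secret."ssh.boot.id_ed25519".path
      ];
    };
  };
}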