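# NixOS module: remote unlocking of an encrypted root over SSH from the initrd.
#
# Enabling `services.dropbear` starts the initrd network stack and a Dropbear
# SSH daemon early in boot so an operator can log in and answer the LUKS
# passphrase prompt (`cryptsetup-askpass`) before the real system comes up.
# The static network configuration is handed to the kernel via the `ip=`
# command-line parameter; the initrd link is torn down again once the root
# filesystem is mounted so stage 2 starts from a clean interface.
{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.dropbear;
in
{
  options.services.dropbear = {
    enable = mkEnableOption "dropbear service";

    interface = mkOption {
      type = types.str;
      example = "enp0";
      description = ''
        Interface name.
      '';
    };

    ip = mkOption {
      type = types.str;
      example = "192.168.0.1";
      description = ''
        Host IP Address.
      '';
    };

    gateway = mkOption {
      type = types.str;
      example = "192.168.0.1";
      description = ''
        IP of gateway.
      '';
    };

    netmask = mkOption {
      type = types.str;
      # A netmask, not a host address (the previous example reused the
      # gateway address here).
      example = "255.255.255.0";
      description = ''
        Netmask of internal network.
      '';
    };

    sshPort = mkOption {
      # Any valid TCP port; the check rejects 0 and anything above 65535.
      type = types.addCheck types.int (n: n > 0 && n < 65536);
      default = 2222;
      description = ''
        SSH Port of the dropbear daemon. Should be different from default SSH
        port to prevent known hosts collisions.
      '';
    };
  };

  config = mkIf cfg.enable {
    boot.initrd.network = {
      enable = true;

      ssh = {
        enable = true;
        port = cfg.sshPort;

        # Every user that is a member of `wheel` may log into the initrd and
        # unlock the root filesystem; only `openssh.authorizedKeys.keys` is
        # collected here (keys supplied through `keyFiles`, if any, are not
        # picked up — extend this if such users exist).
        authorizedKeys = concatLists (mapAttrsToList
          (name: user:
            if elem "wheel" user.extraGroups
            then user.openssh.authorizedKeys.keys
            else [ ])
          config.users.users);

        # Dedicated initrd host keys, kept separate from the system sshd keys.
        # Generate them with
        #   dropbearkey -t rsa   -f /boot/dropbear_rsa_host_key
        #   dropbearkey -t ecdsa -f /boot/dropbear_ecdsa_host_key
        # NOTE(review): on NixOS releases that provide these options the key
        # file is copied into the initrd (and, unless the bootloader supports
        # initrd secrets, into the world-readable Nix store) — confirm for the
        # release in use and never point these at the regular sshd host keys.
        hostRSAKey = /boot/dropbear_rsa_host_key;
        hostECDSAKey = /boot/dropbear_ecdsa_host_key;
      };

      # Prompt for the LUKS passphrase as soon as an operator logs in.
      postCommands = ''
        echo 'cryptsetup-askpass' >> /root/.profile
      '';
    };

    # Static IP configuration for the initrd, in the kernel's
    # ip=<client>:<server>:<gw>:<netmask>:<hostname>:<device>:<autoconf> form;
    # see https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt
    boot.kernelParams = [
      "ip=${cfg.ip}::${cfg.gateway}:${cfg.netmask}:${config.networking.hostName}:${cfg.interface}:none"
    ];

    # Drop the initrd network configuration so stage 2 can bring the
    # interface up from scratch with the regular networking settings.
    boot.initrd.postMountCommands = ''
      ip link set ${cfg.interface} down
    '';
  };
}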