{ hostName, config, pkgs, lib, ... }:

with lib;

{
  imports = [ ./module.nix ];

  config = {
    boot.initrd = {
      network = {
        enable = true;
        ssh = {
          enable = true;
          hostKeys = [ "/etc/ssh/ssh_host_ed25519_key" "/etc/ssh/ssh_host_rsa_key" ];
          authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys ++ map (kF: builtins.readFile kF) config.users.users.root.openssh.authorizedKeys.keyFiles;
        };
      };

      secrets = with config.sops.secrets; {
        "/etc/ssh/ssh_host_ed25519_key" = initrd_ssh_host_ed25519_key.path;
        "/etc/ssh/ssh_host_rsa_key" = initrd_ssh_host_rsa_key.path;
      };

      extraFiles = let
        mkPubkey = typ: pkgs.runCommand "ssh_host_${typ}_key.pub" { buildInputs = with pkgs; [ yq ]; } ''
          yq -r '.${typ}' ${./host-keys + "/${hostName}-public.yaml"} > $out
        '';
      in {
        "/etc/ssh/ssh_host_rsa_key.pub".source = mkPubkey "rsa";
        "/etc/ssh/ssh_host_ed25519_key.pub".source = mkPubkey "ed25519";
      };
    };

    sops.secrets = {
      initrd_ssh_host_rsa_key = {
          key = "rsa";
          sopsFile = ./host-keys + "/${hostName}-private.yaml";
      };
      initrd_ssh_host_ed25519_key = {
          key = "ed25519";
          sopsFile = ./host-keys + "/${hostName}-private.yaml";
      };
    };
  };
}