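# Open a LUKS volume whose header is stored as a file on the (unencrypted)
# /boot filesystem instead of at the start of the encrypted device.
#
# Scripted stage-1 only: every hook used below (preDeviceCommands,
# luks.devices.<name>.preOpenCommands / postOpenCommands) is ignored by the
# systemd initrd, so the module asserts against it rather than silently
# producing a system whose header is never mounted.
#
# How the header becomes visible to cryptsetup:
#   1. preDeviceCommands creates an empty placeholder at the header path so
#      stage-1's existence check on `luks.devices.<name>.header` (which runs
#      before preOpenCommands) does not abort.
#   2. preOpenCommands mounts /boot read-only on /initrd-boot, shadowing the
#      placeholder with the real header file.
#   3. postOpenCommands (mkBefore) unmounts /boot again so nothing later in
#      stage-1 sees it mounted.
#
# NOTE(review): the header sits on an unencrypted partition and is readable
# by anyone with the disk; this layout gives ordinary LUKS passphrase
# protection, not deniability.
{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.local.boot.detachedLuks;

  # Where /boot is mounted inside stage-1 while the header is read.
  bootMountPoint = "/initrd-boot";

  # Absolute path of the header as cryptsetup sees it in stage-1.
  headerPath = "${bootMountPoint}/${cfg.headerFromBoot}";
in
{
  options.local.boot.detachedLuks = {
    enable = mkEnableOption "detached LUKS header in initrd";

    headerFromBoot = mkOption {
      type = types.str;
      description = ''
        Path of the detached LUKS header file, relative to the root of the
        filesystem mounted at /boot (no leading slash).
      '';
    };

    crypt = mkOption {
      type = types.str;
      description = "Block device holding the encrypted payload (the device whose header was detached).";
    };

    target = mkOption {
      type = types.str;
      description = "Mapper name for the opened volume; it appears as /dev/mapper/<target>.";
    };
  };

  config = mkIf cfg.enable {
    assertions = [
      {
        assertion = !config.boot.initrd.systemd.enable;
        message = "local.boot.detachedLuks relies on scripted stage-1 hooks and does not support boot.initrd.systemd.enable.";
      }
    ];

    boot.initrd = {
      preDeviceCommands =
        let
          headerPathEscaped = escapeShellArg headerPath;
        in ''
          # Placeholder so stage-1's "header exists" check passes; the real
          # file is mounted over it in preOpenCommands.
          mkdir -p "$(dirname ${headerPathEscaped})"
          touch ${headerPathEscaped}
        '';

      # Set the system time from the hardware clock to work around a bug in
      # qemu-kvm > 1.5.2 (where the VM clock is initialised to the *boot
      # time* of the host).  Unrelated to the header handling above.
      postDeviceCommands = mkIf (!config.boot.initrd.systemd.enable) ''
        hwclock -s
      '';

      # FIXME: crude.  Presumably gives a removable ESP a moment to
      # enumerate before stage-1 looks for devices; a proper device wait
      # would be the right fix.
      preLVMCommands = optionalString
        (config.local.boot.efi.enable && config.local.boot.efi.removable) ''
          sleep 2
        '';

      luks.devices.${cfg.target} = {
        device = cfg.crypt;
        header = headerPath;
        # /boot must be mountable first, so open after the device scan, not
        # in the pre-LVM phase.
        preLVM = false;

        preOpenCommands =
          let
            boot = config.fileSystems."/boot";
          in ''
            # Read-only: stage-1 must never write to the ESP.  Abort loudly on
            # failure; otherwise cryptsetup would be handed the empty
            # placeholder instead of a header.
            mount -o ro -t ${escapeShellArg boot.fsType} ${escapeShellArg boot.device} ${escapeShellArg bootMountPoint} \
              || die "detachedLuks: mounting /boot on ${bootMountPoint} failed; cannot read the LUKS header"
          '';

        # Run before any other postOpenCommands so /boot is released as soon
        # as the volume is open.
        postOpenCommands = mkBefore ''
          umount ${escapeShellArg bootMountPoint}
        '';
      };
    };

    # Hand the opened mapper device to the rest of the local boot stack.
    local.boot.stack = {
      btrfsToplevelMultidrive.toplevel.device = "/dev/mapper/${cfg.target}";
      luksExt4FscryptImpermanence = { inherit (cfg) target; };
    };
  };
}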