{
  config,
  lib,
  pkgs,
  ...
}:
with lib; let
  cfg = config.local.boot.fscrypt;
in {
  options.local.boot.fscrypt = {
    enable = mkEnableOption "fscrypt support";
  };

  config = mkIf cfg.enable {
    environment.systemPackages = [
      pkgs.fscryptctl
      pkgs.fscrypt-experimental
    ];

    local.boot.impermanence = {
      directories = [
        {
          directory = "/.fscrypt";
          mode = "u=rwx,g=rx,o=rx";
        }
      ];

      files = [
        "/etc/fscrypt.conf"
      ];
    };
  };
}