{
  config,
  lib,
  pkgs,
  ...
}:
with lib; let
  cfg = config.local.boot.stack.luksExt4FscryptImpermanence;
in {
  options.local.boot.stack.luksExt4FscryptImpermanence = {
    enable = mkEnableOption "filesystem stack: whatever LUKS approach+ext4+impermanence with per-boot keys";

    target = mkOption {
      type = types.str;
    };

    persistInToplevel = mkOption {
      type = types.bool;
      default = true;
    };
  };

  # - boot device
  #   - some unknown fs, probably vfat
  #     - detached luks header file
  #
  # - toplevel device
  #   - headerless luks
  #     - /toplevel (ext4)
  #       - /toplevel/nix (if !cfg.persistInToplevel)
  #       - /toplevel/persist (if cfg.persistInToplevel)
  #         - /toplevel/persist/nix
  #       - /toplevel/boot-archive.pub
  #       - /toplevel/boot-keys
  #         - /toplevel/boot-keys/2000-01-01T00:00:00-06:00.key.age (encrypted for /toplevel/boot-archive.pub)
  #         - /toplevel/boot-keys/...
  #         - /toplevel/boot-keys/last.key.age -> 2000-01-01T00:00:00-06:00.key.age
  #       - /toplevel/boots
  #         - /toplevel/boots/2000-01-01T00:00:00-06:00 (raw protector in last.key.age)
  #         - /toplevel/boots/...
  #         - /toplevel/boots/last -> 2000-01-01T00:00:00-06:00 (mounted as /)
  config = mkIf cfg.enable {
    boot.initrd.luks.devices.${cfg.target}.postOpenCommands = let
      fscryptctl = "${pkgs.fscryptctl}/bin/fscryptctl";
    in ''
      # FIXME: posiblemente algunos --make-* son innecesarios a partir de aquí
      mkdir -p /mnt-root /mnt-toplevel
      mount -o noatime /dev/mapper/${cfg.target} /mnt-toplevel
      mount --make-private /mnt-toplevel

      boot_stamp="$(date -Is)"
      root_from_toplevel="/mnt-toplevel/boots/$boot_stamp"

      mkdir -p "$root_from_toplevel" /mnt-toplevel/boot-keys
      chmod 700 /mnt-toplevel/boot-keys

      head -c64 /dev/urandom >/boot-key
      key_id=$(${fscryptctl} add_key /mnt-toplevel </boot-key)
      ${fscryptctl} set_policy "$key_id" "$root_from_toplevel"
      (umask 077; test -f /mnt-toplevel/boot-archive.pub && \
        ${getExe pkgs.rage} -ae \
          -R /mnt-toplevel/boot-archive.pub \
          -o "/mnt-toplevel/boot-keys/$boot_stamp.key.age" \
          /boot-key)
      rm -f /boot-key

      ln -Tsf "$boot_stamp" /mnt-toplevel/boots/last
      ln -Tsf "$boot_stamp.key.age" /mnt-toplevel/boot-keys/last.key.age

      mount --bind "$root_from_toplevel" /mnt-root
      mount --make-shared /mnt-root

      # mount --move es mala idea, ya que "moving a mount residing under a
      # shared mount is unsupported"
      mkdir -p /mnt-root/toplevel
      mount --bind /mnt-toplevel /mnt-root/toplevel
      mount --make-private /mnt-root/toplevel
      umount /mnt-toplevel
    '';

    fileSystems =
      {
        "/" = {
          device = "none";
          fsType = "ext4";
          options = ["remount"];
        };

        "/nix" = {
          device =
            if cfg.persistInToplevel
            then "/persist/nix"
            else "/toplevel/nix";
          options = ["bind"];
        };
      }
      // optionalAttrs cfg.persistInToplevel {
        "/persist" = {
          device = "/toplevel/persist";
          options = ["bind"];
          neededForBoot = true;
        };
      };

    local.boot = {
      fscrypt.enable = true;
      impermanence = {
        enable = true;
        trust.path = "/toplevel/trust";
      };
    };
  };
}