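{ pkgs, config, lib, ... }:

let
  cfg = config.my.system.boot;
in
{
  # Boot setup: systemd-boot on UEFI, latest kernel, tmpfs-backed /tmp, and an
  # optional SSH server inside the initrd so the LUKS device "system" can be
  # unlocked remotely.
  options.my.system.boot = with lib; {
    tmp = {
      # mkEnableOption prefixes "Whether to enable ", so the text is a noun phrase
      # (the original wording produced "Whether to enable clean `/tmp` on boot..").
      clean = mkEnableOption "cleaning of `/tmp` on boot";
    };

    initrd = {
      network = {
        enable = mkEnableOption "an SSH server in the initrd for remote LUKS unlocking";

        # Host keys copied into the initrd. Exposed as an option so a dedicated
        # key pair can be used instead of the main system's host keys: the initrd
        # is stored on the unencrypted ESP (systemd-boot/UEFI below), so whatever
        # key is listed here is readable from the disk while the LUKS volume is
        # still locked. The default preserves the previous behaviour (reusing the
        # system host keys); the NixOS description of
        # boot.initrd.network.ssh.hostKeys advises against doing that.
        hostKeys = mkOption {
          type = types.listOf (types.either types.path types.str);
          default = [
            /etc/ssh/ssh_host_ed25519_key
            /etc/ssh/ssh_host_rsa_key
          ];
          # Constructed placeholder path, not a real location in this repository.
          example = [ "/path/to/initrd-only/ssh_host_ed25519_key" ];
          description = "SSH host keys used by the initrd SSH server. Prefer a key pair generated only for the initrd over the system's own host keys.";
        };
      };
    };
  };

  config = {
    boot = {
      loader = {
        # Use the systemd-boot EFI boot loader.
        systemd-boot.enable = true;
        # Prohibits gaining root access by passing init=/bin/sh as a kernel parameter.
        # This disables only the boot-menu editor; the kernel and initrd on the
        # unencrypted ESP are still replaceable by anyone with write access to the disk.
        systemd-boot.editor = false;
        efi.canTouchEfiVariables = true;
      };

      kernelPackages = pkgs.linuxPackages_latest;

      # /tmp is a tmpfs, so it is empty after every reboot regardless of
      # cleanTmpDir; the option only matters if tmpOnTmpfs is ever turned off.
      # NOTE(review): newer NixOS releases name these boot.tmp.cleanOnBoot and
      # boot.tmp.useTmpfs — confirm against the release this configuration pins.
      cleanTmpDir = cfg.tmp.clean;
      tmpOnTmpfs = true;

      initrd = {
        # Passes TRIM through the encryption layer. Trade-off: discard exposes
        # which blocks of the encrypted device are unused (see cryptsetup(8),
        # --allow-discards).
        luks.devices."system".allowDiscards = true;

        network = lib.mkIf cfg.initrd.network.enable {
          enable = true;
          # A login over the initrd SSH server runs cryptsetup-askpass and then
          # exits, so the session does nothing beyond taking the passphrase.
          postCommands = ''
            echo "cryptsetup-askpass; exit" > /root/.profile
          '';
          ssh = {
            enable = true;
            port = 2222;
            hostKeys = cfg.initrd.network.hostKeys;
            authorizedKeys = config.users.users.fcuny.openssh.authorizedKeys.keys;
          };
        };
      };
    };
  };
}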