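{ config, lib, pkgs, ... }:
with lib;
let
  cfg = config.nix-plugins;
in
{
  # Module wiring nix-plugins' extra-builtins.nix to small shell wrappers
  # (pass, git) that Nix calls through the `exec` builtin at evaluation time.
  options.nix-plugins = {
    enable = lib.mkEnableOption "nix-plugins";

    extra-builtins = mkOption {
      type = types.lines;
      # Each builtin is a Nix function whose body shells out via `exec`;
      # the wrapper's stdout is parsed back as a Nix expression.
      default = ''
        pass = path: exec [ "${config.nix-plugins.nix-pass}/bin/nix-pass" path ];
        pass-to-file = path: file: exec [ "${config.nix-plugins.nix-pass-to-file}/bin/nix-pass-to-file" path file ];
        git = dir: args: exec ([ "${config.nix-plugins.nix-git}/bin/nix-git" (builtins.toPath dir) ] ++ args);
        git-time = dir: path: exec [ "${config.nix-plugins.nix-git}/bin/nix-git" (builtins.toPath dir) "log" "-1" "--format=%ct" "--" path ];
      '';
      description = ''
        Content put in extra-builtins.nix for nix-plugins.
      '';
      # Wrap the user-supplied lines in the attribute-set function nix-plugins
      # expects; `exec` is the only argument the generated file uses.
      apply = lines: pkgs.writeText "extra-builtins.nix" (''
        { exec, ... }:
        {
      '' + lines + ''
        }
      '');
    };

    nix-with-extra-builtins = mkOption {
      type = types.str;
      apply = pkgs.writeShellScriptBin "nix-with-extra-builtins";
      # All remaining arguments are forwarded verbatim to nix ("$@" stays quoted).
      default = ''
        ${pkgs.nix}/bin/nix \
          --option plugin-files ${pkgs.nix-plugins}/lib/nix/plugins/libnix-extra-builtins.so \
          --option extra-builtins-file ${cfg.extra-builtins} \
          "$@"
      '';
      description = ''
        Wrapper around nix to load extra-builtins.nix with nix-plugins.
      '';
    };

    nix-pass = mkOption {
      type = types.str;
      apply = pkgs.writeShellScriptBin "nix-pass";
      # The secret is staged in a mktemp file (created 0600) and turned into a
      # Nix string literal by nix-instantiate; the plaintext therefore ends up
      # as a Nix string value, which is copied into the world-readable store if
      # it is ever interpolated into a derivation. `shred` is best-effort only
      # on tmpfs or journaling filesystems. nix-instantiate is taken from
      # ${pkgs.nix} rather than PATH so the wrapper does not depend on the
      # caller's environment.
      default = ''
        set -e
        f=$(mktemp)
        trap "shred -u $f" EXIT
        ${pkgs.pass}/bin/pass show "$1" >$f
        ${pkgs.nix}/bin/nix-instantiate --eval -E "builtins.readFile $f"
      '';
      /* nix-store --add $f */
      /* set -o pipefail
         ${pkgs.pass}/bin/pass show "$1" | ${pkgs.gnused}/bin/sed \
           -e 's:\n:\\n:g;s:\r:\\r:g;s:\t:\\t:g;s:":\\":g;1s:^:":;$s:$:":;' */
      description = ''
        Wrapper around pass to call it with exec in extra-builtins.nix.
        Unfortunately it can only load secrets which can be represented as a
        Nix string, hence without null-byte and such special characters.
      '';
    };

    nix-pass-to-file = mkOption {
      type = types.str;
      apply = pkgs.writeShellScriptBin "nix-pass-to-file";
      # Writes the secret to "$2" with mode 0400 and prints the absolute path
      # of that file, which `exec` parses as a Nix path. $PWD is only prepended
      # when "$2" is relative; the old unconditional "$PWD/$2" produced a
      # malformed path for absolute targets.
      default = ''
        set -e
        set -o pipefail
        ${pkgs.pass}/bin/pass show "$1" | install -D -m 400 /dev/stdin "$2"
        case "$2" in
          /*) printf '%s\n' "$2" ;;
          *) printf '%s\n' "$PWD/$2" ;;
        esac
      '';
      description = ''
        Wrapper around pass to call it with exec in extra-builtins.nix
        and put the output in a file.
        Needed for boot.initrd.network.ssh.host*Key.
      '';
    };

    nix-git = mkOption {
      type = types.str;
      apply = pkgs.writeShellScriptBin "nix-git";
      # Abort if the directory cannot be entered: without the `|| exit 1` a
      # failed cd silently ran git (and git-time) in the caller's cwd, i.e.
      # against the wrong repository. `--` keeps a directory name starting
      # with `-` from being read as an option.
      default = ''
        cd -- "$1" || exit 1
        shift
        exec ${pkgs.git}/bin/git "$@"
      '';
      description = ''
        Wrapper around git to call it with exec in extra-builtins.nix.
      '';
    };
  };
}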