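{ pkgs, lib, config, machineName, ... }:
# Installer-side provisioning of this machine's GnuPG material. During the
# `installer.ssh-nixos` run it pushes, over the installer's SSH session:
#   1. the initrd's SSH host key (to /root/<initrdKey>),
#   2. the root secret subkeys (imported into the target's /var/lib/gnupg),
#   3. the passphrase of those subkeys (preset into the target's gpg-agent).
# Everything leaves the installer host only through the SSH channel; nothing
# is written to disk unencrypted on the installer side.
let
  inherit (config.security) gnupg;

  # Encrypted files read from `gnupg.store`, relative paths:
  #   <rootKey>.pass.gpg   - passphrase protecting the root secret subkeys
  #   <initrdKey>.gpg      - initrd SSH host key
  rootKey = "root/key";
  initrdKey = "initrd/ssh.key";

  # Keygrip of the secret subkey whose passphrase is preset into the target's
  # gpg-agent (value taken from the existing configuration).
  keygrip = "9AA84E6F6D71F9163C46BF396B141A0806219077";

  # `builtins.getEnv` returns "" when the variable is unset (or under pure
  # evaluation). Fail at evaluation time instead of silently resolving the
  # store to the absolute path "/machines/<machineName>".
  passwordStoreDir = builtins.getEnv "PASSWORD_STORE_DIR";
  passwordStore =
    if passwordStoreDir == ""
    then throw "PASSWORD_STORE_DIR must be set (impure evaluation) to locate the GnuPG store of ${machineName}"
    else passwordStoreDir;

  # Remote host the installer talks to; `installer.ssh-nixos` appears to be a
  # project-defined option (not a nixpkgs one) -- confirm in its module.
  target = config.installer.ssh-nixos.target;

  # Options shared by the gpg invocations run on the target. `--no-autostart`
  # means an agent for /var/lib/gnupg must already be running there.
  remoteGpg = "gpg --homedir /var/lib/gnupg --no-autostart --batch --pinentry-mode loopback";

  # Socket directory gpg derives for the non-default homedir /var/lib/gnupg
  # on the target (value taken from the existing configuration).
  remoteSocketDir = "/run/user/0/gnupg/d.6qoenf9br6fajbkknuz1i6ts";
in
{
  imports = [ ];

  security.gnupg.store = "${passwordStore}/machines/${machineName}";

  # Allow a newly forwarded Unix socket to replace a stale one of the same
  # name; only relevant if the commented-out `-R` agent forwarding below is
  # re-enabled.
  services.openssh.extraConfig = ''
    StreamLocalBindUnlink yes
  '';

  installer.ssh-nixos = {
    PATH = [ pkgs.gnupg pkgs.openssh ];
    sshFlags = [
      #"-R" "/var/lib/gnupg/S.gpg-agent.extra:/run/user/1000/gnupg/d.w1sj57hx3zfcwadyxpr6wko9/S.gpg-agent.extra"
      #"-o" "StreamLocalBindUnlink=yes"
    ];
    # Both parts are `mkBefore` so they run ahead of the rest of the installer
    # script; among equal priorities the list order is kept.
    script = lib.mkMerge [
      (lib.mkBefore ''
        # Send the SSH host key of the initrd. The key is decrypted locally
        # (through the installer's own gpg-agent/pinentry) and written on the
        # target from stdin, readable by root only.
        gpg --decrypt '${gnupg.store}/${initrdKey}.gpg' |
        ssh '${target}' \
          install -D -m 400 -o root -g root /dev/stdin /root/${initrdKey}
      '')
      (lib.mkBefore ''
        # Send the root secret subkeys. The decrypted passphrase is fed on fd 0
        # to the local export (loopback pinentry), and the exported, still
        # passphrase-protected subkeys are streamed to the target's import.
        # '&&' is single-quoted so the target's shell, not the local one,
        # evaluates it.
        # NOTE(review): mode 640 on a directory omits the search bit; root is
        # not affected by it, but confirm this is intended.
        gpg --decrypt '${gnupg.store}/${rootKey}.pass.gpg' |
        gpg --batch --pinentry-mode loopback --passphrase-fd 0 --export-secret-subkeys @root@${machineName} |
        ssh '${target}' \
          install -D -d -m 640 ${remoteSocketDir} '&&' \
          ${remoteGpg} --import ||
        echo "warning: importing the root subkeys on ${target} failed" >&2

        # Send the rootKey's passphrase. It is preset into the target's
        # gpg-agent cache by keygrip, so anyone with root on the target can use
        # the subkey without the passphrase until the cache expires. This
        # needs `allow-preset-passphrase` in the target's gpg-agent.conf --
        # not visible here, confirm.
        # Failures stay best-effort but are reported instead of swallowed.
        gpg --decrypt '${gnupg.store}/${rootKey}.pass.gpg' |
        ssh '${target}' \
          install -D -d -m 640 ${remoteSocketDir} '&&' \
          gpg-preset-passphrase \
            --homedir /var/lib/gnupg \
            --preset ${keygrip} ||
        echo "warning: presetting the root subkey passphrase on ${target} failed" >&2
      '')
    ];
    /* Superseded variant, kept for reference:
    # Send the rootKey
    gpg --decrypt '${gnupg.store}/${rootKey}.pass.gpg' |
    gpg --batch --pinentry-mode loopback --passphrase-fd 0 --export-secret-subkeys @root@${machineName} |
    ssh '${config.installer.ssh-nixos.target}' \
      gpg --homedir /var/lib/gnupg --no-autostart --batch --pinentry-mode loopback --import
    gpg --batch --export @root@${machineName} |
    ssh '${config.installer.ssh-nixos.target}' \
      gpg --no-autostart --homedir /var/lib/gnupg --no-autostart --batch --pinentry-mode loopback --import
    */
  };

  # The initrd's SSH daemon uses the host key pushed by the first script part.
  boot.initrd.network.ssh.hostKeys = [ "/root/${initrdKey}" ];
}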