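# shell.nix for the sourcephile-nix repository.
#
# Builds a development shell from:
#   - the reusable modules under shell/modules/ (evaluated with lib.evalModules),
#   - the repository-specific `shellConfig` below (gnupg, openssh, nix.conf),
#   - a small helper script that shreds sec/tmp when the shell is entered.
#
# Takes the flake `inputs` and a `pkgs` set; returns a pkgs.mkShell derivation.
{ inputs, pkgs, ... }:
let
  # Configuration of shell/modules/
  # to expand shellHook and buildInputs of this shell.nix
  shellConfig = { config, ... }: {
    imports = [
      shell/gnupg.nix
    ];
    nix = {
      # Extra lines appended to the shell's nix.conf.
      # nix.conf settings are written `name = value`, and the flakes
      # experimental feature is spelled "flakes" (the previous
      # `experimental-features nix-command flake` line was not a valid setting).
      nixConf = ''
        auto-optimise-store = true
        experimental-features = nix-command flakes
      '';
    };
    gnupg = {
      enable = true;
      # Keyring lives in the (git-managed) secrets tree next to this checkout,
      # not in the Nix store; path is relative to the shell's working directory.
      gnupgHome = "../sec/gnupg";
      gpgExtraConf = ''
        # julm@sourcephile.fr
        trusted-key 0xB2450D97085B7B8C
      '';
      # All gpg-agent options below are commented out and kept as a reminder;
      # allow-loopback-pinentry in particular weakens the passphrase prompt
      # isolation, so leave it disabled unless a non-interactive caller needs it.
      gpgAgentExtraConf = ''
        #pretend-request-origin remote
        #extra-socket ${toString ./.}/S.gpg-agent.extra
        #log-file ${toString ./.}/gpg-agent.log
        #no-grab
        #debug-level expert
        #allow-loopback-pinentry
      '';
    };
    /*
    openssl = {
      enable = true;
      opensslHome = "../sec/openssl";
      certificates = import shell/x509.nix;
    };
    */
    openssh = {
      enable = true;
      # Client configuration: AEAD/CTR ciphers only, multiplexed connections,
      # and strict host-key checking against a pinned known_hosts file.
      # NOTE(review): ControlPath is relative to the directory ssh is run from,
      # so the multiplexing socket lands in the working tree; make sure that
      # pattern is ignored by git.
      # NOTE(review): interpolating a Nix path into a string copies it into the
      # world-readable Nix store; harmless for known_hosts, but do not do the
      # same for other files under inputs.secrets.
      sshConf = ''
        Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr
        Compression no
        #CompressionLevel 4
        ControlMaster auto
        ControlPath .ssh-%h-%p-%r.socket
        HashKnownHosts no
        #SSAPIAuthentication no
        SendEnv LANG LC_*
        StrictHostKeyChecking yes
        UserKnownHostsFile ${inputs.secrets + "/ssh/known_hosts"}
      '';
    };
    virtualbox = {
      enable = false;
    };
  };

  # Using modules enables to separate specific configurations
  # from reusable code in shell/modules.nix and shell/modules/
  # which may find its way in another git repository one day.
  shell = (pkgs.lib.evalModules {
    modules =
      [ shellConfig ]
      ++ map import (pkgs.lib.findFiles ".*\\.nix" (inputs.shell + "/modules"));
    args = { inherit inputs pkgs; };
  }).config;

  # Absolute path of this checkout as a plain string: `toString` keeps it
  # from being copied into the Nix store when it is interpolated below.
  pwd = toString (./. + "");

  # Removes sec/tmp, overwriting regular files first.
  # `shred` only guarantees overwriting in place on filesystems that write in
  # place; on copy-on-write or journaled filesystems (ZFS is in this shell's
  # tool list) it is best-effort, so do not rely on it for data at rest.
  sourcephile-shred-tmp = pkgs.writeShellScriptBin "sourcephile-shred-tmp" ''
    # This is done when entering the nix-shell
    # because direnv already hooks trap EXIT.
    # writeShellScriptBin does not enable `set -e`, so bail out explicitly
    # if the cd fails: the relative rm -rf below must never run elsewhere.
    cd "${pwd}" || exit 1
    test ! -e sec/tmp || {
      find sec/tmp -type f -exec shred -fu {} +
      rm -rf sec/tmp
    }
  '';
in
pkgs.mkShell {
  name = "sourcephile-nix";
  src = null;
  #preferLocalBuild = true;
  #allowSubstitutes = false;
  buildInputs =
    shell.nix-shell.buildInputs
    ++ [
      sourcephile-shred-tmp
      (pkgs.nixos []).nixos-generate-config
      (pkgs.nixos []).nixos-install
      (pkgs.nixos []).nixos-enter
      #pkgs.binutils
      pkgs.coreutils
      pkgs.cryptsetup
      pkgs.curl
      #pkgs.direnv
      pkgs.dnsutils
      #pkgs.dropbear
      pkgs.e2fsprogs
      pkgs.git
      pkgs.glibcLocales
      pkgs.gnumake
      pkgs.gnupg
      pkgs.htop
      #pkgs.inetutils
      pkgs.ipcalc
      #pkgs.iputils
      pkgs.less
      pkgs.libfaketime
      pkgs.ldns
      #pkgs.ldns.examples
      #pkgs.mailutils
      pkgs.man
      pkgs.mdadm
      pkgs.gptfdisk
      pkgs.ncdu
      pkgs.ncurses
      #pkgs.nixops
      #pkgs.openssl
      pkgs.pass
      pkgs.procps
      pkgs.rsync
      #pkgs.rxvt_unicode.terminfo
      #pkgs.sqlite
      pkgs.sqlite
      #pkgs.sudo
      pkgs.tig
      pkgs.time
      #pkgs.tmux
      pkgs.tree
      pkgs.utillinux # listed once; the duplicate entry further down was dropped
      #pkgs.vim
      #pkgs.virtualbox
      pkgs.which
      pkgs.xdg_utils
      pkgs.zfs
      pkgs.fio
      pkgs.strace
      #pkgs.zfstools
      pkgs.linuxPackages.perf
      #pkgs.go2nix
      pkgs.wireguard
      pkgs.stun
      pkgs.mkpasswd
    ];
  #enableParallelBuilding = true;
  # Relative to the shell's working directory, like gnupgHome above.
  PASSWORD_STORE_DIR = "pass";
  # Literal string: the shell expands $NIX_SHELL_PATH/$PATH at runtime.
  PATH = "$NIX_SHELL_PATH:$PATH";
  NIX_PATH = pkgs.lib.concatStringsSep ":" [
    "nixpkgs=${pkgs.path}"
    "nixpkgs-overlays=${inputs.self + "/nixpkgs/overlays.nix"}"
  ];
  shellHook = ''
    echo >&2 "nix: running shellHook"
    # Since the .envrc calls this shellHook
    # the EXIT trap cannot be freely used
    # because it's already used by direnv,
    # hence shred at startup, which is not ideal.
    sourcephile-shred-tmp
    ${shell.nix-shell.shellHook}
    # gpg
    export GPG_TTY=$(tty)
    gpg-connect-agent updatestartuptty /bye >/dev/null
  '';
}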