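{ pkgs, lib, config, ... }:
let
  inherit (config.security) pass;

  # Names of the two secrets handled by this module, relative to the pass store.
  rootKey = "root/key";         # root's gnupg secret key (kept gpg-encrypted in the store)
  initrdKey = "initrd/ssh.key"; # SSH host key handed to the initrd's sshd

  # The pass secret that holds the decrypted rootKey at runtime.
  rootKeySecret = pass.secrets."${rootKey}";

  # Host provisioned by the install script (which runs on the admin machine).
  target = config.install.ssh-nixos.target;
in {
  imports = [ ];

  security.pass = {
    store = ../../../sec/pass/machines/losurdo;
    secrets."${rootKey}" = {
      gpg = ../../../sec/gnupg/machines/losurdo/root/key.gpg;
      # Symmetrically decrypt and load the rootKey into root's gnupg secret keyring.
      # The passphrase is read from /root/key.pass (placed there by install.ssh-nixos
      # below), so `set -x` traces only file paths, never the passphrase itself.
      # The decrypted key file is shredded unconditionally afterwards, so it does
      # not outlive this hook even when the import fails.
      postStart = ''
        set -x
        ${pkgs.gnupg}/bin/gpg --batch --pinentry-mode loopback \
          --passphrase-file /${rootKey}.pass \
          --import '${rootKeySecret.path}'
        shred -u '${rootKeySecret.path}'
      '';
    };
  };

  install.ssh-nixos = {
    PATH = with pkgs; [gnupg openssh];
    # Decrypt the rootKey passphrase and the initrd SSH host key on the admin
    # machine and stream them to the target host, never writing plaintext to
    # local disk. Each pipeline runs with pipefail in a subshell so that a failed
    # `gpg --decrypt` aborts the install instead of letting `install` silently
    # create an empty (or truncated) file on the target; the subshell keeps the
    # pipefail setting from leaking into the rest of the install script.
    script = lib.mkBefore ''
      sendSecret() {
        # $1: gpg-encrypted file in the pass store; $2: absolute destination on the target.
        ( set -o pipefail
          gpg --decrypt "$1" |
          ssh 'root@${target}' install -D -m 400 -o root -g root /dev/stdin "$2"
        ) || { echo "sendSecret: failed to transfer $1 to ${target}:$2" >&2; exit 1; }
      }
      sendSecret '${pass.store}/${rootKey}.pass.gpg' /${rootKey}.pass
      sendSecret '${pass.store}/${initrdKey}.gpg' /root/${initrdKey}
    '';
  };

  # Must match the destination used by sendSecret above.
  boot.initrd.network.ssh.hostKeys = [ "/root/${initrdKey}" ];

  # Start the rootKey service before the other services decrypting secrets
  # (they presumably need the imported key to decrypt — see the postStart hook).
  # The rootKey service itself receives no extra ordering.
  systemd.services = lib.mapAttrs' (name: secret:
    lib.nameValuePair (lib.removeSuffix ".service" secret.service)
      (lib.optionalAttrs (name != rootKey) {
        after = [ rootKeySecret.service ];
        wants = [ rootKeySecret.service ];
      })
  ) pass.secrets;
}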