{ pkgs, lib, config, ... }:
let cfg = config.nix;
    inherit (lib) types;
    # Alternative which does not need to re-export envvars when called via sudo.
    # But this is maybe more clear to just (re-)export envvars.
    # And anyway, using NIX_CONF_DIR=${cfg.nixConf} directly does not work,
    # maybe because of filesystem restriction access set by nix, I don't know.
    /*
    nix = pkgs.writeShellScriptBin "nix" ''
      NIX_CONF_DIR=${cfg.nixConf} \
      NIX_SSL_CERT_FILE="${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" \
      SSL_CERT_FILE="${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" \
      ${pkgs.nix}/bin/nix "$@"
    '';
    */
in
{
  options.nix = {
    enable = lib.mkEnableOption "nix";
    nixConf = lib.mkOption {
      type = types.lines;
      apply = s: pkgs.writeText "nix.conf" s;
      default = ''
        auto-optimise-store = true
      '';
      description = ''
        Nix's nix.conf content.
      '';
    };
  };
  config = lib.mkIf cfg.enable {
    #nix-shell.buildInputs = [ nix ];
    nix-shell.shellHook = ''
      # nix
      # NOTE: linking NIX_CONF_DIR directly to ${cfg.nixConf} does not work.
      mkdir -p "$PWD"/.config/nix
      ln -fns ${cfg.nixConf} "$PWD"/.config/nix/nix.conf
      export NIX_CONF_DIR="$PWD"/.config/nix
      export NIX_SSL_CERT_FILE="${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
      export SSL_CERT_FILE="${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
    '';
  };
}