# NixOS module for a host whose root filesystem is wiped on every boot:
# when "/" is on ZFS, the initrd rolls the root dataset back to its `@blank`
# snapshot, and state that must survive (SSH host keys, the PostgreSQL data
# directory) is pointed at paths under /persist instead.
{ config, lib, pkgs, modules, ... }:

let
  inherit (lib) head mkAfter mkForce mkIf splitString;

  # Device string of the root filesystem; for ZFS this is a dataset name of
  # the form "<pool>/<dataset...>". Evaluated lazily, i.e. only where used.
  rootDevice = config.fileSystems."/".device;

  # The `or` fallback keeps evaluation working when no fsType (or no "/"
  # entry at all) is declared; such hosts simply get no rollback logic.
  rootIsZfs = (config.fileSystems."/".fsType or "notzfs") == "zfs";

  # Selects between the scripted stage-1 initrd and the systemd-based one.
  systemdInitrd = config.boot.initrd.systemd.enable;

  # First path component of the dataset name, i.e. the pool; used to order
  # the rollback after that pool's import unit.
  rootPool = head (splitString "/" rootDevice);
in
{
  # Project-local module handed in through the `modules` argument; its
  # contents are not visible from this file.
  imports = [ modules.bindMounts ];

  # Accounts and passwords come from the NixOS configuration only. With a
  # root that is rolled back on every boot, runtime edits to the account
  # files would not survive anyway.
  users.mutableUsers = false;

  boot.initrd = mkIf rootIsZfs {
    # Host key for the initrd SSH server, used when the project's `encboot`
    # option is enabled. mkForce overrides any other definition of the list.
    # It is a different key file from the runtime sshd host keys configured
    # further down, so the initrd does not carry the machine's regular SSH
    # identity.
    # NOTE(review): this is a Nix path literal, not a string. Confirm that the
    # initrd SSH module treats it as an initrd secret and that the private key
    # is never copied into the world-readable Nix store.
    # NOTE(review): the initrd is commonly stored on an unencrypted boot
    # partition; if that is the case here, treat this key as readable by
    # anyone with access to the disk.
    network.ssh.hostKeys = mkIf config.hacc.encboot.enable
      (mkForce [ /persist/ssh/encboot_host ]);

    # Scripted (non-systemd) initrd: mkAfter places the rollback after the
    # other postDeviceCommands definitions. `-r` also destroys any snapshots
    # taken after `@blank`.
    postDeviceCommands = mkIf (!systemdInitrd)
      (mkAfter ''
        zfs rollback -r ${rootDevice}@blank
      '');

    # systemd initrd: the same rollback as a oneshot unit that runs after the
    # pool import and before the root filesystem is mounted at /sysroot.
    # NOTE(review): `before` is ordering only. Nothing visible here makes
    # sysroot.mount require this unit, so a failed rollback appears to let the
    # boot continue on the previous boot's root state; confirm whether that
    # is acceptable or whether the failure should be surfaced or alerted on.
    systemd = mkIf systemdInitrd {
      # Make the zfs tools available inside the initrd image.
      storePaths = [ pkgs.zfs ];

      services.rollback = {
        description = "Rollback ZFS datasets to a pristine state";
        wantedBy = [ "initrd.target" ];
        after = [ "zfs-import-${rootPool}.service" ];
        before = [ "sysroot.mount" ];
        path = [ pkgs.zfs ];
        # Opt out of the default unit dependencies; ordering is given
        # explicitly through `after` and `before` above.
        unitConfig = { DefaultDependencies = "no"; };
        serviceConfig = { Type = "oneshot"; };
        script = ''
          zfs rollback -r ${rootDevice}@blank && echo "rollback complete"
        '';
      };
    };
  };

  # Runtime sshd host keys are kept under /persist so the host identity
  # survives the rollback. On a wiped root the keys would otherwise be
  # regenerated on each boot and clients would see the host key change every
  # time.
  # NOTE(review): verify that /persist/ssh is readable by root only and that
  # /persist itself is outside the dataset being rolled back.
  services.openssh.hostKeys = [
    {
      type = "ed25519";
      path = "/persist/ssh/ssh_host_ed25519_key";
    }
    {
      type = "rsa";
      bits = 4096;
      path = "/persist/ssh/ssh_host_rsa_key";
    }
  ];

  # Database state also lives under /persist. The directory name includes the
  # PostgreSQL package's schema version, so a different major version gets
  # its own directory.
  services.postgresql.dataDir =
    "/persist/postgresql/${config.services.postgresql.package.psqlSchema}";
}