{
  self,
  config,
  tree,
  lib,
  pkgs,
  ...
}: let
  inherit (lib.modules) mkForce;
  inherit (lib.lists) optionals;

  inherit (pkgs) system;

  driveData = import "${self}/data/drives/encryptedDrive.nix";
in {
  imports = with tree; [
    profiles.sshd
  ];

  boot = {
    loader.supportsInitrdSecrets = true;
    initrd = {
      availableKernelModules =
        [
          "nvme"
          "ahci"
          "ehci_pci"
          "xhci_pci"
          "sd_mod"
          "sr_mod"
          "usbhid"
          "dm_crypt"
          "dm_mod"
          "cryptd"
        ]
        ++ (optionals (system == "x86_64_linux") ["aesni_intel"]);

      secrets = {
        "/ssh_host_ed25519_key" = mkForce "/initrd_ssh_host_ed25519_key";
      };

      luks = {
        forceLuksSupportInInitrd = true;
        devices = {
          "${driveData.mapperName}" = {
            device = "${driveData.encryptedPath}";
            preLVM = false;
            allowDiscards = true;
          };
        };
      };
    };

    initrd.network = {
      enable = true;
      ssh = {
        enable = true;
        port = 22;
        authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
        hostKeys = ["/ssh_host_ed25519_key"];
      };
      postCommands = ''
        echo 'cryptsetup-askpass' >> /root/.profile
      '';
    };
  };

  fileSystems = {
    "/" = {
      device = "${driveData.decryptedPath}";
      fsType = "${driveData.unencryptedFSType}";
    };
    "/boot" = {
      device = "${driveData.bootPath}";
      fsType = "${driveData.bootFSType}";
    };
  };
}