{
  parted,
  cryptsetup,
  e2fsprogs,
  dosfstools,
  writeShellApplication,
}: let
  driveData = import ../data/drives/encryptedDrive.nix;
in (writeShellApplication {
  name = "mk-encrypted-drive";
  runtimeInputs = [
    parted
    cryptsetup
    e2fsprogs
    dosfstools
  ];
  text = ''
    if [ -z "''${BIOS-}" ]; then
      echo "If making a drive for bios then you will need to set BIOS env variable"
    fi

    if [ -z "''${PASSWORD_FILE-}" ]; then
      echo "If the drive is for a encrypted server then password will need to be set with PASSWORD_FILE"
    fi

    if [ -z "''${1-}" ]; then
      echo "Please specify a path to device as first argument"
      exit 1
    fi

    if [ -z "''${2-}" ]; then
      echo "Please specify a path to key file as second argument"
      exit 1
    fi

    DRIVE_PATH=$1
    KEY_FILE=$2

    if echo "$DRIVE_PATH" | grep -q "[0-9]$"; then
        PARTITION_SEPARATOR="p"
    else
        PARTITION_SEPARATOR=""
    fi

    if [ "$EUID" -ne 0 ]; then
      echo "Please run as root"
      exit
    fi

    echo "Creating Partitions..."
    if [ -n "''${BIOS-}" ]; then
      # EFI Install
      parted "$DRIVE_PATH" -- mklabel gpt
      parted "$DRIVE_PATH" -- mkpart ESP fat32 1MiB 512MiB
      parted "$DRIVE_PATH" -- mkpart primary 620MiB -1MiB
      parted "$DRIVE_PATH" -- set 1 esp on
      parted "$DRIVE_PATH" -- name 1 "${driveData.bootLabel}"
      parted "$DRIVE_PATH" -- name 2 "${driveData.encryptedPartLabel}"
    else
      parted "$DRIVE_PATH" -- mklabel gpt
      parted "$DRIVE_PATH" -- mkpart ESP fat32 1MiB 512MiB
      parted "$DRIVE_PATH" -- mkpart primary 620MiB -1MiB
      parted "$DRIVE_PATH" -- set 1 boot on
      parted "$DRIVE_PATH" -- name 1 "${driveData.bootLabel}"
      parted "$DRIVE_PATH" -- name 2 "${driveData.encryptedPartLabel}"
    fi

    echo "Formatting boot partition"
    mkfs.fat -n "${driveData.bootLabel}" "''${DRIVE_PATH}''${PARTITION_SEPARATOR}1"

    echo "Creating Encrypted Partition"
    cryptsetup luksFormat "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" --key-file "$KEY_FILE"
    if [ -n "''${PASSWORD_FILE-}" ]; then
      cryptsetup luksAddKey "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" --key-file "$KEY_FILE" < "$PASSWORD_FILE"
    fi

    echo "Opening Encrypted Partition"
    cryptsetup open "''${DRIVE_PATH}''${PARTITION_SEPARATOR}2" "mk_encrypted_drive" --key-file "$KEY_FILE"

    echo "Formatting Encrypted Root Filesystem"
    mkfs.ext4 -L "${driveData.unencryptedLabel}" /dev/mapper/mk_encrypted_drive

    echo "mount /dev/mapper/mk_encrypted_drive to install"
  '';
})