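# NixOS module: unlock a LUKS device at boot with a key file stored on a
# separate, itself-encrypted volume (e.g. a USB stick) identified by UUID.
#
# Flow in the initrd:
#   1. wait until the key volume with the configured UUID shows up,
#   2. open it with cryptsetup as /dev/mapper/_key,
#   3. mount it read-only on /key,
#   4. point the target LUKS device's keyFile at /key/.keys/<keyname>.
{ config, lib, modulesPath, pkgs, ... }:

let
  cfg = config.usbauth;

  # Shell-quoted once, so the configured UUID reaches findfs as a single
  # literal word and is never re-interpreted by the initrd shell.
  keyVolumeSpec = lib.escapeShellArg "UUID=${cfg.uuid}";
in
{
  imports = [ (modulesPath + "/profiles/all-hardware.nix") ];

  options.usbauth = lib.mkOption {
    description = "USB Auth";
    type = lib.types.submodule {
      # A submodule's `options` must be an attribute set with one mkOption per
      # field; wrapping the whole set in a single mkOption does not declare
      # `device`, `keyname` and `uuid` as options.
      options = {
        device = lib.mkOption {
          type = lib.types.str;
          description = "Name of the boot.initrd.luks.devices entry that is unlocked with the key file.";
        };
        keyname = lib.mkOption {
          type = lib.types.str;
          description = "File name of the key inside /.keys on the key volume.";
        };
        uuid = lib.mkOption {
          type = lib.types.str;
          description = "UUID (as resolved by findfs) of the encrypted volume that holds the key file.";
        };
      };
    };
  };

  config = {
    # Runs before other postDeviceCommands (mkBefore).
    # - The findfs loop has no timeout: boot blocks until the key volume is
    #   attached.
    # - `cryptsetup open` is called without a key file, so it presumably asks
    #   for the key volume's passphrase on the console.
    # - The key volume is mounted read-only.
    # NOTE(review): nothing here unmounts /key or closes the `_key` mapping
    # once the target device is unlocked, so the decrypted key volume stays
    # reachable as /dev/mapper/_key. Consider a later initrd hook that runs
    # `umount /key` and `cryptsetup close _key`.
    boot.initrd.postDeviceCommands = lib.mkBefore ''
      mkdir -m 0755 -p /key
      lsblk -o NAME,UUID
      while ! findfs ${keyVolumeSpec} 2> /dev/null; do sleep 0.1; done
      cryptsetup open "$(findfs ${keyVolumeSpec})" _key
      mount -o ro "/dev/mapper/_key" /key
    '';

    boot.initrd.luks.devices."${cfg.device}" = {
      # Path of the key inside the mounted key volume.
      keyFile = "/key/.keys/${cfg.keyname}";
      preLVM = false;
    };
  };
}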