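# NixOS module: unlock a LUKS volume in stage 1 with a key file kept on a
# separate, LUKS-encrypted USB device.
#
# Flow implemented below:
#   1. wait until a device with UUID `usbauth.uuid` shows up,
#   2. open it as /dev/mapper/_key (no key file is passed to cryptsetup, so it
#      asks for that container's passphrase),
#   3. mount it read-only on /key,
#   4. point boot.initrd.luks.devices.<usbauth.device>.keyFile at
#      /key/.keys/<usbauth.keyname>.
{ config, lib, modulesPath, pkgs, ... }:

let
  cfg = config.usbauth;

  # Shell-quoted "UUID=..." spec for findfs, so an unusual value in the
  # configuration cannot be split or expanded by the initrd shell.
  keyFsSpec = lib.escapeShellArg "UUID=${cfg.uuid}";
in
{
  # NOTE(review): presumably imported so the initrd contains the USB/storage
  # kernel modules needed to see the key device. Confirm; it also enlarges the
  # initrd with drivers for unrelated hardware.
  imports = [ (modulesPath + "/profiles/all-hardware.nix") ];

  options.usbauth = lib.mkOption {
    description = "USB Auth";
    type = lib.types.submodule {
      options = {
        enable = lib.mkOption {
          type = lib.types.bool;
          # Without a default, every configuration importing this module had
          # to define usbauth.enable or evaluation failed.
          default = false;
          description = "Whether to unlock the LUKS device with a key file from the USB key device.";
        };
        device = lib.mkOption {
          type = lib.types.str;
          description = "Attribute name under boot.initrd.luks.devices that receives the key file.";
        };
        keyname = lib.mkOption {
          type = lib.types.str;
          description = "File name of the key inside the .keys directory of the key filesystem.";
        };
        uuid = lib.mkOption {
          type = lib.types.str;
          description = "UUID (as understood by findfs) of the encrypted USB key container.";
        };
      };
    };
  };

  config = lib.mkIf cfg.enable {
    # mkBefore orders these commands ahead of other postDeviceCommands
    # definitions, so /key is mounted before the non-preLVM LUKS device below
    # is opened.
    #
    # NOTE(review): the wait loop has no timeout, so boot blocks until the key
    # device is plugged in.
    # NOTE(review): nothing here unmounts /key or closes the _key mapping once
    # the volume is open, so the key container stays unlocked afterwards.
    # Consider `umount /key` and `cryptsetup close _key` in a later stage-1
    # hook (e.g. boot.initrd.postMountCommands) if no other device reads keys
    # from it.
    # NOTE(review): postDeviceCommands is a scripted-initrd hook; presumably
    # this module does nothing useful with boot.initrd.systemd.enable. Confirm.
    boot.initrd.postDeviceCommands = lib.mkBefore ''
      mkdir -m 0755 -p /key
      while ! findfs ${keyFsSpec} 2> /dev/null; do
        sleep 0.1
      done
      cryptsetup open "$(findfs ${keyFsSpec})" _key
      mount -o ro "/dev/mapper/_key" /key
    '';

    boot.initrd.luks.devices."${cfg.device}" = {
      keyFile = "/key/.keys/${cfg.keyname}";
      # Open after LVM activation, i.e. in the phase where /key is already
      # mounted by the commands above.
      preLVM = false;
    };
  };
}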