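# NixOS module: mounts a remote storage box over sshfs and layers a gocryptfs
# mount on top of the `crypt` directory found on that remote filesystem.
#
# Two options carry secrets (sshKeyFile, passFile). Both are interpolated into
# mount option strings below. If either value is a Nix path literal or already
# points into the Nix store, the secret ends up in the world-readable store,
# so the module emits an evaluation warning in that case.
{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.storagebox;

  # True when interpolating `p` into a string yields a Nix store path:
  # either `p` is a path value (string interpolation copies it into the store)
  # or its string form already lies under the store directory.
  # `toString` on a path value does not copy anything.
  secretLandsInStore = p:
    builtins.typeOf p == "path" || hasPrefix builtins.storeDir (toString p);
in
{
  options.services.storagebox = {
    enable = mkEnableOption "storagebox";

    hostname = mkOption {
      type = types.str;
      description = "Host name of the storage box; used for the sshfs device and the known-hosts entry.";
    };

    hostKey = mkOption {
      type = types.str;
      description = "Public SSH host key of the storage box, passed to programs.ssh.knownHosts.";
    };

    user = mkOption {
      type = types.str;
      description = "SSH user name used for the sshfs mount.";
    };

    sshKeyFile = mkOption {
      type = types.path;
      description = ''
        Private SSH key used as IdentityFile for the sshfs mount.
        Give an absolute path as a string (for example a file provisioned by a
        secrets manager at activation or boot time). A Nix path literal is
        copied into the world-readable Nix store when the mount options are
        built.
      '';
    };

    plainMountPoint = mkOption {
      type = types.str;
      default = "/mnt/box";
      description = "Mount point of the sshfs filesystem holding the encrypted data.";
    };

    cryptMountPoint = mkOption {
      type = types.str;
      default = "/data";
      description = "Mount point of the decrypted gocryptfs view.";
    };

    passFile = mkOption {
      type = types.path;
      description = ''
        File containing the gocryptfs password, passed as the passfile mount
        option. Give an absolute path as a string; a Nix path literal is copied
        into the world-readable Nix store when the mount options are built.
      '';
    };
  };

  config = mkIf cfg.enable {
    # Surface secrets that would be readable by every local user via the store.
    warnings =
      optional (secretLandsInStore cfg.sshKeyFile)
        "services.storagebox.sshKeyFile resolves to a Nix store path; the private key is world-readable there. Use an absolute path string to a file kept outside the store."
      ++ optional (secretLandsInStore cfg.passFile)
        "services.storagebox.passFile resolves to a Nix store path; the gocryptfs password is world-readable there. Use an absolute path string to a file kept outside the store.";

    environment.systemPackages = with pkgs; [ gocryptfs sshfs ];

    # Pin the server's host key so the ssh client used by sshfs can verify the
    # server against cfg.hostKey instead of trusting the first key it sees.
    programs.ssh.knownHosts.storageBox = {
      hostNames = [ cfg.hostname ];
      publicKey = cfg.hostKey;
    };

    # Remote filesystem over SSH (port 23), holding the ciphertext.
    fileSystems."${cfg.plainMountPoint}" = {
      device = "${cfg.user}@${cfg.hostname}:/home";
      fsType = "fuse.sshfs";
      options = [
        "defaults"
        "_netdev"
        # allow_other opens the mount to other local users;
        # default_permissions has the kernel enforce file mode checks.
        "allow_other"
        "default_permissions"
        "port=23"
        "compression=no"
        "reconnect"
        "ServerAliveInterval=15"
        "IdentityFile=${cfg.sshKeyFile}"
      ];
    };

    # Decrypted view of <plainMountPoint>/crypt; requires the sshfs mount first.
    fileSystems."${cfg.cryptMountPoint}" = {
      depends = [ "${cfg.plainMountPoint}" ];
      device = "${cfg.plainMountPoint}/crypt";
      fsType = "fuse.gocryptfs";
      options = [
        "rw"
        # NOTE(review): allow_other makes the plaintext reachable by other
        # local users, subject to file permissions. Confirm this is intended.
        "allow_other"
        "passfile=${cfg.passFile}"
      ];
    };
  };
}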