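# NixOS module: systemd-sysupdate transfers for the UKI and the store
# partition image, plus the OpenPGP keyring systemd-sysupdate consults at
# /etc/systemd/import-pubring.gpg when a transfer has Verify=yes.
{ config, pkgs, ... }:
let
  # Public key of the staging signing identity. Imported into a keyring
  # built at evaluation time (gpgKeyring below).
  # NOTE(review): record the key fingerprint next to this block so key
  # rotations are reviewable in diffs.
  gpgPubKeyStaging = ''
    -----BEGIN PGP PUBLIC KEY BLOCK-----

    mDMEZvb3mhYJKwYBBAHaRw8BAQdAvyH7AMLukMEF/1as7auAh757//LlO/kBG8pm
    zhOlTj20LFBhdGFnaWEgU3RhZ2luZyA8bm9yZXBseStzdGFnaW5nQHBhdGFnaWEu
    aW8+iJQEExYKADwWIQTjWE8tGxWc+3+vxyy1R4V5MjgMzAUCZvb3mgIbAwUJBaOa
    gAQLCQgHBBUKCQgFFgIDAQACHgUCF4AACgkQtUeFeTI4DMwDWAEAlMAhSZh086Ux
    OfLBR1QYgHtXmk6tObJurWkZq6cGICwA/2fBOtZcLfAPRWYPLHAtsqtFrO6CIyQG
    H6n4Iv3D5ZsCuDgEZvb3mhIKKwYBBAGXVQEFAQEHQPKKcltfHlELIHf0AYcd0nOe
    GaWcAnoW4o3zLZUVNnlpAwEIB4h+BBgWCgAmFiEE41hPLRsVnPt/r8cstUeFeTI4
    DMwFAmb295oCGwwFCQWjmoAACgkQtUeFeTI4DMzuegEA62XIq4Ir+4DWdTql58bA
    +0Vr89dMQsAxwVzGGzl8D8wBAMuPY6/2SwbA7KwWuz8L/cTPQVLBt+TSdYeuCBps
    e5UE
    =m2st
    -----END PGP PUBLIC KEY BLOCK-----
  '';

  # Derivation whose only output file is import-pubring.gpg holding the key
  # above. gnupg is a build-time tool, hence nativeBuildInputs.
  gpgKeyring = pkgs.runCommand "gpg-keyring" { nativeBuildInputs = [ pkgs.gnupg ]; } ''
    # Keep gpg's own state (trustdb, agent sockets, ...) out of $out by
    # pointing GNUPGHOME at a scratch directory; the previous approach of
    # using $out as GNUPGHOME and then rm-ing the sockets failed the build
    # whenever a socket was not created.
    export GNUPGHOME="$(mktemp -d)"
    mkdir -p "$out"
    # --fingerprint on the not-yet-existing keyring creates the file so the
    # import below has a keyring to write into.
    gpg --no-default-keyring --keyring="$out/import-pubring.gpg" --fingerprint
    gpg --no-default-keyring --keyring="$out/import-pubring.gpg" --batch --import <<< '${gpgPubKeyStaging}'
  '';
in
{
  # Location systemd-sysupdate reads trusted keys from for Verify=yes.
  environment.etc."systemd/import-pubring.gpg".source = "${gpgKeyring}/import-pubring.gpg";

  systemd.additionalUpstreamSystemUnits = [
    "systemd-sysext.service"
  ];

  # NixOS keys systemd.services by unit name *without* the ".service"
  # suffix (a key of "systemd-sysext.service" defines a separate, empty
  # unit called systemd-sysext.service.service instead).
  systemd.services.systemd-sysext.enable = true;
  # NOTE(review): NixOS does not apply an upstream unit's [Install] section,
  # so enable = true alone may not start systemd-sysext.service at boot; a
  # wantedBy (upstream installs it into sysinit.target) may be needed — confirm.

  systemd.sysupdate = {
    enable = true;

    transfers = {
      # Unified kernel image: downloaded as <name>_<version>.efi.xz and
      # unpacked into the ESP; at most two versions are kept.
      "10-uki" = {
        Source = {
          MatchPattern = [
            "${config.boot.uki.name}_@v.efi.xz"
          ];

          Path = "https://images.dl.patagia.dev/patos/";
          Type = "url-file";
        };
        Target = {
          InstancesMax = 2;
          MatchPattern = [
            "${config.boot.uki.name}_@v.efi"
          ];

          Mode = "0444";
          Path = "/EFI/Linux";
          PathRelativeTo = "boot";

          Type = "regular-file";
        };
        Transfer = {
          # Never remove the UKI of the running OS version.
          ProtectVersion = "%A";
          # Signature verification is off: the keyring installed at
          # /etc/systemd/import-pubring.gpg is only consulted with
          # Verify=yes, which also requires SHA256SUMS and SHA256SUMS.gpg
          # to be published next to the images at Source.Path. Until then
          # the download is protected by TLS alone.
          # NOTE(review): switch to "yes" once the signed manifest exists.
          Verify = "no";
        };
      };

      # Store image: downloaded as <name>_<version>.img.xz and written to a
      # GPT partition labelled <name>_<version>; at most two are kept.
      "20-store" = {
        Source = {
          MatchPattern = [
            "${config.boot.uki.name}_@v.img.xz"
          ];
          Path = "https://images.dl.patagia.dev/patos/";
          Type = "url-file";
        };

        Target = {
          InstancesMax = 2;

          # This doesn't work, because / is a tmpfs and the heuristic is not that smart.
          #
          # Path = "auto";
          Path = "/dev/sda";

          MatchPattern = "${config.boot.uki.name}_@v";

          Type = "partition";
          ReadOnly = "yes";
        };
        Transfer = {
          # Same caveat as for 10-uki: no signature check until SHA256SUMS
          # and SHA256SUMS.gpg are published at Source.Path.
          Verify = "no";
        };
      };

    };
  };
}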