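# Builds the PatOS initrd image ($out/initrd.xz).
#
# The build script copies patosPkgs.rootfs into a scratch tree, points /init
# at systemd, makes initrd.target the default target, and adds three pieces of
# initrd-only configuration:
#   * secure-boot-enroll(.service): creates, enrolls and uses Secure Boot keys
#     with sbctl while the firmware reports Setup Mode, then reboots;
#   * sysroot-run.mount: bind-mounts /run onto /sysroot/run;
#   * a systemd-repart drop-in that writes crypttab/fstab under /run.
# The tree is then packed as a newc cpio archive and compressed with xz.
{
  pkgs,
  patosPkgs,
  runCommand,
  ...
}:
runCommand "patos-initrd" {
  buildInputs = with pkgs; [
    cpio
    xz
  ];
}
''
echo "Building initram disk"
mkdir -p "$out/root"
pushd "$out/root"

### copy rootfs
cp -prP ${patosPkgs.rootfs}/* .
# Make every copied directory writable by the owner so the files and symlinks
# below can be created inside them.
find . -type d -exec chmod 755 {} \;
mkdir sysroot

### create directories
ln -sf ../usr/lib/systemd/systemd init

### Create needed files
echo patos > ./etc/hostname

ln -sf /etc/os-release ./etc/initrd-release

# set default target to initrd inside initrd
ln -sf initrd.target ./usr/lib/systemd/system/default.target

# setup secure boot
#
# The heredoc below is unquoted, so every dollar sign meant for the generated
# script is backslash-escaped and backslash-newline pairs are joined at build
# time.
#
# Security notes for reviewers (behaviour here is unchanged):
#  * keydir/guid live under /sysroot/boot, which is where the ESP is mounted.
#    The private signing keys therefore stay on the ESP; if that partition is
#    an unencrypted FAT volume, anyone who can read the disk can copy them and
#    sign their own EFI binaries. NOTE(review): confirm this is intended, or
#    move the keys to protected storage once enrollment is done.
#  * enroll-keys runs with --yolo, which bypasses sbctl's pre-enrollment
#    safety check, and no vendor certificates are requested. Hardware that
#    depends on vendor-signed option ROMs may stop booting - verify per
#    platform.
#  * The ESP is located by filesystem label only (blkid --label ESP).
#    NOTE(review): presumably another attached device carrying the same label
#    could be selected instead; consider matching on partition type or the
#    boot disk.
#  * Under set -e a failure inside the && chain (other than its last command)
#    does not abort the script, so umount and the forced reboot still run
#    after a failed create-keys/enroll-keys. NOTE(review): if the firmware is
#    still in Setup Mode on the next boot this repeats - confirm.
cat <<EOF > ./usr/bin/secure-boot-enroll
#!/bin/sh
set -ex -o pipefail

SETUP_MODE=\$(sbctl status --json | xq -r '.setup_mode')

[ "\$SETUP_MODE" = "false" ] && exit 0

cat <<EOL> /run/sbctl.yml
---
keydir: /sysroot/boot/sbctl/keys
guid: /sysroot/boot/sbctl/GUID
EOL

ESP=\$(blkid --label ESP)

mount "\$ESP" /sysroot/boot && \
  sbctl --config /run/sbctl.yml create-keys && \
  sbctl --config /run/sbctl.yml enroll-keys --yolo && \
  # Sign EFIs (find emits NUL-separated paths, so xargs must read them with -0)
  find /sysroot/boot -type f -iname "*.efi" -print0 | xargs -0 -I {} sbctl --config /run/sbctl.yml sign {}

umount /sysroot/boot && \
  systemctl reboot -f
EOF
chmod +x ./usr/bin/secure-boot-enroll

# Oneshot unit that runs the enrollment script after /run has been bind-mounted
# into /sysroot and before systemd-repart touches the disk.
cat <<EOF > ./usr/lib/systemd/system/secure-boot-enroll.service
[Unit]
Description=Enroll Secure Boot
DefaultDependencies=false
After=sysroot-run.mount
Requires=sysroot-run.mount
Before=systemd-repart.service initrd.target shutdown.target sysinit.target

[Service]
Type=oneshot
ExecStart=/usr/bin/secure-boot-enroll
RemainAfterExit=yes
EOF
ln -sf ../secure-boot-enroll.service ./usr/lib/systemd/system/initrd-root-fs.target.wants/secure-boot-enroll.service

# bind mount /run to /sysroot/run
cat <<EOF > ./usr/lib/systemd/system/sysroot-run.mount
[Unit]
Before=initrd-fs.target
DefaultDependencies=false

[Mount]
Options=bind
What=/run
Where=/sysroot/run
EOF
mkdir ./usr/lib/systemd/system/initrd-fs.target.requires/
ln -sf ../sysroot-run.mount ./usr/lib/systemd/system/initrd-fs.target.requires/sysroot-run.mount

# repart: generate crypttab and fstab under /run
# The empty ExecStart= line clears the command inherited from the stock unit
# before the replacement command is set.
mkdir ./usr/lib/systemd/system/systemd-repart.service.d
cat <<EOF > ./usr/lib/systemd/system/systemd-repart.service.d/override.conf
[Unit]
After=sysroot-run.mount
Requires=sysroot-run.mount

[Service]
Environment=SYSTEMD_REPART_MKFS_OPTIONS_BTRFS=--nodiscard
ExecStart=
ExecStart=systemd-repart --dry-run=no --generate-crypttab=/run/crypttab --generate-fstab=/run/fstab
EOF
ln -sf ../systemd-repart.service ./usr/lib/systemd/system/initrd-root-fs.target.wants/systemd-repart.service

# gen initrd
# newc archive with every entry owned by root. The xz integrity check is set
# to crc32 explicitly; presumably because the kernel's xz decoder does not
# handle the xz default (crc64) - confirm before changing.
find . -print0 | cpio --null --owner=root:root -o --format=newc | xz -9 --check=crc32 > ../initrd.xz

popd
# Only initrd.xz is kept in the output; drop the scratch tree.
rm -rf -- "$out/root"
''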