{ pkgs, patosPkgs, runCommand, ... }:

let
  # Enrollment helper that ends up inside the initrd as /usr/bin/secure-boot-enroll.
  enrollScript = ./secure-boot-enroll.sh;
in
runCommand "patos-initrd"
  {
    # Reaches the build script as the environment variable $secureBootEnroll.
    secureBootEnroll = enrollScript;
    buildInputs = [ pkgs.cpio pkgs.xz ];
  }
  ''
    echo "Building initram disk"
    mkdir -p "$out/root"
    pushd "$out/root"

    ### copy rootfs
    # The rootfs comes out of the store read-only; directories are opened up to
    # 755 so the tree below can be edited, file modes are left as copied.
    cp -prP ${patosPkgs.rootfs}/* .
    find . -type d -exec chmod 755 {} +
    mkdir sysroot

    ### create directories
    # PID 1 of the initrd is systemd itself.
    ln -sf ../usr/lib/systemd/systemd init

    ### Create needed files
    echo patos > ./etc/hostname
    # /etc/initrd-release marks this tree as an initrd to systemd.
    ln -sf /etc/os-release ./etc/initrd-release

    # set default target to initrd inside initrd
    ln -sf initrd.target ./usr/lib/systemd/system/default.target

    # setup secure boot
    # Executable helper, mode 0755, from the script passed in via the env.
    install -m 0755 "$secureBootEnroll" ./usr/bin/secure-boot-enroll

    # One-shot enrollment unit. It is gated twice: the kernel command line has
    # to carry patos.secureboot=true, and the PK variable must be absent from
    # efivars (the ConditionPathExists line is negated), i.e. the firmware has
    # no Platform Key yet. It is ordered before systemd-repart so enrollment
    # happens before any partitions are created.
    cat > ./usr/lib/systemd/system/secure-boot-enroll.service <<'EOF'
    [Unit]
    Description=Enroll Secure Boot
    DefaultDependencies=false
    After=sysroot-run.mount
    Requires=sysroot-run.mount
    Before=systemd-repart.service initrd.target shutdown.target sysinit.target
    ConditionKernelCommandLine=patos.secureboot=true
    ConditionPathExists=|!/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c
    [Service]
    Type=oneshot
    ExecStart=/usr/bin/secure-boot-enroll
    RemainAfterExit=yes
    EOF
    ln -sf ../secure-boot-enroll.service ./usr/lib/systemd/system/initrd-root-fs.target.wants/secure-boot-enroll.service

    # bind mount /run to /sysroot/run
    # Presumably so that what systemd-repart writes under /run (see below) is
    # still reachable once the root switch happens — confirm against the
    # consumer of /run/crypttab and /run/fstab.
    cat > ./usr/lib/systemd/system/sysroot-run.mount <<'EOF'
    [Unit]
    Before=initrd-fs.target
    DefaultDependencies=false
    [Mount]
    Options=bind
    What=/run
    Where=/sysroot/run
    EOF
    mkdir ./usr/lib/systemd/system/initrd-fs.target.requires/
    ln -sf ../sysroot-run.mount ./usr/lib/systemd/system/initrd-fs.target.requires/sysroot-run.mount

    # repart: generate crypttab and fstab under /run
    # The empty ExecStart= line clears the upstream command before the
    # replacement is set; SYSTEMD_REPART_MKFS_OPTIONS_BTRFS is handed to mkfs.
    mkdir ./usr/lib/systemd/system/systemd-repart.service.d
    cat > ./usr/lib/systemd/system/systemd-repart.service.d/override.conf <<'EOF'
    [Unit]
    After=sysroot-run.mount
    Requires=sysroot-run.mount
    [Service]
    Environment=SYSTEMD_REPART_MKFS_OPTIONS_BTRFS=--nodiscard
    ExecStart=
    ExecStart=systemd-repart --dry-run=no --generate-crypttab=/run/crypttab --generate-fstab=/run/fstab
    EOF
    ln -sf ../systemd-repart.service ./usr/lib/systemd/system/initrd-root-fs.target.wants/systemd-repart.service

    # gen initrd
    # Ownership is normalised to root:root in the archive regardless of the
    # build user; newc is the format the kernel unpacks, crc32 the xz check it
    # accepts.
    find . -print0 \
      | cpio -o --null --format=newc --owner=root:root \
      | xz -9 --check=crc32 > ../initrd.xz
    popd
    rm -rf "$out/root"
  ''