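# Shared helpers for host configurations: account templates (mkRoot, mkUser)
# and the naming conventions for disks, partitions, LUKS mappings and LVM.
#
# `keys` and `passwords` default to the repository's variable files; callers
# may inject their own attrsets instead (the defaults are then never imported).
{ keys ? import ../../variables/keys.nix
, passwords ? import ../../variables/passwords.crypt.nix
}:

{
  # Root account template: the hashed root password from the password file plus
  # steveej's SSH public keys.  Any attributes passed in override these defaults
  # (same override style as mkUser; previously the pattern was `{ }@args`, which
  # rejected every argument and made the trailing `// args` a no-op).
  #
  # NOTE(review): NixOS copies `hashedPassword` into the world-readable Nix
  # store; `users.users.<name>.hashedPasswordFile` keeps the hash out of it --
  # confirm before switching.
  mkRoot = { ... }@args: {
    hashedPassword = passwords.users.root;
    openssh.authorizedKeys.keys = keys.users.steveej.openssh;
  } // args;

  # Normal-user template.  `uid` is required; `hashedPassword` defaults to
  # steveej's hash; every other attribute is passed through and overrides the
  # defaults below.
  #
  # "wheel", "docker" and "libvirtd" are root-equivalent groups, so every
  # account built with this helper can escalate to root.  Keep that in mind
  # before reusing it for accounts that should stay unprivileged.
  mkUser = { uid, hashedPassword ? passwords.users.steveej, ... }@args: {
    inherit uid hashedPassword;
    isNormalUser = true;
    extraGroups = [
      "docker"
      "wheel"
      "libvirtd"
      "networkmanager"
      "vboxusers"
      "users"
      "input"
      "audio"
      "video"
      "cdrom"
      "adbusers"
    ];
    openssh.authorizedKeys.keys = keys.users.steveej.openssh;
  } // args;

  disk = rec {
    # GPT partition labels hold at most 36 UTF-16 code units (72 bytes), so the
    # label is cut down to 36.  builtins.substring counts bytes, which is only
    # equivalent for ASCII disk IDs.  Truncation keeps the prefix: two disks
    # whose IDs agree in their first 34 characters get colliding "2-"/"3-"
    # labels, so check for that when adding a disk.
    shortenGptPartlabel = partlabel: builtins.substring 0 36 partlabel;

    # LVM volume-group names may only contain [a-zA-Z0-9._+-]; every other
    # character is dropped (whitelist instead of the old ":"-only blacklist;
    # any other disallowed character would have made LVM reject the name
    # anyway, so existing valid names are unchanged).  A leading "-" is not
    # handled here; LVM rejects such names on its own.
    volumeGroup = diskId:
      builtins.concatStringsSep ""
        (builtins.filter builtins.isString
          (builtins.split "[^a-zA-Z0-9._+-]+" diskId));

    # Whole-disk device for the GRUB installation; resolved by id, which is
    # stable across reboots but is only needed at install time.
    bootGrubDevice = diskId: "/dev/disk/by-id/" + diskId;

    # Logical volumes "root" and "swap" inside the disk's volume group.  These
    # paths are provided by LVM itself, independent of how the disk is attached.
    rootFsDevice = diskId: "/dev/" + (volumeGroup diskId) + "/root";
    swapFsDevice = diskId: "/dev/" + (volumeGroup diskId) + "/swap";

    # Partitions 2 (boot) and 3 (LUKS / LVM PV) are addressed by GPT label
    # rather than by disk id, because the id can differ between install time
    # and runtime (example: an MMC card in the internal reader vs. a USB
    # reader).  The label embeds the disk id, truncated as described above.
    bootFsDevice = diskId:
      "/dev/disk/by-partlabel/" + (shortenGptPartlabel ("2-" + diskId));
    bootLuksDevice = diskId:
      "/dev/disk/by-partlabel/" + (shortenGptPartlabel ("3-" + diskId));

    # Name of the opened LUKS mapping and the resulting /dev/mapper device that
    # serves as LVM physical volume when the disk is encrypted.
    luksName = diskId: (volumeGroup diskId) + "pv";
    luksPhysicalVolume = diskId: "/dev/mapper/" + (luksName diskId);

    # Physical volume to hand to LVM: the opened LUKS mapping when encrypted,
    # otherwise partition 3 directly.  `encrypted` must be a boolean; a
    # non-boolean now fails evaluation instead of silently selecting the
    # unencrypted path as the old `encrypted == true` comparison did.
    lvmPv = diskId: encrypted:
      if encrypted then luksPhysicalVolume diskId else bootLuksDevice diskId;
  };
}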