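{ config, lib, pkgs, ... }:

# Installs three FHS-style entry points under /bin via systemd-tmpfiles:
#   /bin/bash             -> shim that runs whichever `bash` is first on PATH
#   /bin/cryptroot-unlock -> systemd-tty-ask-password-agent --query --watch
#   /bin/unlock-host      -> ssh helper that answers a remote host's boot-time
#                            LUKS passphrase prompt
# All three are gated by the single option my.binBashWrapper.enable.
let
  cfg = config.my.binBashWrapper;

  # /bin/bash compatibility shim. It deliberately defers to PATH through
  # /usr/bin/env instead of pinning a store path, so the bash that runs is
  # whatever the caller's environment provides.
  # NOTE(review): a caller-controlled PATH therefore decides which `bash` a
  # `#!/bin/bash` script executes; fine for ordinary sessions, but consider
  # pinning a store path if this is relied on from privileged contexts.
  bashWrapper = pkgs.writeShellScriptBin "bash" ''
    exec /usr/bin/env bash "$@"
  '';

  # Local convenience: interactively answer pending password queries (for
  # example a LUKS prompt raised in the initrd) and keep watching for new ones.
  # Resolved through /run/current-system so it always tracks the active system
  # profile rather than the profile this module was built against.
  cryptrootUnlockWrapper = pkgs.writeShellScriptBin "cryptroot-unlock" ''
    exec /run/current-system/sw/bin/systemd-tty-ask-password-agent --query --watch "$@"
  '';

  # Remote convenience: ssh into HOST (first argument) and run
  # `systemd-tty-ask-password-agent --query` there, so a remote host stuck on
  # its boot-time LUKS prompt can be unlocked from this machine. Any further
  # arguments are passed to ssh as options (for example `-p 2222 -i key`).
  #
  # Fixes relative to the earlier version: the usage text now names the
  # mandatory HOST argument (the old text suggested only ssh options),
  # -h/--help prints on stdout and exits 0 while a missing HOST reports on
  # stderr and exits 1, and ssh is taken from the openssh store path instead
  # of being resolved from the caller's PATH.
  unlockHost = pkgs.writeShellScriptBin "unlock-host" ''
    set -euo pipefail

    # Print the usage text on stdout; callers redirect it as needed.
    print_usage() {
      echo "Usage: unlock-host HOST [ssh-options...]"
      echo "Unlocks a remote host waiting for a LUKS passphrase during boot."
      echo "HOST is given to ssh as the destination; remaining arguments are passed to ssh."
    }

    # No HOST: this is an error, so report on stderr and fail.
    if [[ $# -lt 1 ]]; then
      print_usage >&2
      exit 1
    fi

    # Explicit help request: print on stdout and succeed.
    if [[ "$1" == "-h" || "$1" == "--help" ]]; then
      print_usage
      exit 0
    fi

    host="$1"
    shift

    # -tt forces a pty so the remote password agent can prompt interactively.
    # ssh options must precede the destination; the remote command follows it.
    exec ${pkgs.openssh}/bin/ssh -tt "$@" "$host" systemd-tty-ask-password-agent --query
  '';
in
{
  # mkEnableOption prefixes "Whether to enable ", so the description lists
  # everything the option actually installs, not just /bin/bash.
  options.my.binBashWrapper.enable =
    lib.mkEnableOption "/bin/bash, /bin/cryptroot-unlock and /bin/unlock-host wrappers";

  config = lib.mkIf cfg.enable {
    # tmpfiles field layout: type path mode uid gid age target.
    # `L+` creates the symlink and replaces whatever already exists at the path,
    # so a new system generation re-points the links to the new store paths.
    systemd.tmpfiles.rules = [
      "L+ /bin/bash - - - - ${bashWrapper}/bin/bash"
      "L+ /bin/cryptroot-unlock - - - - ${cryptrootUnlockWrapper}/bin/cryptroot-unlock"
      "L+ /bin/unlock-host - - - - ${unlockHost}/bin/unlock-host"
    ];
  };
}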