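# NixOS module: provides FHS-style entry points for tools that hard-code
# /bin/bash or /bin/cryptroot-unlock.
#
# Note: enabling `my.binBashWrapper.enable` installs BOTH symlinks below,
# not only the bash one that the option description mentions.
{ config, lib, pkgs, ... }:

let
  cfg = config.my.binBashWrapper;

  # Pin the interpreter to an absolute store path rather than resolving
  # `bash` through the caller's PATH with /usr/bin/env. A PATH lookup behind
  # a fixed path like /bin/bash has two problems:
  #   * whoever controls PATH chooses which binary runs for every
  #     `#!/bin/bash` script;
  #   * if /bin is the first (or only) PATH entry that contains `bash`, the
  #     lookup resolves back to this wrapper and execs itself forever.
  bashWrapper = pkgs.writeShellScriptBin "bash" ''
    exec ${pkgs.bashInteractive}/bin/bash "$@"
  '';

  # Forwards to systemd's password agent through the current system profile,
  # so it follows the active generation instead of a pinned store path.
  # The path is absolute, so it does not depend on the caller's PATH.
  cryptrootUnlockWrapper = pkgs.writeShellScriptBin "cryptroot-unlock" ''
    exec /run/current-system/sw/bin/systemd-tty-ask-password-agent --query --watch "$@"
  '';
in
{
  options.my.binBashWrapper.enable = lib.mkEnableOption "create a /bin/bash wrapper";

  config = lib.mkIf cfg.enable {
    # `L+` creates the symlink and replaces whatever already exists at that
    # path, so a pre-existing /bin/bash or /bin/cryptroot-unlock is removed.
    systemd.tmpfiles.rules = [
      "L+ /bin/bash - - - - ${bashWrapper}/bin/bash"
      "L+ /bin/cryptroot-unlock - - - - ${cryptrootUnlockWrapper}/bin/cryptroot-unlock"
    ];
  };
}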