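# GRUB2 as a coreboot payload.
#
# Builds the payload ELF, renders grub.cfg from the fragments below and
# registers payload, config, font, background and (optionally) the trusted
# public key as CBFS files through `corenix.extraFiles`.
#
# The page this was taken from had the file collapsed onto two lines; the line
# structure of the embedded GRUB fragments is restored here, one GRUB command
# per line, because the collapsed form would put several commands on one line.
{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.grub2;

  # CBFS name of the payload: the primary slot unless GRUB is shipped as a
  # secondary payload.
  payloadName =
    if cfg.asSecondaryPayload then "img/grub2" else "fallback/payload";

  # grub.cfg is assembled in this order: base config, user extraConfig,
  # signature enforcement, device scan, users, secondary-payload entries.
  configText = (readFile ./files/grub.cfg) + cfg.extraConfig
    # Signature enforcement. GRUB applies it to files loaded after this
    # point, which then need a valid detached signature. Anyone who can reach
    # the GRUB command line can unset check_signatures, so enforcement is
    # only meaningful when `users` defines at least one superuser.
    + (optionalString (cfg.signKey != null) ''
      trust (cbfsdisk)/etc/trusted.key
      set check_signatures=enforce
    '')
    # NOTE(review): grub-scan.cfg is not visible here; if it sources configs
    # found on external media, check how that interacts with signKey/users.
    + (optionalString (cfg.scanDevices) (readFile ./files/grub-scan.cfg))
    # One password line per user, then the superuser list. The rendered file
    # goes through pkgs.writeText and into CBFS as etc/grub.cfg, so with
    # passwordIsHashed = false the clear-text password is readable from both.
    + (optionalString (cfg.users != { }) ((concatStringsSep "\n" (mapAttrsToList
      (n: u: ''
        ${if u.passwordIsHashed then "password_pbkdf2" else "password"} ${n} ${u.password}
      '') cfg.users)) + ''
        set superusers="${concatStringsSep " " (attrNames (filterAttrs (n: u: u.superuser) cfg.users))}"
        export superusers
      ''))
    # One chainloader entry per CBFS file named img/*. The entries carry
    # neither --unrestricted nor --users, so once superusers is set GRUB
    # lets only superusers run them.
    # NOTE(review): with asSecondaryPayload = true the payload itself is
    # named img/grub2 and presumably gets an entry that chainloads GRUB
    # again; confirm this is intended.
    + (optionalString cfg.generateSecondaryPayloadEntries (concatMapStrings
      (n: ''
        menuentry '${removePrefix "img/" n}' {
          chainloader (cbfsdisk)/${n}
        }
      '') (filter (hasPrefix "img/") (attrNames config.corenix.extraFiles))));

  # Per-user options for `grub2.users.<name>`.
  userOpts = { ... }: {
    options = {
      # Listed in GRUB's `superusers` variable when true.
      superuser = mkOption {
        type = types.bool;
        default = true;
      };
      password = mkOption {
        type = types.str;
        description = ''
          Password for this GRUB user. With passwordIsHashed = true this must
          be a PBKDF2 hash as produced by grub-mkpasswd-pbkdf2; otherwise the
          value is written to grub.cfg in clear text.
        '';
      };
      passwordIsHashed = mkOption {
        type = types.bool;
        default = true;
        description = ''
          Emit a password_pbkdf2 line (true) or a clear-text password line
          (false) for this user. grub.cfg is stored in the Nix store and in
          the flash image, so the default of true is the safe choice.
        '';
      };
    };
  };
in {
  options.grub2 = {
    enable = mkEnableOption "grub2 coreboot primary payload";

    # Install the payload as img/grub2 instead of fallback/payload.
    asSecondaryPayload = mkOption {
      type = types.bool;
      default = false;
    };

    # Add a chainloader menu entry for every CBFS file named img/*.
    generateSecondaryPayloadEntries = mkOption {
      type = types.bool;
      default = true;
    };

    scanDevices = mkOption {
      type = types.bool;
      default = true;
      description = ''
        Scan internal and external storage devices for
        GRUB2/syslinux/isolinux/NetBSD configs at runtime and create boot
        entries for each of them.
      '';
    };

    # Appended verbatim after the base grub.cfg, before the generated parts.
    extraConfig = mkOption {
      type = types.lines;
      default = "";
    };

    # Final grub.cfg; set from configText below when the module is enabled.
    configFile = mkOption { type = types.path; };

    users = mkOption {
      type = types.attrsOf (types.submodule userOpts);
      default = { };
    };

    font = mkOption {
      type = types.path;
      default = "${pkgs.unifont}/share/fonts/truetype/unifont.ttf";
      example = "${pkgs.dejavu_fonts}/share/fonts/truetype/DejaVuSansMono.ttf";
    };

    package = mkOption {
      type = types.package;
      default = pkgs.coreboot-payload-grub2;
    };

    signKey = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = ''
        Public key that GRUB trusts for signature checks. The file is copied
        into CBFS as etc/trusted.key, so it must contain the public half
        only. When set, check_signatures=enforce is appended to grub.cfg.
      '';
    };

    extraPayloadModules = mkOption {
      type = types.listOf types.str;
      default = [ ];
    };
  };

  config = mkIf cfg.enable {
    grub2.configFile = pkgs.writeText "grub.cfg" configText;

    # NOTE(review): the password, password_pbkdf2 and trust commands used in
    # grub.cfg need their GRUB modules in the payload; none are listed here,
    # so presumably the package builds them in by default. Confirm.
    grub2.extraPayloadModules =
      [ "png" "gfxmenu" "gfxterm_background" "ls" "cat" "echo" "linux" "xfs" "bsd" ];

    corenix.extraFiles = {
      ${payloadName} = {
        type = "payload";
        src = "${
            cfg.package.override { inherit (cfg) extraPayloadModules; }
          }/default_payload.elf";
      };
      # Font converted to GRUB's pf2 format, limited to the listed ranges.
      "font.pf2".src = (pkgs.runCommand "font.pf2" {
        buildInputs = with pkgs; [ grub2 ];
      }
        "grub-mkfont --range=0x20-0x7E,0x2501-0x251F,0x2191-0x2193 --size=14 -o $out ${cfg.font}");
      "etc/grub.cfg".src = cfg.configFile;
      "background.png".src = ./files/background.png;
    } // (optionalAttrs (cfg.signKey != null) {
      "etc/trusted.key".src = cfg.signKey;
    });
  };
}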