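# Builds `setup-disk-<hostName>`, an interactive installer helper derived from
# a NixOS system configuration. The generated script is destructive: it
# relabels the disk typed at the prompt as GPT, creates a boot and a
# LUKS-encrypted btrfs root partition, creates the btrfs subvolumes referenced
# by `fileSystems`, mounts them under /mnt and generates an ed25519 SSH host
# key at the last path in `sops.age.sshKeyPaths`.
#
# Without a `systemConfig` a stub named `setup-disk-none` is returned instead.
{
  systemConfig ? null,
  lib,
  writeShellApplication,
  writeScriptBin,
  btrfs-progs,
  parted,
  openssh,
}:
if systemConfig != null then
  writeShellApplication {
    name = "setup-disk-${systemConfig.networking.hostName}";
    # Only these packages are pinned. cryptsetup, mkfs.vfat, mount and umount
    # are not listed, so they resolve from the caller's PATH
    # (writeShellApplication prepends runtimeInputs to PATH by default).
    runtimeInputs = [
      btrfs-progs
      parted
      openssh
    ];
    text =
      let
        inherit (systemConfig.networking) hostName;
        bootDisk = "/dev/disk/by-partlabel/${hostName}-boot";
        rootDisk = "/dev/disk/by-partlabel/${hostName}-root";
        persistRoot = systemConfig.common.configure.persist.system.enable;
        hostKeyPath = lib.last systemConfig.sops.age.sshKeyPaths;

        # Names of all btrfs subvolumes mounted from the LUKS root mapping.
        # Matching on the full "subvol=" prefix keeps options such as
        # "subvolid=..." from being mistaken for a subvolume name.
        subvolumes = lib.pipe systemConfig.fileSystems [
          builtins.attrValues
          (builtins.filter (fs: fs.device == "/dev/mapper/root"))
          (builtins.concatMap (fs: fs.options))
          (builtins.filter (lib.hasPrefix "subvol="))
          (builtins.map (lib.removePrefix "subvol="))
        ];

        # Subvolumes that are not already created by the root/swap steps.
        extraSubvolumeCommands = lib.pipe subvolumes [
          (lib.remove "nixos-root-1")
          (lib.remove "nixos-root")
          (lib.remove "swap")
          (builtins.map (element: "btrfs subvolume create /mnt/${element}"))
          (builtins.concatStringsSep "\n")
        ];

        # One mount command per fileSystems entry backed by the root mapping.
        # "x-initrd.mount" is dropped from the option list passed to mount.
        mountCommands = lib.pipe systemConfig.fileSystems [
          (lib.filterAttrs (_: fs: fs.device == "/dev/mapper/root"))
          (lib.concatMapAttrsStringSep "\n" (
            mountPoint: fs:
            let
              options = lib.pipe fs.options [
                (builtins.filter (option: option != "x-initrd.mount"))
                (builtins.concatStringsSep ",")
              ];
              target = lib.strings.normalizePath "/mnt${lib.removeSuffix "/" mountPoint}";
            in
            "mount --verbose --mkdir --options ${options} ${fs.device} ${target}"
          ))
        ];
      in
      ''
        set -euo pipefail

        read -rp 'Disk: ' disk
        # Everything below destroys the contents of the chosen disk, so refuse
        # anything that is not a block device before touching it.
        if [[ ! -b "$disk" ]]
        then
          echo "Not a block device: $disk" >&2
          exit 1
        fi

        read -srp "LUKS passphrase: " pass1
        echo ""
        read -srp 'LUKS passphrase (repeat): ' pass2
        echo ""

        if [[ -z "$pass1" ]]
        then
          echo "Passphrase must not be empty" >&2
          exit 1
        fi

        if [[ "$pass1" != "$pass2" ]]
        then
          echo "Passphrases don't match" >&2
          # A bare exit would report success to the caller.
          exit 1
        fi

        # NOTE(review): partition 2 is typed twice and the second type wins, so
        # the first GUID (the EFI System Partition type) has no lasting effect.
        # Confirm whether partition 1 was meant, and that the second GUID is
        # the intended root partition type for this architecture.
        parted --script --align optimal --fix "$disk" -- mklabel gpt \
          mkpart ${hostName}-boot fat32 1M 1024M \
          mkpart ${hostName}-root btrfs 1025M 100% \
          set 1 esp on \
          type 2 C12A7328-F81F-11D2-BA4B-00A0C93EC93B \
          type 2 6523f8ae-3eb1-4e2a-a05a-18b695ae656f

        # printf instead of echo: a passphrase such as "-n" or "-e" would be
        # parsed by echo as an option and never reach cryptsetup.
        printf '%s\n' "$pass1" | cryptsetup -q luksFormat "${rootDisk}"
        printf '%s\n' "$pass1" | cryptsetup -q luksOpen "${rootDisk}" root
        # The passphrase is not needed past this point.
        unset pass1 pass2

        mkfs.vfat "${bootDisk}"
        mkfs.btrfs /dev/mapper/root

        mount --verbose /dev/mapper/root /mnt

        ${lib.optionalString persistRoot ''
          btrfs subvolume create /mnt/nixos-root-1
          btrfs subvolume create /mnt/nixos-root-2
          btrfs subvolume create /mnt/nixos-root-3
          btrfs subvolume create /mnt/nixos-root-4
          btrfs subvolume set-default /mnt/nixos-root-1
        ''}
        ${lib.optionalString (!persistRoot) ''
          btrfs subvolume create /mnt/nixos-root
          btrfs subvolume set-default /mnt/nixos-root
        ''}
        ${lib.optionalString (builtins.elem "swap" subvolumes) ''
          btrfs subvolume create /mnt/swap
          btrfs filesystem mkswapfile --size ${systemConfig.common.configure.rootDisk.swap.size} --uuid clear /mnt/swap/swapfile
        ''}
        ${extraSubvolumeCommands}

        umount --verbose /mnt

        ${mountCommands}

        # generate ssh hostkey
        # NOTE(review): ssh-keygen asks for a key passphrase here; the key is
        # presumably loaded unattended (sshd host key, sops age identity), which
        # would need an empty one. Confirm, and consider passing -N explicitly.
        mkdir -p /mnt${lib.removeSuffix "ssh_host_ed25519_key" hostKeyPath}
        ssh-keygen -t ed25519 -f /mnt${hostKeyPath}
        cat /mnt${hostKeyPath}.pub
      '';
  }
else
  writeScriptBin "setup-disk-none" "echo 'No system config given!'"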