nix-system/os/remote-disk-unlock.nix

kernelModules: sshKeys: ({ config, pkgs, ... }: {
  boot = {
    initrd = {
      availableKernelModules = kernelModules;
      network = {
        enable = true;
        udhcpc = {
          enable = true;
          extraArgs = [ "--background" "--retries" "1" ];
        };
        flushBeforeStage2 = true;
        ssh = {
          enable = true;
          port = 22;
          authorizedKeys = sshKeys;
          hostKeys = [ "/etc/ssh/ssh_host_ed25519_key" ];
          # shell = "/bin/cryptsetup-askpass";
        };
        postCommands = ''
          # Automatically ask for the password on SSH login
          echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1' >> /root/.profile
        '';
      };
    };
  };
})