{ config, lib, ... }:

let
  inherit (lib) attrValues concatMap elem optionals;

  # Root of the encrypted (age) secrets tree for this configuration.
  secretsPath = config.dadada.secrets.path;

  # Per-host name of the initrd SSH host key; doubles as the agenix secret name.
  initrdHostKey = "${config.networking.hostName}-ssh_host_ed25519_key";

  # SSH public keys of every user that is a member of "wheel". Only these
  # keys are accepted by the initrd SSH daemon, i.e. wheel membership is what
  # grants remote access to the LUKS passphrase prompt.
  wheelUserKeys = concatMap
    (user: optionals (elem "wheel" user.extraGroups) user.openssh.authorizedKeys.keys)
    (attrValues config.users.users);
in
{
  boot = {
    initrd = {
      availableKernelModules = [ "virtio-pci" ];

      network = {
        enable = true;

        ssh = {
          enable = true;
          port = 2223;
          # The host key is taken from the agenix secret declared below rather
          # than from a store path (see the assertion on supportsInitrdSecrets).
          hostKeys = [ config.age.secrets.${initrdHostKey}.path ];
          authorizedKeys = wheelUserKeys;
        };

        # Run the passphrase prompt as soon as root logs in over SSH.
        postCommands = ''
          echo 'cryptsetup-askpass' >> /root/.profile
        '';
      };
    };

    kernelParams = [
      # Wait forever for the filesystem root to show up
      "rootflags=x-systemd.device-timeout=0"
      # Wait forever to enter the LUKS passphrase via SSH
      "rd.luks.options=timeout=0"
    ];
  };

  # Configuring an initrd host key is only allowed when the boot loader can
  # embed secrets into the initrd; otherwise the private key would have to
  # live in the world-readable Nix store, which this module refuses to do.
  assertions = [
    {
      assertion = config.boot.initrd.network.ssh.hostKeys == [ ]
        || config.boot.loader.supportsInitrdSecrets == true;
      message = "Refusing to store private keys in store";
    }
  ];

  age.secrets.${initrdHostKey} = {
    file = "${secretsPath}/initrd-${initrdHostKey}.age";
    # Owner-only permissions: this is a private key.
    mode = "600";
    # Decrypted as a regular file at a fixed path (no symlink); presumably so
    # the initrd builder reads the real key rather than a link — confirm.
    path = "/etc/initrd/${initrdHostKey}";
    symlink = false;
  };
}