{ lib, config, ... }:
let
  cfg = config.my.modules.remote-unlock;
in
{
  options.my.modules.remote-unlock = with lib; {
    enable = mkEnableOption "remote unlock";
  };

  config = lib.mkIf cfg.enable {
    boot.kernelParams = [
      "ip=dhcp"
    ];

    boot.initrd.network = {
      enable = true;
      postCommands = "echo 'cryptsetup-askpass' >> /root/.profile";
      flushBeforeStage2 = true;
      ssh = {
        enable = true;
        port = 911;
        hostKeys = [
          "/etc/initrd/ssh_host_ed25519_key"
        ];
        authorizedKeys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
        ];
      };
    };
  };
}