{ pkgs, lib, config, ... }:
{
# Extra nftables rule: accept inbound TCP to port 10022 in chain `net2fw` of
# table `inet filter`, with a packet/byte counter. Per the rule's own comment,
# 10022 is the listening end of a reverse SSH forward towards "losurdo".
# The rule has no source-address match, so every peer that reaches `net2fw`
# may connect; the forwarded sshd's own authentication is the only gate.
# NOTE(review): `net2fw` is defined outside this file; presumably it carries
# traffic from the external network to this host. Confirm, and consider
# limiting the rule to known client addresses if the set is fixed.
networking.nftables.ruleset = ''
  add rule inet filter net2fw tcp dport 10022 counter accept comment "SSH (reverse to losurdo)"
'';
# sshd settings for the running system (`enable` is not set in this file;
# presumably it is set elsewhere).
services.openssh = {
  # sshd GatewayPorts=clientspecified: the client that requests a remote
  # forward (ssh -R) picks the bind address, so a forwarded port can listen on
  # a non-loopback address and be reached from other hosts. This is what lets
  # the reverse tunnel on port 10022 (see the nftables rule in this file) be
  # reachable from the network.
  # NOTE(review): this applies to every account allowed to log in, not just the
  # tunnel user. If only one forward is intended, restrict it with sshd's
  # PermitListen or a `permitlisten="..."` option on the tunnel key.
  gatewayPorts = "clientspecified";
  # Ask the NixOS module to open the sshd listening port(s) in the firewall.
  # NOTE(review): how this interacts with the hand-written nftables ruleset in
  # this file depends on firewall configuration not shown here.
  openFirewall = true;
};
# SSH server inside the initrd, so the machine can be reached before the root
# pool is unlocked.
boot.initrd.network.ssh = {
  enable = true;
  # The initrd SSH server presents a different host key than the normal sshd.
  # Running it on a separate port keeps clients from reporting a host-key
  # mismatch for the same hostname (assuming the same host also has a normal
  # sshd running).
  # NOTE(review): the original wording names dropbear; newer NixOS releases run
  # OpenSSH's sshd in the initrd. The port-separation rationale holds either way.
  port = 2222;
  # Reuses root's authorized keys from the running system: every key that can
  # log in as root after boot can also open the initrd shell, where the ZFS
  # passphrase is entered.
  authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
  # Private host key for the initrd SSH server, read from this path.
  # NOTE(review): the initrd is available before any encrypted pool is
  # unlocked, so, depending on bootloader support for initrd secrets, this key
  # may be readable by anyone with access to the boot media. Keep it dedicated
  # to the initrd and never reuse the main sshd host key here.
  hostKeys = [ "/root/initrd/ssh.key" ];
};
# Bring up networking in the initrd (needed by the initrd SSH server).
boot.initrd.network = {
  enable = true;
  # Appends a line to /root/.profile so that logging in runs
  # `zfs load-key rpool` and prompts for the pool passphrase.
  # Only if that succeeds (`&&`) does `pkill zfs` run; it kills the
  # `zfs load-key` prompt still waiting on the console, which lets the boot
  # continue.
  # NOTE(review): `pkill zfs` matches on the process name pattern "zfs", not
  # only the console prompt; presumably nothing else matching runs at this
  # stage, confirm.
  # The passphrase is typed into this SSH session, so clients should pin the
  # initrd host key for port 2222 rather than accept an unknown key.
  postCommands = ''
    echo >>/root/.profile "zfs load-key rpool && pkill zfs"
  '';
};
}