# SSH configuration for this host, covering both the running system and the
# stage-1 initrd (so the ZFS root pool can be unlocked remotely at boot).
# Note: `hostName` is passed in by the module system here, and the
# `security.initrd.*` options used below are not stock NixOS options — they
# appear to come from a project-local initrd module.
{ config, hostName, ... }: {
  networking.nftables.ruleset = ''
    table inet filter {
      chain input-net {
        # Accept TCP 10022 from any source; only the port is restricted.
        # Per its comment this is the listening end of a reverse SSH tunnel
        # ("losurdo"), which is what the GatewayPorts setting below enables.
        tcp dport 10022 counter accept comment "SSH (reverse to losurdo)"
      }
    }
  '';

  services.openssh = {
    # Opens sshd's listening port(s) in the firewall (the default port, unless
    # `services.openssh.ports` is set elsewhere in the configuration).
    openFirewall = true;
    # Let an authenticated client choose the bind address of its remote
    # (-R) forwards, so a forwarded port can listen on a non-loopback address.
    # Without this, remote forwards are bound to loopback only and the 10022
    # rule above would never be reachable from the network. Presumably the
    # peer forwards onto port 10022 — confirm against the peer's config.
    settings.GatewayPorts = "clientspecified";
  };

  # Hand sshd its host key as an encrypted systemd credential; systemd
  # decrypts it when the unit starts. Interpolating the path copies
  # ssh/host.key.cred into the Nix store, which is world-readable, so this
  # file must be the encrypted form (presumably made with systemd-creds).
  systemd.services.sshd.serviceConfig.LoadCredentialEncrypted = [
    "host.key:${ssh/host.key.cred}"
  ];

  # Map the initrd host key (destination, relative to stage1Dir) to its
  # GPG-encrypted source in the repo. NOTE(review): this is a project-local
  # option, not the stock `boot.initrd.secrets` — check that module for how
  # and when the .gpg file is decrypted.
  security.initrd.secrets."${hostName}/ssh/initrd.key" = "hosts/${hostName}/ssh/initrd.key.gpg";

  boot.initrd.network.ssh = {
    enable = true;
    # Stage-1 sshd listens on 2222, not 22; presumably so the initrd host key
    # does not collide with the real system's key in clients' known_hosts.
    port = 2222;
    # Reuse root's authorized keys for the initrd, so whoever can log in as
    # root on the booted system can also unlock it at boot.
    authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
    # Host key path inside the initrd, where the secret above is placed.
    hostKeys = [ "${config.security.initrd.stage1Dir}/${hostName}/ssh/initrd.key" ];
  };

  boot.initrd.network = {
    enable = true;
    # This will automatically load the zfs password prompt on login
    # and kill the other prompt so boot can continue
    # The pkill zfs kills the zfs load-key from the console
    # allowing the boot to continue.
    # `pkill` runs only if `zfs load-key` succeeded (&&). It matches any
    # process named zfs, so if other zfs processes run in the initrd at that
    # point they would be killed too — TODO confirm none do.
    postCommands = ''
      echo >>/root/.profile "zfs load-key rpool && pkill zfs"
    '';
  };
}