{ config, ... }:
let
  # Port on this host that the reverse tunnel from "losurdo" is expected to bind.
  reverseSshPort = 10022;
  # Dropbear in the initrd listens on its own port so that clients do not see
  # a host-key mismatch for the same host:port once the stage-2 sshd is up
  # (assuming the same host also runs a normal sshd).
  initrdSshPort = 2222;
in
{
  # Accept the reverse-tunnel port. This defines an extra `table inet filter`
  # with a chain `input-net`; whether that chain is hooked into the input path
  # depends on nftables configuration outside this file — confirm before
  # relying on it.
  networking.nftables.ruleset = ''
    table inet filter {
      chain input-net {
        tcp dport ${toString reverseSshPort} counter accept comment "SSH (reverse to losurdo)"
      }
    }
  '';

  services.openssh = {
    # Opens sshd's own listening port in the NixOS firewall.
    openFirewall = true;
    # Allows an authenticated client to bind a remote forward (-R) to a
    # non-loopback address. Any account that can log in can thus expose a port
    # on this host; the firewall, not sshd, decides which of those ports are
    # reachable from outside.
    settings.GatewayPorts = "clientspecified";
  };

  # sshd receives its host key from systemd as an encrypted credential.
  # The `${ssh/host.key.cred}` path interpolation copies the file into the
  # world-readable Nix store, which is acceptable only because the file is an
  # encrypted blob (presumably produced by `systemd-creds encrypt` — verify).
  # sshd still has to be pointed at the decrypted credential under
  # /run/credentials/sshd.service/; that wiring is not visible in this file.
  systemd.services.sshd.serviceConfig.LoadCredentialEncrypted = [
    "host.key:${ssh/host.key.cred}"
  ];

  # Networking plus an SSH daemon in the initrd, so the ZFS pool can be
  # unlocked remotely instead of at the console.
  boot.initrd.network = {
    enable = true;
    ssh = {
      enable = true;
      port = initrdSshPort;
      # Reuse root's authorized keys from the running system.
      authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
      # Separate host key for the initrd. Unless the bootloader supports initrd
      # secrets, this key ends up inside the initrd image, which is stored
      # unencrypted — treat it as lower-trust than the stage-2 sshd key.
      hostKeys = [ "/root/initrd/ssh.key" ];
    };
    # Every interactive initrd login runs `zfs load-key rpool`; only on success
    # does `pkill zfs` terminate the console-side load-key prompt so that boot
    # can continue.
    postCommands = ''
      echo >>/root/.profile "zfs load-key rpool && pkill zfs"
    '';
  };
}