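{ pkgs, lib, config, machineName, ... }:
let
  inherit (config.security) pass;

  # Names of the secrets inside the pass store (relative, without the .gpg
  # suffix). The same names are reused as destination paths on the target so
  # the store layout and the on-disk layout stay in step.
  rootKey = "root/key";
  initrdKey = "initrd/ssh.key";

  # Where the secrets land on the target machine. Derived once so the
  # install step, the gpg --import step and boot.initrd.network.ssh.hostKeys
  # cannot drift apart.
  rootKeyPassFile = "/${rootKey}.pass";      # /root/key.pass
  initrdKeyPath = "/root/${initrdKey}";      # /root/initrd/ssh.key

  target = config.installer.ssh-nixos.target;
in
{
  imports = [ ];

  security.pass.store = ../../../sec/pass/machines/losurdo;

  # Provision this machine's secrets over SSH before the rest of the installer
  # script runs (lib.mkBefore). Each secret is decrypted locally with gpg and
  # streamed through the SSH channel; no passphrase is ever placed on a
  # command line, so nothing shows up in `ps` on either side.
  installer.ssh-nixos = {
    PATH = with pkgs; [ gnupg openssh ];
    script = lib.mkBefore ''
      # Every step is a pipeline. Without pipefail a failed `gpg --decrypt`
      # (no agent, locked card, wrong key) exits 0 through `ssh`, which would
      # silently install an empty passphrase file on the target and import
      # nothing. The subshells scope pipefail to this fragment so the rest of
      # the installer script keeps its own shell options; a failure aborts,
      # because the later steps depend on the earlier ones.

      # 1. Send the rootKey's passphrase (root-only, mode 0400).
      (
        set -o pipefail
        gpg --decrypt '${pass.store}/${rootKey}.pass.gpg' \
          | ssh '${target}' \
              install -D -m 400 -o root -g root /dev/stdin ${rootKeyPassFile}
      ) || { echo "failed to install ${rootKeyPassFile} on ${target}" >&2; exit 1; }

      # 2. Send the rootKey. The passphrase is fed to the local gpg on fd 0
      #    (--passphrase-fd 0) to unlock the export; the remote gpg reads the
      #    copy installed in step 1 (--passphrase-file) to import it.
      (
        set -o pipefail
        gpg --decrypt '${pass.store}/${rootKey}.pass.gpg' \
          | gpg --batch --pinentry-mode loopback --passphrase-fd 0 \
              --export-secret-subkeys @root@${machineName} \
          | ssh '${target}' \
              gpg --batch --pinentry-mode loopback --passphrase-file ${rootKeyPassFile} --import
      ) || { echo "failed to import the root key on ${target}" >&2; exit 1; }
      # NOTE(review): ${rootKeyPassFile} remains on the target after the
      # import. It may be needed at runtime by the pass module; if it is not,
      # remove it here rather than leaving a plaintext passphrase on disk.

      # 3. Send the SSH host key of the initrd (root-only, mode 0400).
      (
        set -o pipefail
        gpg --decrypt '${pass.store}/${initrdKey}.gpg' \
          | ssh '${target}' \
              install -D -m 400 -o root -g root /dev/stdin ${initrdKeyPath}
      ) || { echo "failed to install ${initrdKeyPath} on ${target}" >&2; exit 1; }
    '';
  };

  # Host key presented by the initrd's SSH server.
  # NOTE(review): files listed here are embedded in the initrd image, which
  # normally lives unencrypted under /boot, so anyone who can read /boot can
  # read this key. Confirm that /boot is protected accordingly.
  boot.initrd.network.ssh.hostKeys = [ initrdKeyPath ];
}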