baremetal: add untested ssh unlock in initrd

modules/baremetal.nix

@@ -4,6 +4,24 @@
   options.c3d2.baremetal = lib.mkEnableOption "baremetal";
 
   config = lib.mkIf config.c3d2.baremetal {
+    boot.initrd.network = {
+      enable = true;
+      ssh = {
+        enable = true;
+        authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
+        hostKeys = [
+          "/etc/ssh/initrd/ssh_host_ed25519_key"
+          "/etc/ssh/initrd/ssh_host_rsa_key"
+        ];
+        port = 4748;
+      };
+      postCommands = ''
+        cat <<EOF > /root/.profile
+        cryptsetup-askpass
+        EOF
+      '';
+    };
+
     environment.systemPackages = with pkgs; [
       lshw
       pciutils # lscpi