{ hostName, config, pkgs, ... }:
{
  config = {
    boot.initrd.network = {
      enable = true;
      ssh = {
        enable = true;
        hostKeys = with config.sops.secrets; [ initrd_ssh_host_rsa_key.path initrd_ssh_host_ed25519_key.path ];
        authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys ++ map (kF: builtins.readFile kF) config.users.users.root.openssh.authorizedKeys.keyFiles;
      };
    };
    
    sops.secrets = {
      initrd_ssh_host_rsa_key = {
          key = "rsa";
          path = "/etc/initrd-ssh/ssh_host_rsa_key";
          sopsFile = ./host-keys + "/${hostName}-private.yaml";
      };
      initrd_ssh_host_ed25519_key = {
          key = "ed25519";
          path = "/etc/initrd-ssh/ssh_host_ed25519_key";
          sopsFile = ./host-keys + "/${hostName}-private.yaml";
      };
    };
    environment.etc =
      let
        mkPubkey = typ: pkgs.runCommand "initrd_ssh_host_${typ}_key" { buildInputs = with pkgs; [ yq ]; } ''
          yq -r '.${typ}' ${./host-keys + "/${hostName}-public.yaml"} > $out
        '';
      in {
        "initrd-ssh/ssh_host_rsa_key.pub".source = mkPubkey "rsa";
        "initrd-ssh/ssh_host_ed25519_key.pub".source = mkPubkey "ed25519";
      };
  };
}