diff --git a/modules/nixos/bin-bash-wrapper.nix b/modules/nixos/bin-bash-wrapper.nix
index 3068129..c1e4c7f 100644
--- a/modules/nixos/bin-bash-wrapper.nix
+++ b/modules/nixos/bin-bash-wrapper.nix
@@ -12,6 +12,23 @@ let
 cryptrootUnlockWrapper = pkgs.writeShellScriptBin "cryptroot-unlock" ''
 exec /run/current-system/sw/bin/systemd-tty-ask-password-agent --query --watch "$@"
 '';
+ unlockHost = pkgs.writeShellScriptBin "unlock-host" ''
+ set -euo pipefail
+
+ usage() {
+ echo "Usage: unlock-host [ssh-options...]"
+ echo "Unlocks a remote host waiting for a LUKS passphrase during boot."
+ exit 1
+ }
+
+ [[ $# -lt 1 ]] && usage
+ [[ "$1" == "-h" || "$1" == "--help" ]] && usage
+
+ HOST="$1"
+ shift
+
+ ssh -tt "$@" "$HOST" systemd-tty-ask-password-agent --query
+ '';
 in
 {
 options.my.binBashWrapper.enable = lib.mkEnableOption "create a /bin/bash wrapper";
@@ -20,6 +37,7 @@ in
 systemd.tmpfiles.rules = [
 "L+ /bin/bash - - - - ${bashWrapper}/bin/bash"
 "L+ /bin/cryptroot-unlock - - - - ${cryptrootUnlockWrapper}/bin/cryptroot-unlock"
+ "L+ /bin/unlock-host - - - - ${unlockHost}/bin/unlock-host"
 ];
 };
 }
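Review bot: The `ssh -tt "$@" "$HOST" …` line relays a LUKS passphrase prompt from whichever machine answers for that name, and neither the script nor its usage text says how the remote host key is verified. An initrd SSH server commonly presents a different host key from the booted system (inferred; the initrd configuration is not part of this diff), which tends to push operators toward disabling host-key checks, and the passphrase is then typed into an unauthenticated endpoint. I would add a comment above the call such as `# Pin the initrd host key: -o UserKnownHostsFile=<initrd-known-hosts-placeholder> -o StrictHostKeyChecking=yes`. I would also end option parsing before the destination with `ssh -tt "$@" -- "$HOST" systemd-tty-ask-password-agent --query`, so a host value beginning with `-` is not read as an ssh option.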
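Review bot: The new `"L+ /bin/unlock-host …"` rule installs a client-side tool through the same switch that is described as "create a /bin/bash wrapper", so enabling that option now has a side effect its description does not mention. `L+` also replaces whatever already exists at `/bin/unlock-host`. Unlike the two wrappers above it, nothing visible here requires this tool at a fixed `/bin` path, so `environment.systemPackages = [ unlockHost ];` would put it on PATH without a tmpfiles rule. If the symlink stays, the option description should at least list what gets created. The enclosing config block starts outside the hunk, so the enabling condition is assumed from the option name.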