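{ config, lib, pkgs, ... }:

# NixOS module: remote disk unlock. Runs an SSH server inside the initrd so an
# operator can supply the disk passphrase over the network instead of at the
# console. Only the keys listed in `authorizedKeys` may connect.
let
  cfg = config.my.initrdSshUnlock;
in
{
  options.my.initrdSshUnlock = {
    # mkEnableOption already prefixes "Whether to enable ", so the text must
    # not start with "enable" itself (the original rendered as
    # "Whether to enable enable initrd SSH unlock.").
    enable = lib.mkEnableOption "initrd SSH unlock";

    authorizedKeys = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      description = "SSH public keys allowed to connect to initrd for disk unlock.";
    };

    hostKeyPath = lib.mkOption {
      type = lib.types.str;
      default = "/persist/etc/secrets/initrd/ssh_host_ed25519_key";
      description = "Path to the initrd SSH host private key on the target system.";
    };

    port = lib.mkOption {
      type = lib.types.port;
      default = 2222;
      description = "Port used by the initrd SSH server.";
    };
  };

  config = lib.mkIf cfg.enable {
    # Bring networking up via DHCP inside the initrd so sshd is reachable.
    # NOTE(review): the NIC driver must also be present in the initrd
    # (boot.initrd.availableKernelModules) or no interface will come up —
    # confirm for the target hardware.
    boot.kernelParams = [ "ip=dhcp" ];

    boot.initrd.network = {
      enable = true;
      ssh = {
        enable = true;
        port = cfg.port;
        # The private host key ends up inside the initrd image, which usually
        # sits on an unencrypted /boot. Use a key dedicated to the initrd
        # (as this module does) rather than the main system host key, and
        # expect clients to see a different host key on the unlock port.
        hostKeys = [ cfg.hostKeyPath ];
        authorizedKeys = cfg.authorizedKeys;
      };
    };

    # Create the dedicated initrd host key once and keep it across rebuilds,
    # so the initrd's host identity does not change on every generation.
    # The directory is root-only and ssh-keygen creates the key with an empty
    # passphrase because nothing in the initrd could supply one; the chmod is
    # belt-and-braces over ssh-keygen's own 0600.
    # NOTE(review): the key file has to exist when the boot entry is
    # installed (initrd secrets are gathered at that point), which may happen
    # before this activation script runs on the very first switch — verify
    # and, if needed, generate the key once by hand before enabling.
    system.activationScripts.initrdSshHostKey = {
      deps = [ "users" "groups" ];
      text = ''
        install -d -m 700 "$(dirname "${cfg.hostKeyPath}")"
        if [ ! -f "${cfg.hostKeyPath}" ]; then
          ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f "${cfg.hostKeyPath}"
          chmod 600 "${cfg.hostKeyPath}"
        fi
      '';
    };
  };
}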