{ config, pkgs, ... }:
{
  # Unlock encrypted root partition remotely with SSH.
  # TODO: Some manual steps are required, see https://nixos.wiki/wiki/Remote_LUKS_Unlocking#Prepare_SSH_host_keys
  # -> ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key
  #
  # Additional references:
  # https://wiki.archlinux.org/title/Dm-crypt/Specialties#Remote_unlocking_of_root_(or_other)_partition

  # SSH in initrd
  boot.initrd.network.enable = true;
  boot.initrd.network.ssh = {
    enable = true;
    port = (
      if (config.networking.hostName == "yodaTux") || (config.networking.hostName == "yodaTab") || (config.networking.hostName == "yodaGaming")
        then 22
      else if (config.networking.hostName == "yodaYoga")
        then 2225
      else if (config.networking.hostName == "yodaNas")
        then 2223
      else if (config.networking.hostName == "yodaHedgehog")
        then 2227
      else throw "Please add initrd ssh port here"
    );
    shell = "/bin/cryptsetup-askpass";
    authorizedKeys = [
      (builtins.readFile ../assets/ssh/nitrokey.pub)
    ];
    hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
  };

  # Network in initrd
  #
  # Find out which module is used for network card:
  #   lspci -v | grep -iA8 'network\|ethernet'
  # Or check the "Network" part of:
  #   inxi -F
  #
  boot.initrd.availableKernelModules = (
    if (config.networking.hostName == "yodaTux") || (config.networking.hostName == "yodaHedgehog")
      then [ "r8169" ]
    else if (config.networking.hostName == "yodaYoga") || (config.networking.hostName == "yodaNas")
      then [ "e1000e" ]
    else if (config.networking.hostName == "yodaGaming")
      then [ "tg3" ]
    else throw "Please add kernel module of networ card here"
  );
  #
  # dmesg -> enp0s20f0u1u2: renamed from eth0 (yodaTux)
  # dmesg -> enp0s31f6: renamed from eth0 (yodaYoga)
  #boot.kernelParams = [ "ip=:::::eth0:dhcp" ];
  boot.kernelParams = [ "ip=dhcp" ];

  # Clear the configuration of the interfaces that were set up in the initrd right before stage 2 takes over.
  # Stage 2 will do the regular network configuration based on the NixOS networking options.
  # https://nixos.org/manual/nixos/stable/options#opt-boot.initrd.network.flushBeforeStage2
  #boot.initrd.network.flushBeforeStage2 = true;

  # TODO: Timeout if no Internet connection is available (to be able to enter password with a keyboard).
}