encrypted usb key

system/work/hardware.nix

@@ -9,7 +9,7 @@
     ];
 
   boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod" "sdhci_pci" ];
-  boot.initrd.kernelModules = [ ];
+  boot.initrd.kernelModules = ["uas" "usbcore" "usb_storage" "vfat" "nls_cp437" "nls_iso8859_1"];
   boot.kernelModules = [ "kvm-intel" ];
   boot.extraModulePackages = [ ];
 
@@ -19,10 +19,22 @@
       options = [ "subvol=@" "compress=zstd" "autodefrag" ];
     };
 
+  boot.initrd.postDeviceCommands = pkgs.lib.mkBefore ''
+    mkdir -m 0755 -p /key
+
+    sleep 2
+    echo "found block devices"
+    ls /dev/disk/by-id/
+
+    cryptsetup luksOpen /dev/disk/by-id/usb-Generic_Flash_Disk_BCC97785-0:0 usbkey
+    mount -n -t vfat -o ro /dev/mapper/usbkey /key
+  '';
+
   boot.initrd.luks.devices."cryptroot" = {
     device = "/dev/disk/by-uuid/570cc51f-bd5c-4bee-a18f-f6aabaf60881";
     keyFileSize = 4096;
-    keyFile = "/dev/sda";
+    keyFile = "/key/keyfile";
+    preLVM = false;
   };
 
   fileSystems."/home" =