encrypt usbkey

system/zenix/hardware.nix

@@ -9,7 +9,7 @@
     ];
 
   boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
-  boot.initrd.kernelModules = [ ];
+  boot.initrd.kernelModules = ["uas" "usbcore" "usb_storage" "vfat" "nls_cp437" "nls_iso8859_1"];
   boot.kernelModules = [ "kvm-amd" ];
   boot.extraModulePackages = [ ];
 
@@ -19,10 +19,22 @@
       options = [ "subvol=@" "compress=zstd" "autodefrag" ];
     };
 
+  boot.initrd.postDeviceCommands = pkgs.lib.mkBefore ''
+    mkdir -m 0755 -p /key
+
+    sleep 2
+    echo "found block devices"
+    ls /dev/disk/by-id/
+
+    cryptsetup luksOpen /dev/disk/by-id/usb-Generic_Flash_Disk_BCC97785-0:0 usbkey
+    mount -n -t vfat -o ro /dev/mapper/usbkey /key
+  '';
+
   boot.initrd.luks.devices."cryptroot" = {
     device = "/dev/disk/by-uuid/cc0617df-8cbf-4618-abbc-df64c96de151";
     keyFileSize = 4096;
-    keyFile = "/dev/disk/by-id/usb-Generic_Flash_Disk_BCC97785-0:0";
+    keyFile = "/key/keyfile";
+    preLVM = false;
   };
 
   fileSystems."/home" =