diff --git a/flake.nix b/flake.nix
index 7ccfa1a..855752a 100755
--- a/flake.nix
+++ b/flake.nix
@@ -69,6 +69,7 @@
 ./modules/manual.nix
 ./modules/sharepic.nix
 ./modules/zammad.nix
+ ./modules/initrd-ssh.nix
 {
 nixpkgs.overlays = [ self.overlays.default ];
 sops.defaultSopsFile = ./secrets/quitte.yaml;
diff --git a/modules/initrd-ssh.nix b/modules/initrd-ssh.nix
new file mode 100644
index 0000000..a67eda6
--- /dev/null
+++ b/modules/initrd-ssh.nix
@@ -0,0 +1,19 @@
+# Find the required kernel module for the network adapter using `lspci -v` and add it to `boot.initrd.availableKernelModules`.
+# Enable `networking.useDHCP` or set a static ip using the `ip=` kernel parameter.
+# Generate another SSH host key for the machine:
+# $ ssh-keygen -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key_initrd -C HOSTNAME-initrd
+# Add the public key to your known_hosts and create an ssh config entry.
+{ ... }:
+{
+boot.initrd.network = {
+enable = true;
+ssh = {
+enable = true;
+port = 222;
+shell = "/bin/cryptsetup-askpass";
+hostKeys = [ "/etc/ssh/ssh_host_ed25519_key_initrd" ];
+# authorizedKeys option inherits root's authorizedKeys.keys, but not keyFiles
+};
+};
+}
+
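Review bot: The trailing comment in modules/initrd-ssh.nix notes that `authorizedKeys` only inherits root's `authorizedKeys.keys` and not `keyFiles`, but the module then leaves the option unset; if this host supplies root's keys via `keyFiles` (the flake wires up sops, so that is plausible but not visible here), the initrd sshd would be built with an empty authorized-key list and the remote unlock would silently be unusable. I would set it explicitly next to `hostKeys`, e.g. `authorizedKeys = [ "<public key that may unlock this disk>" ];` (placeholder), and verify by inspecting the built initrd rather than relying on the inherited default. The header comment should also say why a second host key is required: the file named in `hostKeys` is copied into the initrd image, which normally sits on the unencrypted boot partition, so anyone with access to that partition can read it and the main `/etc/ssh/ssh_host_ed25519_key` must never be listed there, e.g. `# Use a separate key: it is embedded in the (unencrypted) initrd, so a disk reader can recover it.`. Finally, the comment about `boot.initrd.availableKernelModules` describes a prerequisite the module does not itself enforce, so it is worth stating that the per-host configuration is expected to set it.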