Disk Encryption on NixOS servers: How & when to unlock?

I run such a setup with dropbear. It’s quite easy to configure:

  # additional hardware configuration not discovered by hardware scan
  boot.initrd.availableKernelModules = [ "virtio-pci" ];

  boot.initrd.network = {
    enable = true;
    ssh = {
      enable = true;
      port = 2222;
      hostECDSAKey = /var/src/secrets/dropbear/ecdsa-hostkey;
      # this includes the ssh keys of all users in the wheel group, but you can just specify some keys manually
      # authorizedKeys = [ "ssh-rsa ..." ];
      authorizedKeys = with lib; concatLists (mapAttrsToList
        (name: user: if elem "wheel" user.extraGroups
                     then user.openssh.authorizedKeys.keys
                     else [])
        config.users.users);
    };
    postCommands = ''
      echo 'cryptsetup-askpass' >> /root/.profile
    '';
  };

Since the ssh server in initrd will use a different host key (it’s unencrypted), I always let it listen on a different port, so that the ssh client will not complain about the different host key.

Also note that the initrd networking will automatically include DHCP for the interfaces where you have enabled it (with networking.interfaces.xyz.useDHCP).
Just be aware that the networking from initrd is kept, and predictable interface names and IPv6 configuration might not work as expected.

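The separate port keeps the client from confusing the two host keys, but it does not by itself verify the initrd key. As an added client-side example (not from the post above), this script pins the dropbear host key in a dedicated known_hosts file using the `[host]:port` form and checks it before building the unlock command; the host name and key lines are constructed sample values.

```shell
#!/bin/sh
# Pin the initrd (dropbear) host key in its own known_hosts file so the unlock
# connection on port 2222 is verified against exactly that key, independent of
# the main system's key. Host name and key lines are constructed sample values.
set -eu

INITRD_PORT=2222

# Write (or replace) the known_hosts entry for the initrd ssh server.
# $1 = host, $2 = public key line ("ecdsa-sha2-nistp256 AAAA..."), $3 = known_hosts file
pin_initrd_hostkey() {
  host=$1; pubkey=$2; kh=$3
  touch "$kh"
  # drop any stale entry for this host:port before adding the current key
  grep -v -F "[$host]:$INITRD_PORT " "$kh" > "$kh.tmp" || true
  printf '[%s]:%s %s\n' "$host" "$INITRD_PORT" "$pubkey" >> "$kh.tmp"
  mv "$kh.tmp" "$kh"
}

# Return 0 if the pinned key for host matches the expected public key line,
# 1 if it is missing or differs (e.g. after the initrd was rebuilt with a new key).
verify_pinned_hostkey() {
  host=$1; expected=$2; kh=$3
  pinned=$(grep -F "[$host]:$INITRD_PORT " "$kh" 2>/dev/null) || return 1
  pinned=${pinned#* }   # strip the "[host]:port" field
  [ "$pinned" = "$expected" ]
}

# Build the unlock command: strict checking against the dedicated file only,
# then run the askpass helper that the initrd's /root/.profile also invokes.
unlock_cmd() {
  host=$1; kh=$2
  printf 'ssh -p %s -o UserKnownHostsFile=%s -o GlobalKnownHostsFile=/dev/null -o StrictHostKeyChecking=yes root@%s cryptsetup-askpass' \
    "$INITRD_PORT" "$kh" "$host"
}
```

The public key line to pin can be derived on the server from the dropbear private key with `dropbearkey -y -f <keyfile>` (assumed to be the key format used by hostECDSAKey here).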