I made such a config for SSH with Hetzner Cloud for the play.
@TLATER is right: after reading many posts on Stack Overflow, security is a mirage when it concerns a machine you cannot control physically (an RPI 4, for example). I migrate the data I want to protect to an encrypted SSD with an RPI4 running NixOS, connected to my VPS by tunnelling (Tailscale or equivalent).
GRUB manages LUKS decryption, but you need access to the console because that happens before SSH; see "Full encrypted nixos system on legacy boot with secrets and remote unlock, for unstable 20.03".