# NixOS host module: BIOS GRUB boot, LUKS-encrypted root on /dev/sda3, and an
# SSH server inside the initrd so the root volume can be unlocked remotely.
#
# Trust model to keep in mind when reviewing this file:
#   * /boot (/dev/sda2, vfat) is NOT encrypted. The kernel, the initrd and
#     everything listed under boot.initrd.secrets sit there in cleartext.
#   * The initrd SSH host key is therefore readable by anyone with access to
#     the disk or its snapshots. It must be a key generated only for the
#     initrd, never the host's regular sshd key.
#   * That host key is the only thing authenticating the unlock prompt to the
#     operator, so clients should pin its fingerprint rather than accept it
#     blindly.
{ config, tree, ... }:
{
  imports = [ tree.profiles.sshd ];

  config = {
    boot = {
      loader = {
        systemd-boot.enable = false;

        grub = {
          enable = true;
          efiSupport = false;
          # NOTE(review): /boot below is a plain vfat partition, so GRUB itself
          # does not appear to need to open a LUKS container. Confirm whether
          # this is still required.
          enableCryptodisk = true;
          device = "/dev/sda";
        };

        # NOTE(review): this is normally declared by the bootloader module
        # rather than set by hand. It makes initrd.secrets get appended to the
        # initrd at bootloader-install time instead of going through the
        # world-readable Nix store.
        supportsInitrdSecrets = true;
      };

      initrd = {
        availableKernelModules = [
          # Storage controllers and block devices
          "nvme"
          "ahci"
          "xhci_pci"
          "virtio_pci"
          "sd_mod"
          "sr_mod"
          # Networking on Hetzner VMs (needed for the initrd SSH server)
          "virtio_net"
          # Cryptography
          "aesni_intel"
          "cryptd"
        ];

        luks = {
          forceLuksSupportInInitrd = true;

          # "nixos_unencrypted" is the name of the opened mapping
          # (/dev/mapper/nixos_unencrypted); the data on /dev/sda3 is encrypted.
          devices."nixos_unencrypted" = {
            # NOTE(review): /dev/sdX names depend on enumeration order; a
            # /dev/disk/by-uuid path would be more stable.
            device = "/dev/sda3";
            preLVM = false;
            # Passing TRIM through LUKS reveals which blocks are unused to
            # anyone who can read the raw device. This is a deliberate
            # performance-versus-confidentiality trade-off.
            allowDiscards = true;
          };
        };

        network = {
          enable = true;

          ssh = {
            enable = true;
            # NOTE(review): same port as the regular sshd. Because the initrd
            # presents a different host key, clients see a key mismatch on one
            # of the two; prefer a separate known_hosts entry or port over
            # disabling host-key checking.
            port = 22;
            # Every key authorised for root on the running system can also
            # reach the unlock prompt. The LUKS passphrase is still required.
            authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
            hostKeys = [ "/ssh_host_ed25519_key" ];
          };

          # Start the passphrase prompt as soon as root logs in over SSH.
          postCommands = ''
            echo 'cryptsetup-askpass' >> /root/.profile
          '';
        };

        # Attribute name is the path inside the initrd; the value is the file
        # on the running system that gets copied in. Keep the source file
        # root-only (mode 0600) and out of the Nix store.
        secrets."/ssh_host_ed25519_key" = "/ssh_host_ed25519_key";
      };
    };

    fileSystems."/" = {
      device = "/dev/mapper/nixos_unencrypted";
      fsType = "ext4";
    };

    # Unencrypted boot partition; see the trust-model notes at the top.
    fileSystems."/boot" = {
      device = "/dev/sda2";
      fsType = "vfat";
    };
  };
}