I run NixOS Linux on a Hetzner dedicated server which was installed from the Rescue system using this script, which sets up the disks using RAID1 and LVM.
I'd like to add full-disk encryption to this install script. The NixOS manual recommends LUKS ... but this will have the user manually enter the encryption passphrase during boot time in front of the actual console (neither physically nor virtually accessible to me; at least with Hetzner) - something that's not directly possible when renting a dedicated server from another country.
One person recommended using an SSH service during initrd boot (see the corresponding Nix config) - but I do not know what the full setup would be. Apparently, you would ssh to the still-being-booted machine to manually enter the passphrase, somehow triggering the boot process to complete.
Question: how do you do this in Nix? More specifically, how would you patch the aforementioned install script to achieve this automatically?
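
The initrd SSH approach described in the question, sketched as a NixOS configuration fragment (an added example, not part of the original post and not taken from the install script it mentions). It covers only the NixOS side, not the disk partitioning done by the script. The device path, NIC driver, port, key path, and public key are placeholders or assumptions.

```nix
{ ... }:
{
  # LUKS container to open in the initrd. "cryptroot" and the UUID are
  # placeholders; with RAID1 + LVM this is typically the md device that
  # holds the LVM physical volume.
  boot.initrd.luks.devices.cryptroot = {
    device = "/dev/disk/by-uuid/REPLACE-WITH-LUKS-UUID";
  };

  # The NIC driver has to be inside the initrd or there is no network to
  # SSH over. "e1000e" is an assumption; check `lspci -k` on the real host.
  boot.initrd.availableKernelModules = [ "e1000e" ];

  # Bring the interface up in the initrd. DHCP is an assumption; a static
  # "ip=..." kernel parameter works the same way.
  boot.kernelParams = [ "ip=dhcp" ];

  boot.initrd.network = {
    enable = true;
    ssh = {
      enable = true;

      # A different port from the booted system's sshd, so the two host
      # keys do not collide in the client's known_hosts.
      port = 2222;

      # Dedicated initrd host key (path is a placeholder). The initrd is
      # stored unencrypted, so this key must be treated as readable by
      # anyone with access to the disk: never reuse the main system's
      # host key here.
      hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];

      # Public keys only; the initrd sshd has no password login.
      # Placeholder key, replace with your own.
      authorizedKeys = [ "ssh-ed25519 AAAA...REPLACE... admin@example" ];
    };
  };
}
```

With the default scripted initrd, connecting as `root` on the chosen port and running `cryptsetup-askpass` passes the passphrase to the waiting boot process, which then continues.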