better unlock hopefully

hosts/i001/hardware-mounts.nix

@@ -1,4 +1,4 @@
-{ ... }:
+{ pkgs, ... }:
 let
   BOOT = "/dev/disk/by-uuid/ABDB-2A38";
   PRIMARY = "/dev/disk/by-uuid/08610781-26d3-456f-9026-35dd4a40846f";
@@ -16,11 +16,6 @@ in
     ];
   };
 
-  # PRIMARY unencrypt
-  # TODO how to auto unencrypt with options...
-  # - USB key
-  # - TPM
-
   # PRIMARY
   fileSystems."/" = {
     device = PRIMARY;
@@ -70,6 +65,34 @@ in
     }
   ];
 
+  # PRIMARY unencrypt
+  # TODO how to auto unencrypt with options...
+  # - USB key
+  # - TPM
+  boot.initrd.availableKernelModules = [ "bcachefs" ];
+  boot.initrd.extraUtilsCommands = ''
+    copy_bin_and_libs ${pkgs.bcachefs-tools}/bin/bcachefs
+  '';
+
+  boot.initrd.preDeviceCommands = ''
+    ${pkgs.bcachefs-tools}/bin/bcachefs unlock /dev/disk/by-uuid/XXXX
+  '';
+
+  # # Run unlock before devices are scanned/mounted
+  # boot.initrd.preDeviceCommands = ''
+  #   echo "Unlocking bcachefs..."
+  #   # Example: ask for a passphrase
+  #   /bin/echo -n "Bcachefs passphrase: "
+  #   /bin/stty -echo
+  #   read PASSPHRASE
+  #   /bin/stty echo
+  #   echo
+  #
+  #   # Use the passphrase to unlock the device
+  #   # Replace /dev/disk/by-uuid/XXXX with your actual device
+  #   echo "$PASSPHRASE" | ${pkgs.bcachefs-tools}/bin/bcachefs unlock /dev/disk/by-uuid/XXXX
+  # '';
+
   # Reset root
   # TODO
   # boot.initrd.systemd.services.rollback-root = {