diff --git a/flake.nix b/flake.nix
index 17b8997..57f755e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -40,6 +40,7 @@
     let modules = nix-hexchen.nixosModules // {
           bindMounts = import ./modules/bindmounts.nix;
           nopersist = import ./modules/nopersist.nix;
+          encboot = import ./modules/encboot.nix;
         };
         profiles = nix-hexchen.nixosModules.profiles // {
           container = import ./modules/container-profile.nix;
diff --git a/modules/encboot.nix b/modules/encboot.nix
new file mode 100644
index 0000000..362f7af
--- /dev/null
+++ b/modules/encboot.nix
@@ -0,0 +1,45 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let cfg = config.hacc.encboot;
+
+in {
+  options = {
+    hacc.encboot = {
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+      };
+      networkDrivers = mkOption { type = with types; listOf str; };
+      dataset = mkOption {
+        type = types.str;
+        default = "zroot";
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    boot.initrd.kernelModules = cfg.networkDrivers;
+
+    boot.initrd.network = {
+      enable = true;
+      ssh = {
+        enable = true;
+        port = 2222;
+        authorizedKeys = with lib;
+          concatLists (mapAttrsToList (name: user:
+            if elem "wheel" user.extraGroups then
+              user.openssh.authorizedKeys.keys
+            else
+              [ ]) config.users.users);
+        hostKeys = [ /etc/ssh/encboot_host ];
+      };
+
+      postCommands = ''
+        zpool import ${cfg.dataset}
+        echo "zfs load-key -a; killall zfs && exit" >> /root/.profile
+      '';
+    };
+  };
+}
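Review bot: In `postCommands`, the line appended to `/root/.profile` joins `zfs load-key -a` and `killall zfs` with `;`, so `killall zfs` runs even when loading the key failed. A mistyped passphrase over SSH would then presumably end the console prompt and close the session with no key loaded, which is awkward to recover from on a remote machine. Chaining on success avoids that: `echo "zfs load-key -a && killall zfs && exit" >> /root/.profile`. None of the options has a `description`. `dataset` is interpolated straight into `zpool import`, so it is really a pool name or a flag (parsons sets it to `"-a"`), and a comment should state that every `openssh.authorizedKeys.keys` entry of every `wheel` user is accepted by the initrd SSH server on port 2222. Because the initrd lives outside the encrypted pool, the module should also document that `/etc/ssh/encboot_host` must be a key generated only for this purpose, never the host's regular SSH host key.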
diff --git a/modules/nopersist.nix b/modules/nopersist.nix
index e598f67..e8308fc 100644
--- a/modules/nopersist.nix
+++ b/modules/nopersist.nix
@@ -8,7 +8,7 @@ with lib;
   users.mutableUsers = false;
 
   boot.initrd = mkIf (config.fileSystems."/".fsType == "zfs") {
-    network.ssh.hostKeys = mkIf config.hexchen.encboot.enable
+    network.ssh.hostKeys = mkIf config.hacc.encboot.enable
       (mkForce [ /persist/ssh/encboot_host ]);
 
     postDeviceCommands = mkIf (!config.boot.initrd.systemd.enable)
diff --git a/parsons/configuration.nix b/parsons/configuration.nix
index 690ce4e..aea3587 100644
--- a/parsons/configuration.nix
+++ b/parsons/configuration.nix
@@ -24,7 +24,7 @@
 
   hacc.bindToPersist = [ "/var/lib/acme" ];
 
-  hexchen.encboot = {
+  hacc.encboot = {
     enable = true;
     dataset = "-a";
     networkDrivers = [ "igb" ];