diff --git a/README.md b/README.md
index 63ee401..dccd3a7 100644
--- a/README.md
+++ b/README.md
@@ -71,6 +71,11 @@ This is my personal nix config.
 - Rekey the secrets for the new identity `nix run .#rekey`
 - Deploy again remotely via colmena
 
+#### Remote encrypted unlock
+
+If a host uses encrypted root together with the `common/initrd-ssh.nix` module,
+it can be unlocked remotely by connecting via ssh on port 4 and executing `systemd-tty-ask-password-agent`.
+
 #### Show QR for external wireguard client
 
 nix run show-wireguard-qr
diff --git a/flake.lock b/flake.lock
index de31bf7..cda39a3 100644
--- a/flake.lock
+++ b/flake.lock
@@ -53,11 +53,11 @@
 "stable": "stable"
 },
 "locked": {
-"lastModified": 1682202576,
-"narHash": "sha256-vcTEEEHKx4PTfY80bUmZMwXRy0cTDJCkULHhqe1HJS8=",
+"lastModified": 1682737380,
+"narHash": "sha256-n3rZkHZls9BNr35o3veK00UsM1KSh/oNTJjLkFbEOY8=",
 "owner": "zhaofengli",
 "repo": "colmena",
-"rev": "089431737e283ed3e402a7dff578cb442444c431",
+"rev": "be837ee341b6508c355035973d5f7c7e88d7c64f",
 "type": "github"
 },
 "original": {
@@ -116,15 +116,15 @@
 ]
 },
 "locked": {
-"lastModified": 1682299489,
-"narHash": "sha256-bqHo0/82KB+IyBMyjBd6QdyZWJl/YZeGggjBsAgRFlY=",
-"owner": "nix-community",
+"lastModified": 1682795657,
+"narHash": "sha256-tLZV918KDU8GrucWqliAwO87mqWJhIrvaF17LU51UjE=",
+"owner": "oddlama",
 "repo": "disko",
-"rev": "8ab9e5609929379ab15f03fd3bdc1f85419e5a3a",
+"rev": "3a952244d422ea0e25b0e53c1fe2798605a59434",
 "type": "github"
 },
 "original": {
-"owner": "nix-community",
+"owner": "oddlama",
 "repo": "disko",
 "type": "github"
 }
@@ -207,11 +207,11 @@
 ]
 },
 "locked": {
-"lastModified": 1682419509,
-"narHash": "sha256-+/HI3RbJcEKQ5+55dECzh8geginsbabsA0R3ORKi2Us=",
+"lastModified": 1682779989,
+"narHash": "sha256-H8AjcIBYFYrlRobYJ+n1B+ZJ6TsaaeZpuLn4iRqVvr4=",
 "owner": "nix-community",
 "repo": "home-manager",
-"rev": "6142193635ecdafb9a231bd7d1880b9b7b210d19",
+"rev": "3144311f31194b537808ae6848f86f3dbf977d59",
 "type": "github"
 },
 "original": {
@@ -344,11 +344,11 @@
 },
 "nixpkgs": {
 "locked": {
-"lastModified": 1682453498,
-"narHash": "sha256-WoWiAd7KZt5Eh6n+qojcivaVpnXKqBsVgpixpV2L9CE=",
+"lastModified": 1682692304,
+"narHash": "sha256-9/lyXN2BpHw+1xE+D2ySBSLMCHWqiWu5tPHBMRDib8M=",
 "owner": "NixOS",
 "repo": "nixpkgs",
-"rev": "c8018361fa1d1650ee8d4b96294783cf564e8a7f",
+"rev": "937a9d1ee7b1351d8c55fff6611a8edf6e7c1c37",
 "type": "github"
 },
 "original": {
@@ -387,11 +387,11 @@
 "nixpkgs-stable": "nixpkgs-stable"
 },
 "locked": {
-"lastModified": 1682326782,
-"narHash": "sha256-wj7p7iEwQXAfTZ6QokAe0dMbpQk5u7ympDnaiPvbv1w=",
+"lastModified": 1682596858,
+"narHash": "sha256-Hf9XVpqaGqe/4oDGr30W8HlsWvJXtMsEPHDqHZA6dDg=",
 "owner": "cachix",
 "repo": "pre-commit-hooks.nix",
-"rev": "56cd2d47a9c937be98ab225cf014b450f1533cdb",
+"rev": "fb58866e20af98779017134319b5663b8215d912",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index c1cfd0e..07c11aa 100644
--- a/flake.nix
+++ b/flake.nix
@@ -9,7 +9,9 @@
 };
 
 disko = {
-url = "github:nix-community/disko";
+# TODO temporary until reimport PR merged
+#url = "github:nix-community/disko";
+url = "github:oddlama/disko";
 inputs.nixpkgs.follows = "nixpkgs";
 };
 
diff --git a/hosts/common/initrd-ssh.nix b/hosts/common/initrd-ssh.nix
index 3e9d62c..49389dc 100644
--- a/hosts/common/initrd-ssh.nix
+++ b/hosts/common/initrd-ssh.nix
@@ -1,6 +1,7 @@
 {
 config,
 name,
+pkgs,
 ...
 }: {
 rekey.secrets.initrd_host_ed25519_key.file = ../${name}/secrets/initrd_host_ed25519_key.age;
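Review bot: The new `url = "github:oddlama/disko";` in the flake.nix hunk carries no `ref` or `rev`, so although the flake.lock hunks in this commit pin the fork to one revision by rev and narHash, a later `nix flake update` will silently follow whatever the fork's default branch contains — for a tool that partitions and formats disks, that is a supply-chain exposure worth closing while the fork is in use, e.g. `url = "github:oddlama/disko?ref=<branch carrying the reimport change>";`. The TODO above it should also record which upstream change it waits on and how to undo it, e.g. `# TODO: temporary fork until the disko "reimport" PR (<upstream PR link>) is merged; then restore the nix-community url below and re-lock.`. Leaving the old url as a commented-out line is fine as a reminder, but without the PR reference nobody can tell when the swap can be reverted.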
@@ -20,8 +21,8 @@
 # for the first time, and the secrets were rekeyed for the the new host identity.
 system.activationScripts.agenixEnsureInitrdHostkey = {
 text = ''
-[[ -e ${rekey.secrets.initrd_host_ed25519_key.path} ]] \
-|| ssh-keygen -t ed25519 -N "" -f ${rekey.secrets.initrd_host_ed25519_key.path}
+[[ -e ${config.rekey.secrets.initrd_host_ed25519_key.path} ]] \
+|| ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f ${config.rekey.secrets.initrd_host_ed25519_key.path}
 '';
 deps = ["agenixInstall"];
 };
diff --git a/hosts/ward/fs.nix b/hosts/ward/fs.nix
index ebfd95c..0ea96fd 100644
--- a/hosts/ward/fs.nix
+++ b/hosts/ward/fs.nix
@@ -14,7 +14,7 @@
 partitions = [
 {
 name = "efi";
-start = "2048";
+start = "0%";
 end = "1GiB";
 fs-type = "fat32";
 bootable = true;
diff --git a/nix/lib.nix b/nix/lib.nix
index d7db3f8..e1b3a2c 100644
--- a/nix/lib.nix
+++ b/nix/lib.nix
@@ -54,6 +54,7 @@ in rec {
 recursiveUpdate {
 ${name} = {
 type = "zpool";
+mountRoot = "/mnt";
 rootFsOptions = {
 compression = "zstd";
 acltype = "posix";
@@ -77,6 +78,7 @@ in rec {
 canmount = "on";
 mountpoint = "/";
 };
+mountpoint = "/";
 };
 "local/nix" = {
 type = "zfs_fs";
@@ -84,6 +86,7 @@ in rec {
 canmount = "on";
 mountpoint = "/nix";
 };
+mountpoint = "/nix";
 };
 "safe".type = "zfs_fs";
 "safe/persist" = {
@@ -92,6 +95,7 @@ in rec {
 canmount = "on";
 mountpoint = "/persist";
 };
+mountpoint = "/persist";
 };
 };
 };
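Review bot: The `-f ${config.rekey.secrets.initrd_host_ed25519_key.path}` argument on the new ssh-keygen line is unquoted, so unlike the `[[ -e … ]]` test it is subject to word splitting if the secret path ever contains whitespace; quote it and silence the randomart in activation output: `|| ${pkgs.openssh}/bin/ssh-keygen -q -t ed25519 -N "" -f "${config.rekey.secrets.initrd_host_ed25519_key.path}"`. The fix from `rekey.` to `config.rekey.` is correct, and `-N ""` is unavoidable for an unattended initrd host key, but that means the key's protection rests entirely on the file's permissions and on wherever it is later copied — a comment stating that (and that a missing file is regenerated, not restored) would help the next reader, e.g. `# Key must be passphrase-less for unattended initrd use; protect it via file permissions only.`. `deps = ["agenixInstall"]` suggests the parent directory exists by this point, but the hunk does not show that, so confirm ssh-keygen cannot fail on a missing directory. The enclosing attribute set starts before the hunk.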
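Review bot: Each dataset in the `@@ -77`, `@@ -84` and `@@ -92` hunks of nix/lib.nix now states its mountpoint twice — the existing ZFS property `options.mountpoint = "/"` and the new disko-level `mountpoint = "/";` — with nothing tying the two together, so they can drift apart on the next edit. Presumably `mountRoot = "/mnt";` and the per-dataset `mountpoint` are what the oddlama/disko fork uses to mount datasets at install time; a comment next to `mountRoot`, e.g. `# mountRoot/mountpoint: where disko mounts each dataset during install; options.mountpoint is the ZFS property on the dataset — keep both in sync`, would record that intent. With `canmount = "on"` and an absolute ZFS `mountpoint` property, a pool import may also auto-mount the dataset at that path while disko mounts it under `/mnt`; this is inferred from the fork switch in flake.nix and worth confirming against the fork's behavior. The enclosing `rec { … }` and the function that builds this attribute set start before the first hunk.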