move grub and full-disk-encryption into seperate files

modules/luks.nix

@@ -0,0 +1,15 @@
+let
+  secretsFile = "/root.key";
+in
+{
+  boot.loader.grub.enableCryptodisk = true;
+
+  # enable passing of keyfile between grub and initrd
+  boot.initrd.luks.devices."cryptroot" = {
+    fallbackToPassword = true;
+    keyFile = secretsFile;
+  };
+
+  # copy the secret into the additional initramfs. `null` means same path
+  boot.initrd.secrets."${secretsFile}" = null;
+}