From aedea1d68a8b34a249828c6eac2c016bf0a2505f Mon Sep 17 00:00:00 2001
From: Felix Buehler
Date: Sun, 12 Apr 2026 23:30:27 +0200
Subject: [PATCH] service/initrd-ssh: support systemd-boot
---
 machines/newton/services.nix | 1 +
 modules/services/initrd-ssh/default.nix | 53 +++++++++++++++++++------
 2 files changed, 42 insertions(+), 12 deletions(-)
diff --git a/machines/newton/services.nix b/machines/newton/services.nix
index ddffcd0..fdf600f 100644
--- a/machines/newton/services.nix
+++ b/machines/newton/services.nix
@@ -109,6 +109,7 @@ in
 };
 initrd-ssh = {
 enable = true;
+ mode = "grub2";
 };
 # self-hosted recipe manager
 tandoor-recipes = {
diff --git a/modules/services/initrd-ssh/default.nix b/modules/services/initrd-ssh/default.nix
index 18344ea..e295462 100644
--- a/modules/services/initrd-ssh/default.nix
+++ b/modules/services/initrd-ssh/default.nix
@@ -6,24 +6,53 @@ in { options.my.services.initrd-ssh = { enable = lib.mkEnableOption "Enable initrd-ssh service"; + + mode = lib.mkOption { + type = lib.types.enum [ + "grub2" + "systemd" + ]; + default = "systemd"; + description = "Whether to use GRUB2 or systemd for the initrd SSH server."; + }; }; config = lib.mkIf cfg.enable { - boot.initrd.network = { - enable = true; - - ssh = { + boot.initrd = { + secrets = { + "/etc/secrets/initrd/ssh_host_ed25519_key" = "/etc/secrets/initrd/ssh_host_ed25519_key"; + }; + network = { enable = true; - port = 2222; - hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ]; - authorizedKeys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOFx6OLwL9MbkD3mnMsv+xrzZHN/rwCTgVs758SCLG0h felix@workman" - ]; + + ssh = { + enable = true; + port = 2222; + hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ]; + authorizedKeys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOFx6OLwL9MbkD3mnMsv+xrzZHN/rwCTgVs758SCLG0h felix@workman" + ]; + }; + + postCommands = lib.optionalString (cfg.mode == "grub2") '' + echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1' >> /root/.profile + ''; }; - postCommands = '' - echo 'cryptsetup-askpass' >> /root/.profile - ''; + systemd = lib.optionalAttrs (cfg.mode == "systemd") { + enable = true; + network.enable = true; + services.luks-remote-unlock = { + description = "Prepare for LUKS remote unlock"; + wantedBy = [ "initrd.target" ]; + after = [ "systemd-networkd.service" ]; + unitConfig.DefaultDependencies = "no"; + serviceConfig.Type = "oneshot"; + script = '' + echo 'systemctl default || echo "Unlock was successful; exiting SSH session" && exit 1' >> /var/empty/.profile + ''; + }; + }; }; }; }
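Review bot: The new `mode` option defaults to "systemd", and that branch sets `boot.initrd.systemd.enable = true`, which moves the whole initrd (not only the SSH server) to systemd stage 1 on every host importing this module without setting `mode`, while newton is the only consumer pinned to "grub2" in this patch; either default to "grub2" to keep the pre-patch behaviour, or state the wider effect in the option, e.g. `description = "Stage-1 init that runs the initrd SSH server: \"grub2\" keeps the scripted initrd, \"systemd\" enables systemd stage 1 (boot.initrd.systemd.enable) for the whole initrd.";`. Both appended profile lines parse as `(cryptsetup-askpass || echo …) && exit 1` because `||` and `&&` bind with equal precedence left to right, so the "Unlock was successful" message is printed exactly when the unlock command fails, which also reports a genuinely failed unlock as a success; if only the already-unlocked case is meant, a neutral text such as "no pending unlock request; closing session" is accurate on every failure path. The explicit `secrets` entry repeats the `hostKeys` path and, as far as I recall, the upstream initrd-ssh module already registers `hostKeys` as initrd secrets for the scripted initrd, so if the entry is needed for the systemd stage-1 path a one-line comment saying so would help the next reader. The `cfg` binding this hunk relies on comes from the `let` above line 6, outside the hunk.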