felix/nixos
1
0
Fork 0
mirror of https://github.com/Stunkymonkey/nixos.git synced 2026-04-27 07:48:44 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

service/initrd-ssh: support systemd-boot
Some checks failed
/ Build Nix targets (push) Has been cancelled
Details

Browse source
This commit is contained in:
Felix Buehler 2026-04-12 23:30:27 +02:00
parent 7909067dc7
commit aedea1d68a
2 changed files with 42 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

53
modules/services/initrd-ssh/default.nix
View file

@ -6,24 +6,53 @@ in
{
options.my.services.initrd-ssh = {
enable = lib.mkEnableOption "Enable initrd-ssh service";
mode = lib.mkOption {
type = lib.types.enum [
"grub2"
"systemd"
];
default = "systemd";
description = "Whether to use GRUB2 or systemd for the initrd SSH server.";
};
};
config = lib.mkIf cfg.enable {
boot.initrd.network = {
enable = true;
ssh = {
boot.initrd = {
secrets = {
"/etc/secrets/initrd/ssh_host_ed25519_key" = "/etc/secrets/initrd/ssh_host_ed25519_key";
};
network = {
enable = true;
port = 2222;
hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
authorizedKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOFx6OLwL9MbkD3mnMsv+xrzZHN/rwCTgVs758SCLG0h felix@workman"
];
ssh = {
enable = true;
port = 2222;
hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
authorizedKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOFx6OLwL9MbkD3mnMsv+xrzZHN/rwCTgVs758SCLG0h felix@workman"
];
};
postCommands = lib.optionalString (cfg.mode == "grub2") ''
echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1' >> /root/.profile
'';
};
postCommands = ''
echo 'cryptsetup-askpass' >> /root/.profile
'';
systemd = lib.optionalAttrs (cfg.mode == "systemd") {
enable = true;
network.enable = true;
services.luks-remote-unlock = {
description = "Prepare for LUKS remote unlock";
wantedBy = [ "initrd.target" ];
after = [ "systemd-networkd.service" ];
unitConfig.DefaultDependencies = "no";
serviceConfig.Type = "oneshot";
script = ''
echo 'systemctl default || echo "Unlock was successful; exiting SSH session" && exit 1' >> /var/empty/.profile
'';
};
};
};
};
}