service/initrd-ssh: support systemd-boot

machines/newton/services.nix

@@ -109,6 +109,7 @@ in
     };
     initrd-ssh = {
       enable = true;
+      mode = "grub2";
     };
     # self-hosted recipe manager
     tandoor-recipes = {

modules/services/initrd-ssh/default.nix

@@ -6,10 +6,23 @@ in
 {
   options.my.services.initrd-ssh = {
     enable = lib.mkEnableOption "Enable initrd-ssh service";
+
+    mode = lib.mkOption {
+      type = lib.types.enum [
+        "grub2"
+        "systemd"
+      ];
+      default = "systemd";
+      description = "Whether to use GRUB2 or systemd for the initrd SSH server.";
+    };
   };
 
   config = lib.mkIf cfg.enable {
-    boot.initrd.network = {
+    boot.initrd = {
+      secrets = {
+        "/etc/secrets/initrd/ssh_host_ed25519_key" = "/etc/secrets/initrd/ssh_host_ed25519_key";
+      };
+      network = {
         enable = true;
 
         ssh = {
@@ -21,9 +34,25 @@ in
           ];
         };
 
-      postCommands = ''
+        postCommands = lib.optionalString (cfg.mode == "grub2") ''
-        echo 'cryptsetup-askpass' >> /root/.profile
+          echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1' >> /root/.profile
+        '';
+      };
+
+      systemd = lib.optionalAttrs (cfg.mode == "systemd") {
+        enable = true;
+        network.enable = true;
+        services.luks-remote-unlock = {
+          description = "Prepare for LUKS remote unlock";
+          wantedBy = [ "initrd.target" ];
+          after = [ "systemd-networkd.service" ];
+          unitConfig.DefaultDependencies = "no";
+          serviceConfig.Type = "oneshot";
+          script = ''
+            echo 'systemctl default || echo "Unlock was successful; exiting SSH session" && exit 1' >> /var/empty/.profile
           '';
         };
       };
+    };
+  };
 }