service/initrd-ssh: support systemd-boot

Felix Buehler 2026-04-12 23:30:27 +02:00
parent 7909067dc7
commit aedea1d68a
2 changed files with 42 additions and 12 deletions


@ -109,6 +109,7 @@ in
}; };
initrd-ssh = { initrd-ssh = {
enable = true; enable = true;
mode = "grub2";
}; };
# self-hosted recipe manager # self-hosted recipe manager
tandoor-recipes = { tandoor-recipes = {


@ -6,24 +6,53 @@ in
{ {
options.my.services.initrd-ssh = { options.my.services.initrd-ssh = {
enable = lib.mkEnableOption "Enable initrd-ssh service"; enable = lib.mkEnableOption "Enable initrd-ssh service";
mode = lib.mkOption {
type = lib.types.enum [
"grub2"
"systemd"
];
default = "systemd";
description = "Whether to use GRUB2 or systemd for the initrd SSH server.";
};
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
boot.initrd.network = { boot.initrd = {
enable = true; secrets = {
"/etc/secrets/initrd/ssh_host_ed25519_key" = "/etc/secrets/initrd/ssh_host_ed25519_key";
ssh = { };
network = {
enable = true; enable = true;
port = 2222;
hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ]; ssh = {
authorizedKeys = [ enable = true;
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOFx6OLwL9MbkD3mnMsv+xrzZHN/rwCTgVs758SCLG0h felix@workman" port = 2222;
]; hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
authorizedKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOFx6OLwL9MbkD3mnMsv+xrzZHN/rwCTgVs758SCLG0h felix@workman"
];
};
postCommands = lib.optionalString (cfg.mode == "grub2") ''
echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1' >> /root/.profile
'';
}; };
postCommands = '' systemd = lib.optionalAttrs (cfg.mode == "systemd") {
echo 'cryptsetup-askpass' >> /root/.profile enable = true;
''; network.enable = true;
services.luks-remote-unlock = {
description = "Prepare for LUKS remote unlock";
wantedBy = [ "initrd.target" ];
after = [ "systemd-networkd.service" ];
unitConfig.DefaultDependencies = "no";
serviceConfig.Type = "oneshot";
script = ''
echo 'systemctl default || echo "Unlock was successful; exiting SSH session" && exit 1' >> /var/empty/.profile
'';
};
};
}; };
}; };
} }
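Review bot: The profile lines written in the `postCommands` string and in the `luks-remote-unlock` script print "Unlock was successful" exactly when the unlock command fails: in POSIX sh `||` and `&&` have equal precedence and associate left-to-right, so `A || echo "..." && exit 1` runs the echo only when `A` returns non-zero and then exits in every case. Switch the first operator so the message tracks success while keeping the unconditional exit, e.g. `echo 'cryptsetup-askpass && echo "Unlock was successful; exiting SSH session"; exit 1' >> /root/.profile` and the same shape for the `systemctl default` line, or group with `{ ...; }` if a failed unlock is meant to keep the session open for a retry. The systemd branch appends to `/var/empty/.profile`, which only takes effect if root's home in the systemd stage-1 really is `/var/empty`; that is not visible in this hunk, so it is worth confirming and recording in a comment next to the `script` line. The `description` of the new `mode` option reads as a boolean ("Whether to use GRUB2 or systemd"), while the option is an enum; a wording such as `description = "Which stage-1 flavour the SSH unlock hook targets: \"grub2\" (scripted initrd) or \"systemd\" (systemd initrd).";` matches the type.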