From 4d4c4fa6fa8bb7754acb8d4171bd94ea965b81c3 Mon Sep 17 00:00:00 2001
From: ahtlon
Date: Mon, 30 Dec 2024 22:23:50 +0100
Subject: [PATCH] add init ssh modul
---
 machines/modules/malobeo/initssh.nix | 65 ++++++++++++++++++++++++++++
 outputs.nix | 1 +
 2 files changed, 66 insertions(+)
 create mode 100644 machines/modules/malobeo/initssh.nix
diff --git a/machines/modules/malobeo/initssh.nix b/machines/modules/malobeo/initssh.nix
new file mode 100644
index 00000000..b5a5587f
--- /dev/null
+++ b/machines/modules/malobeo/initssh.nix
@@ -0,0 +1,65 @@
+{ config, lib, pkgs, ... }:
+let
+ cfg = config.malobeo.initssh;
+ inherit (config.networking) hostName;
+
+in
+{
+ options.malobeo.initssh = {
+ enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = "Enable initrd-ssh";
+ };
+ authorizedKeys = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ default = [ ];
+ description = "Authorized keys for the initrd ssh";
+ };
+ ethernetDrivers = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ default = [ ];
+ description = "Ethernet drivers to load: run `lspci -k | grep -iA4 ethernet`";
+ example = "r8169";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ boot = {
+ loader.systemd-boot.enable = true;
+ loader.efi.canTouchEfiVariables = true;
+ supportedFilesystems = [ "vfat" "zfs" ];
+ zfs = {
+ forceImportAll = true;
+ requestEncryptionCredentials = true;
+ };
+ initrd = {
+ availableKernelModules = cfg.ethernetDrivers;
+ systemd = {
+ enable = true;
+ network.enable = true;
+ };
+ network.ssh = {
+ enable = true;
+ port = 222;
+ authorizedKeys = cfg.authorizedKeys;
+ hostKeys = [ "/etc/ssh/initrd" ];
+ };
+ secrets = {
+ "/etc/ssh/initrd" = "/etc/ssh/initrd";
+ };
+ };
+ kernelParams = [ "ip=::::${hostName}-initrd::dhcp" ];
+ systemd.services.zfs-remote-unlock = {
+ description = "Prepare for ZFS remote unlock";
+ wantedBy = ["initrd.target"];
+ after = ["systemd-networkd.service"];
+ path = with pkgs; [ zfs ];
+ serviceConfig.Type = "oneshot";
+ script = ''
+ echo "systemctl default" >> /var/empty/.profile
+ '';
+ };
+ };
+ };
+}
\ No newline at end of file
diff --git a/outputs.nix b/outputs.nix
index bd44a0be..634d548b 100644
--- a/outputs.nix
+++ b/outputs.nix
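Review bot: The initrd SSH host key is read from `/etc/ssh/initrd` and appended to the initrd through `boot.initrd.secrets`; with `loader.systemd-boot.enable = true` that initrd is normally installed on the unencrypted ESP, so anyone who can read the boot partition can read the key, and nothing in the module says the file must be a dedicated initrd-only key rather than one of the system's regular host keys. I would document that next to the `hostKeys` line, e.g. `# dedicated initrd-only key, never a system ssh_host_* key: the initrd and this secret sit unencrypted on the ESP`, and consider exposing the path as an option so the convention is visible to callers. Enabling the module with the default empty `authorizedKeys` yields an initrd sshd nobody can log into, which a short evaluation-time check catches: `assertions = [ { assertion = cfg.authorizedKeys != [ ]; message = "malobeo.initssh: authorizedKeys must not be empty"; } ];`. Also the `zfs-remote-unlock` script invokes no zfs command, so `path = with pkgs; [ zfs ];` looks unnecessary, and the bootloader, filesystem and `boot.zfs` settings at the top of `boot` go beyond what an initrd-ssh module advertises — presumably intentional for this host, but worth a comment explaining why they live here.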
@@ -116,6 +116,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
 host.imports = [ ./machines/durruti/host_config.nix ];
 microvm.imports = [ ./machines/modules/malobeo/microvm_host.nix ];
 vpn.imports = [ ./machines/modules/malobeo/wireguard.nix ];
+ initssh.imports = [ ./machines/modules/malobeo/initssh.nix ];
 };
 hydraJobs = nixpkgs.lib.mapAttrs (_: nixpkgs.lib.hydraJob) (