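{ config, lib, pkgs, ... }:
# NixOS module: sshd inside the systemd-based initrd so an operator can unlock
# encrypted ZFS pools remotely at boot. The config block only activates when
# both `malobeo.initssh.enable` and `malobeo.disks.encryption` are set.
let
  cfg = config.malobeo.initssh;
  inherit (config.networking) hostName;
in
{
  options.malobeo.initssh = {
    enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = "Enable initrd-ssh";
    };

    # Previously hard-coded as 222; exposed as an option with the same default.
    # Keeping it distinct from the main sshd port avoids host-key mismatch
    # warnings, since the initrd sshd uses its own host key.
    port = lib.mkOption {
      type = lib.types.port;
      default = 222;
      description = "Port the initrd sshd listens on";
    };

    authorizedKeys = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      description = "Authorized keys for the initrd ssh";
    };

    ethernetDrivers = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      description = "Ethernet drivers to load: run `lspci -k | grep -iA4 ethernet`";
      # The option is a list of strings, so the example must be a list too.
      example = [ "r8169" ];
    };

    zfsExtraPools = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      description = "Name or GUID of extra ZFS pools that you wish to import during boot.";
    };
  };

  config = lib.mkIf (cfg.enable && config.malobeo.disks.encryption) {
    boot = {
      loader.systemd-boot.enable = true;
      loader.efi.canTouchEfiVariables = true;
      supportedFilesystems = [ "vfat" "zfs" ];

      zfs = {
        # NOTE(review): forcing the import of every pool bypasses the hostid
        # check that protects pools attached to another host; confirm this is
        # intended for this machine's disk layout.
        forceImportAll = true;
        # Ask for the pool encryption keys during boot; the remote operator
        # supplies them through the ssh session below.
        requestEncryptionCredentials = true;
        extraPools = cfg.zfsExtraPools;
      };

      initrd = {
        # NIC drivers must be present in the initrd or there is no network to
        # ssh into.
        availableKernelModules = cfg.ethernetDrivers;

        systemd = {
          enable = true;
          network.enable = true;
        };

        network.ssh = {
          enable = true;
          port = cfg.port;
          authorizedKeys = cfg.authorizedKeys;
          # Dedicated initrd host key, deliberately separate from the main
          # sshd host key.
          hostKeys = [ "/etc/ssh/initrd" ];
        };

        # NOTE(review): initrd secrets are appended to the initrd image, which
        # with systemd-boot lives on the unencrypted ESP — treat this key as
        # readable by anyone with access to the boot medium; confirm that the
        # separate key above is the only secret shipped this way.
        secrets = {
          "/etc/ssh/initrd" = "/etc/ssh/initrd";
        };

        # On login over the initrd ssh the shell reads /var/empty/.profile, so
        # the operator is prompted for the pool keys, the boot-time key prompt
        # is terminated and the boot continues (`systemctl default`).
        # The `killall zfs` step presumably unblocks the prompt started by
        # requestEncryptionCredentials — verify against the zfs import units.
        systemd.services.zfs-remote-unlock = {
          description = "Prepare for ZFS remote unlock";
          wantedBy = [ "initrd.target" ];
          after = [ "systemd-networkd.service" ];
          path = with pkgs; [ zfs ];
          serviceConfig.Type = "oneshot";
          script = ''
            echo "zfs load-key -a; killall zfs; systemctl default" >> /var/empty/.profile
          '';
        };
      };

      # Bring the interface up via DHCP in the initrd, announcing
      # "<hostName>-initrd" so the lease is distinguishable from the booted
      # system's.
      kernelParams = [ "ip=::::${hostName}-initrd::dhcp" ];
    };
  };
}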