{ config, lib, pkgs, ... }: let cfg = config.malobeo.initssh; inherit (config.networking) hostName; in { options.malobeo.initssh = { enable = lib.mkOption { type = lib.types.bool; default = false; description = "Enable initrd-ssh"; }; authorizedKeys = lib.mkOption { type = lib.types.listOf lib.types.str; default = [ ]; description = "Authorized keys for the initrd ssh"; }; ethernetDrivers = lib.mkOption { type = lib.types.listOf lib.types.str; default = [ ]; description = "Ethernet drivers to load: run `lspci -k | grep -iA4 ethernet`"; example = "r8169"; }; zfsExtraPools = lib.mkOption { type = lib.types.listOf lib.types.str; default = [ ]; description = "Name or GUID of extra ZFS pools that you wish to import during boot."; }; }; config = lib.mkIf (cfg.enable && config.malobeo.disks.encryption) { boot = { loader.systemd-boot.enable = true; loader.efi.canTouchEfiVariables = true; supportedFilesystems = [ "vfat" "zfs" ]; zfs = { forceImportAll = true; requestEncryptionCredentials = true; extraPools = cfg.zfsExtraPools; }; initrd = { availableKernelModules = cfg.ethernetDrivers; systemd = { initrdBin = [ pkgs.busybox pkgs.wireguard-tools pkgs.iproute2 ]; enable = true; network.enable = true; services."stopInitVpn" = { description = "stop init vpn"; wantedBy = [ "initrd.target" ]; after = [ "zfs.target" ]; serviceConfig.StandardOutput = "journal+console"; script = '' networkctl down wg-initrd ''; serviceConfig.Type = "oneshot"; }; }; network = { flushBeforeStage2 = true; ssh = { enable = true; port = 222; authorizedKeys = cfg.authorizedKeys; hostKeys = [ "/etc/ssh/initrd" ]; }; }; secrets = { "/etc/ssh/initrd" = "/etc/ssh/initrd"; }; }; kernelParams = [ "ip=::::${hostName}-initrd::dhcp" ]; }; }; }