ahtlon
b94574c640
All checks were successful
Check flake syntax / flake-check (push) Successful in 4m46s
80 lines
2.2 KiB
Nix
80 lines
2.2 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
let
|
|
cfg = config.malobeo.initssh;
|
|
inherit (config.networking) hostName;
|
|
|
|
in
|
|
{
|
|
options.malobeo.initssh = {
|
|
enable = lib.mkOption {
|
|
type = lib.types.bool;
|
|
default = false;
|
|
description = "Enable initrd-ssh";
|
|
};
|
|
authorizedKeys = lib.mkOption {
|
|
type = lib.types.listOf lib.types.str;
|
|
default = [ ];
|
|
description = "Authorized keys for the initrd ssh";
|
|
};
|
|
ethernetDrivers = lib.mkOption {
|
|
type = lib.types.listOf lib.types.str;
|
|
default = [ ];
|
|
description = "Ethernet drivers to load: run `lspci -k | grep -iA4 ethernet`";
|
|
example = "r8169";
|
|
};
|
|
zfsExtraPools = lib.mkOption {
|
|
type = lib.types.listOf lib.types.str;
|
|
default = [ ];
|
|
description = "Name or GUID of extra ZFS pools that you wish to import during boot.";
|
|
};
|
|
};
|
|
|
|
config = lib.mkIf (cfg.enable && config.malobeo.disks.encryption) {
|
|
boot = {
|
|
loader.systemd-boot.enable = true;
|
|
loader.efi.canTouchEfiVariables = true;
|
|
supportedFilesystems = [ "vfat" "zfs" ];
|
|
zfs = {
|
|
forceImportAll = true;
|
|
requestEncryptionCredentials = true;
|
|
extraPools = cfg.zfsExtraPools;
|
|
};
|
|
initrd = {
|
|
availableKernelModules = cfg.ethernetDrivers;
|
|
systemd = {
|
|
initrdBin = [ pkgs.busybox pkgs.wireguard-tools pkgs.iproute2 ];
|
|
enable = true;
|
|
network.enable = true;
|
|
services."stopInitVpn" = {
|
|
description = "stop init vpn";
|
|
wantedBy = [
|
|
"initrd.target"
|
|
];
|
|
after = [
|
|
"zfs.target"
|
|
];
|
|
serviceConfig.StandardOutput = "journal+console";
|
|
script = ''
|
|
networkctl down wg-initrd
|
|
'';
|
|
serviceConfig.Type = "oneshot";
|
|
};
|
|
};
|
|
network = {
|
|
flushBeforeStage2 = true;
|
|
ssh = {
|
|
enable = true;
|
|
port = 222;
|
|
authorizedKeys = cfg.authorizedKeys;
|
|
hostKeys = [ "/etc/ssh/initrd" ];
|
|
};
|
|
};
|
|
secrets = {
|
|
"/etc/ssh/initrd" = "/etc/ssh/initrd";
|
|
};
|
|
};
|
|
kernelParams = [ "ip=::::${hostName}-initrd::dhcp" ];
|
|
};
|
|
};
|
|
}
|