initrd-ssh: Improve module documentation

2023-02-15 11:35:59 +01:00 · 2023-02-15 11:35:59 +01:00 · 42a22e89b7
parent c3d7de1d49
commit 42a22e89b7
1 changed files with 20 additions and 4 deletions
--- a/modules/initrd-ssh.nix
+++ b/modules/initrd-ssh.nix
@ -1,7 +1,23 @@
-# For network to work in initrd, either pass the `ip=` kernel parameter or
-# enable networking.useDHCP. You also have to add the required kernel modules
-# for the network card to boot.initrd.availableKernelModules. Also see the
-# instructions on how to add a host key to password-store.
+# To enable this on a host, you have to do the following:
+# For network to work in initrd,
+# either pass the `ip=` kernel parameter or enable networking.useDHCP.
+# You also have to add the required kernel modules for the network adapter to `boot.initrd.availableKernelModules`
+# (if it is not loaded by default).
+# Then, you can set `boot.initrd.network.enable=true`,
+# which enables networking in initrd.
+# SSH in the initrd is enabled by this module automatically once networking is enabled.
+# To be able to log in,
+# you have to generate an SSH host key for the system (see the comments in the module on how to)
+# and copy it to that host.
+# It is then recommended to add a new `<host>-initrd`-entry to `modules/ssh.nix`
+# to ensure the key is known and trusted by default on all other hosts.
+# The host also needs a valid entry in `machines/default.nix`
+# with `targetHost` set.
+# If necessary, also set `unlockOverV4`,
+# which forces the SSH connection to use IPv4
+# (useful if the network of the host does not do SLAAC).
+# If all that is done,
+# remote unlocking should be possible by running `nix run .#unlock/host`
 { config, lib, ... }:
 {
  boot.initrd.network = {