46 lines
1.9 KiB
Nix
46 lines
1.9 KiB
Nix
# SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
|
|
#
|
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
|
|
# To enable this on a host, you have to do the following:
|
|
# For network to work in initrd,
|
|
# either pass the `ip=` kernel parameter or enable networking.useDHCP.
|
|
# You also have to add the required kernel modules for the network adapter to `boot.initrd.availableKernelModules`
|
|
# (if it is not loaded by default).
|
|
# Then, you can set `boot.initrd.network.enable=true`,
|
|
# which enables networking in initrd.
|
|
# SSH in the initrd is enabled by this module automatically once networking is enabled.
|
|
# To be able to log in,
|
|
# you have to generate an SSH host key for the system (see the comments in the module on how to)
|
|
# and copy it to that host.
|
|
# It is then recommended to add a new `<host>-initrd`-entry to `modules/ssh.nix`
|
|
# to ensure the key is known and trusted by default on all other hosts.
|
|
# The host also needs a valid entry in `machines/default.nix`
|
|
# with `targetHost` set.
|
|
# If necessary, also set `unlockOverV4`,
|
|
# which forces the SSH connection to use IPv4
|
|
# (useful if the network of the host does not do SLAAC).
|
|
# If all that is done,
|
|
# remote unlocking should be possible by running `nix run .#unlock/host`
|
|
{ config, lib, ... }:
|
|
{
|
|
boot.initrd.network = {
|
|
#enable = true;
|
|
ssh = {
|
|
enable = lib.mkDefault config.boot.initrd.network.enable;
|
|
port = 2222;
|
|
# ssh-keygen -t ed25519 -N "" -f ssh_host_ed25519_key_initrd -C HOSTNAME
|
|
# scp ssh_host_ed25519_key_initrd root@machine:/etc/ssh/
|
|
hostKeys = [
|
|
"/etc/ssh/ssh_host_ed25519_key_initrd"
|
|
];
|
|
};
|
|
};
|
|
|
|
# This only works for vfat (EFI),
|
|
# for ext2 (MBR) it needs to be changed manually with chmod.
|
|
fileSystems."/boot".options = lib.mkIf
|
|
(config.boot.initrd.network.ssh.enable && config.fileSystems."/boot".fsType == "vfat")
|
|
(lib.mkDefault [ "umask=0077" ]);
|
|
}
|