nixos-config/modules/initrd-ssh.nix

# SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later

# To enable this on a host, you have to do the following:
# For network to work in initrd,
# either pass the `ip=` kernel parameter or enable networking.useDHCP.
# You also have to add the required kernel modules for the network adapter to `boot.initrd.availableKernelModules`
# (if it is not loaded by default).
# Then, you can set `boot.initrd.network.enable=true`,
# which enables networking in initrd.
# SSH in the initrd is enabled by this module automatically once networking is enabled.
# To be able to log in,
# you have to generate an SSH host key for the system (see the comments in the module on how to)
# and copy it to that host.
# It is then recommended to add a new `<host>-initrd`-entry to `modules/ssh.nix`
# to ensure the key is known and trusted by default on all other hosts.
# The host also needs a valid entry in `machines/default.nix`
# with `targetHost` set.
# If necessary, also set `unlockOverV4`,
# which forces the SSH connection to use IPv4
# (useful if the network of the host does not do SLAAC).
# If all that is done,
# remote unlocking should be possible by running `nix run .#unlock/host`
{ config, lib, ... }:
{
  boot.initrd.network = {
    #enable = true;
    ssh = {
      enable = lib.mkDefault config.boot.initrd.network.enable;
      port = 2222;
      # ssh-keygen -t ed25519 -N "" -f ssh_host_ed25519_key_initrd -C HOSTNAME
      # scp ssh_host_ed25519_key_initrd root@machine:/etc/ssh/
      hostKeys = [
        "/etc/ssh/ssh_host_ed25519_key_initrd"
      ];
    };
  };

  # This only works for vfat (EFI),
  # for ext2 (MBR) it needs to be changed manually with chmod.
  fileSystems."/boot".options = lib.mkIf
    (config.boot.initrd.network.ssh.enable && config.fileSystems."/boot".fsType == "vfat")
    (lib.mkDefault [ "umask=0077" ]);
}