added hetzner profile, ssh for luks unlocking, and neededForBoot for state

2024-08-08 14:36:04 +02:00 · 2024-08-08 14:36:04 +02:00 · d980ba204a
commit d980ba204a
parent 2ca4b5440a
5 changed files with 187 additions and 4 deletions
--- a/shared/modules/default.nix
+++ b/shared/modules/default.nix
@ -1,6 +1,7 @@
 {
  imports = [
    ./state.nix
+    ./ssh-luks-zfs-on-boot.nix
    ./easy-zfs-mounts.nix
  ];
 }
--- a/shared/modules/ssh-luks-zfs-on-boot.nix
+++ b/shared/modules/ssh-luks-zfs-on-boot.nix
@ -0,0 +1,96 @@
+{ config, lib, ... }:
+
+with lib;
+
+let
+  cfg = config.mine.ssh-on-boot;
+in {
+  options.mine.ssh-on-boot = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+    };
+    
+    network = {
+      address = mkOption {
+        type = types.str;
+        example = "192.168.1.11";
+      };
+
+      gateway = mkOption {
+        type = types.str;
+        example = "192.168.1.1";
+      };
+
+      netmask = mkOption {
+        type = types.str;
+        example = "255.255.255.0";
+      };
+
+      hostname = mkOption {
+        type = types.str;
+        default = "${config.networking.hostName}-boot";
+      };
+
+      interface = mkOption {
+        type = types.str;
+        example = "eno3";
+      };
+    };
+
+    kernelModules = mkOption {
+      type = types.listOf types.str;
+      default = [
+        "ixgbe"
+        "igb"
+      ];
+    };
+
+    sshPort = mkOption {
+      type = types.int;
+      default = 2222;
+    };
+
+    sshKeyLocation = mkOption {
+      type = types.str;
+      default = "/state/root/ssh-on-boot";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    boot = {
+      kernelParams = [
+        "ip=${cfg.network.address}::${cfg.network.gateway}:${cfg.network.netmask}:${cfg.network.hostname}:${cfg.network.interface}"
+      ];
+
+      initrd.availableKernelModules = cfg.kernelModules;
+      initrd.network = {
+        enable = true;
+  
+        ssh = {
+          enable = true;
+          port = cfg.sshPort;
+          hostKeys = [
+            "${cfg.sshKeyLocation}/ssh_host_ed25519_key"
+            "${cfg.sshKeyLocation}/ssh_host_rsa_key"
+          ];
+
+          authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
+        };
+  
+        postCommands = let
+          luksCmd = builtins.concatStringsSep "; " (
+            lib.mapAttrsToList (n: v:
+              "echo Opening ${n}; cryptsetup-askpass open ${v.device} ${n}"
+            ) config.boot.initrd.luks.devices);
+        in ''
+          ip route add ${cfg.network.gateway} dev ${cfg.network.interface}
+          ip route add default via ${cfg.network.gateway} dev ${cfg.network.interface}
+          ip link set ${cfg.network.interface} up
+
+          echo "${luksCmd}; zpool import -a; zfs load-key -a; killall zfs" >> /root/.profile
+        '';
+      };
+    };
+  };
+}