added hetzner profile, ssh for luks unlocking, and neededForBoot for state

machines/gerd.nix

@@ -8,6 +8,7 @@ in {
     (modulesPath + "/profiles/qemu-guest.nix")
     (sources.disko + "/module.nix")
     ./../shared/modules
+    ./../shared/platforms/hetzner.nix
 
     ./gerd/disk-zfs.nix
 
@@ -19,8 +20,6 @@ in {
 
   networking.hostName = "gerd";
   networking.hostId = "e1166ac9";
-  networking.interfaces.enp1s0.ipv6.addresses = [ { address = "2a01:4f9:c012:743e::1"; prefixLength = 64; }];
-  networking.defaultGateway6 = { address = "fe80::1"; interface = "enp1s0"; };
   boot.loader.grub = {
     # no need to set devices, disko will add all devices that have a EF02 partition to the list already
     # devices = [ ];
@@ -29,10 +28,18 @@ in {
   };
   services.openssh.enable = true;
 
-  mine.state.enable = true;
+  mine = {
+    state.enable = true;
+    ssh-on-boot.enable = true;
+
+    platforms.hetzner.network.address = [
+     "65.108.221.240/32"
+     "2a01:4f9:c012:743e::1/64"
+    ];
+  };
 
   boot.initrd.postDeviceCommands = lib.mkAfter ''
-    zfs rollback -r rpool/local/root@blank
+    zfs rollback -r rpool/root@blank
   '';
 
   environment.systemPackages = with pkgs; [

machines/gerd/disk-zfs.nix

@@ -78,4 +78,8 @@ in {
       };
     };
   };
+
+  fileSystems."/state/root".neededForBoot = true;
+  fileSystems."/state/home".neededForBoot = true;
+  fileSystems."/state/stash".neededForBoot = true;
 }

shared/modules/default.nix

@@ -1,6 +1,7 @@
 {
   imports = [
     ./state.nix
+    ./ssh-luks-zfs-on-boot.nix
     ./easy-zfs-mounts.nix
   ];
 }

shared/modules/ssh-luks-zfs-on-boot.nix

@@ -0,0 +1,96 @@
+{ config, lib, ... }:
+
+with lib;
+
+let
+  cfg = config.mine.ssh-on-boot;
+in {
+  options.mine.ssh-on-boot = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+    };
+    
+    network = {
+      address = mkOption {
+        type = types.str;
+        example = "192.168.1.11";
+      };
+
+      gateway = mkOption {
+        type = types.str;
+        example = "192.168.1.1";
+      };
+
+      netmask = mkOption {
+        type = types.str;
+        example = "255.255.255.0";
+      };
+
+      hostname = mkOption {
+        type = types.str;
+        default = "${config.networking.hostName}-boot";
+      };
+
+      interface = mkOption {
+        type = types.str;
+        example = "eno3";
+      };
+    };
+
+    kernelModules = mkOption {
+      type = types.listOf types.str;
+      default = [
+        "ixgbe"
+        "igb"
+      ];
+    };
+
+    sshPort = mkOption {
+      type = types.int;
+      default = 2222;
+    };
+
+    sshKeyLocation = mkOption {
+      type = types.str;
+      default = "/state/root/ssh-on-boot";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    boot = {
+      kernelParams = [
+        "ip=${cfg.network.address}::${cfg.network.gateway}:${cfg.network.netmask}:${cfg.network.hostname}:${cfg.network.interface}"
+      ];
+
+      initrd.availableKernelModules = cfg.kernelModules;
+      initrd.network = {
+        enable = true;
+  
+        ssh = {
+          enable = true;
+          port = cfg.sshPort;
+          hostKeys = [
+            "${cfg.sshKeyLocation}/ssh_host_ed25519_key"
+            "${cfg.sshKeyLocation}/ssh_host_rsa_key"
+          ];
+
+          authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
+        };
+  
+        postCommands = let
+          luksCmd = builtins.concatStringsSep "; " (
+            lib.mapAttrsToList (n: v:
+              "echo Opening ${n}; cryptsetup-askpass open ${v.device} ${n}"
+            ) config.boot.initrd.luks.devices);
+        in ''
+          ip route add ${cfg.network.gateway} dev ${cfg.network.interface}
+          ip route add default via ${cfg.network.gateway} dev ${cfg.network.interface}
+          ip link set ${cfg.network.interface} up
+
+          echo "${luksCmd}; zpool import -a; zfs load-key -a; killall zfs" >> /root/.profile
+        '';
+      };
+    };
+  };
+}

shared/platforms/hetzner.nix

@@ -0,0 +1,75 @@
+{ config, lib, modulesPath, ... }:
+
+with lib;
+
+let
+  cfg = config.mine.platforms.hetzner;
+
+  mkIfOption = name: attrset: lib.optionalAttrs (
+    builtins.hasAttr name config.mine
+  ) attrset;
+in {
+  options.mine.platforms.hetzner= {
+    enable = mkOption {
+      type = types.bool;
+      default = true;
+    };
+    
+    network = {
+      address = mkOption {
+        type = types.listOf types.str;
+        example = "[\"55.72.39.76/32\"";
+      };
+    };
+  };
+
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  config = mkIf cfg.enable ({
+    boot = {
+      loader = {
+        grub.enable = true;
+        grub.device = "/dev/sda";
+      };
+  
+      initrd = {
+        availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sd_mod" "sr_mod" ];
+      };
+    };
+
+    networking.useDHCP = false;
+    systemd.network = {
+      enable = true;
+
+      networks.hetzner = {
+        name = "enp1s0";
+
+        address = cfg.network.address;
+
+        gateway = [
+          "fe80::1"
+          "172.31.1.1"
+        ];
+
+        routes = [
+          {routeConfig = {Destination = "172.31.1.1";};}
+          {routeConfig = {Destination = "fe80::1";};}
+        ];
+        
+      };
+    };
+
+    # ssh on boot
+    mine.ssh-on-boot.network = let
+      netmaskAddressList = (lib.take 3 (lib.splitString "." "135.181.98.1")) ++ ["255"];
+      netmaskAddress = lib.concatStringsSep "." netmaskAddressList;
+    in {
+      address = lib.mkDefault (lib.elemAt cfg.network.address 0);
+      gateway = lib.mkDefault "172.31.1.1";
+      netmask = lib.mkDefault netmaskAddress;
+      interface = lib.mkDefault "enp1s0";
+    };
+  });
+}