From 84069799752fafaddf1e8bed523d3658dc6afe57 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Jane=C5=BEi=C4=8D?=
Date: Sat, 21 Feb 2026 20:45:24 +0100
Subject: [PATCH] feat: extract initrd-ssh module from hardware config

---
 hosts/matej-nixos/configuration.nix | 12 +++
 hosts/matej-nixos/hardware-configuration.nix | 40 ++-------
 hosts/matej-tower/configuration.nix | 6 ++
 hosts/matej-tower/hardware-configuration.nix | 40 +--------
 modules/nixos/initrd-ssh.nix | 94 ++++++++++++++++++++
 scripts/initrd-ssh-keygen.sh | 24 +++++
 6 files changed, 144 insertions(+), 72 deletions(-)
 create mode 100644 modules/nixos/initrd-ssh.nix
 create mode 100755 scripts/initrd-ssh-keygen.sh

diff --git a/hosts/matej-nixos/configuration.nix b/hosts/matej-nixos/configuration.nix
index 56f1cab..cd37e80 100644
--- a/hosts/matej-nixos/configuration.nix
+++ b/hosts/matej-nixos/configuration.nix
@@ -24,6 +24,7 @@ in
 inputs.self.nixosModules.tuigreet
 inputs.self.nixosModules.workstation
 inputs.self.nixosModules.nvidia
+inputs.self.nixosModules.initrd-ssh
 ];
 
 # Modules
@@ -46,6 +47,17 @@ in
 
 nvidia.enable = true;
 
+initrd-ssh = {
+enable = true;
+networkModule = "r8169";
+ip = {
+enable = true;
+address = "10.222.0.247";
+gateway = "10.222.0.1";
+interface = "enp5s0";
+};
+};
+
 # Stylix theming
 stylix = {
 enable = true;
diff --git a/hosts/matej-nixos/hardware-configuration.nix b/hosts/matej-nixos/hardware-configuration.nix
index ee606b2..e7b72f8 100644
--- a/hosts/matej-nixos/hardware-configuration.nix
+++ b/hosts/matej-nixos/hardware-configuration.nix
@@ -1,6 +1,4 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
+# autogenerated by 'nixos-generate-config'
 {
 config,
 lib,
@@ -14,45 +12,17 @@
 (modulesPath + "/installer/scan/not-detected.nix")
 ];
 
+hardware.firmware = [ pkgs.linux-firmware ];
+
 boot.initrd.availableKernelModules = [
 "nvme"
 "xhci_pci"
 "ahci"
 "usbhid"
-"usb_storage"
-"sd_mod"
-];
-boot.initrd.kernelModules = [
-"dm-snapshot"
-"r8169"
-];
-boot.kernelModules = [
-"kvm-amd"
 ];
+boot.initrd.kernelModules = [ "dm-snapshot" ];
+boot.kernelModules = [ "kvm-amd" ];
 boot.extraModulePackages = [ ];
-boot.kernelParams = [
-"ip=10.222.0.247::10.222.0.1:255.255.255.0::enp5s0:none"
-];
-
-boot.initrd.network = {
-enable = true;
-ssh = {
-enable = true;
-port = 22;
-hostKeys = [
-"/etc/secrets/initrd/ssh_host_rsa_key"
-"/etc/secrets/initrd/ssh_host_ed25519_key"
-];
-authorizedKeys = [
-"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQGLdINKzs+sEy62Pefng0bcedgU396+OryFgeH99/c janezicmatej"
-"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDk00+Km03epQXQs+xEwwH3zcurACzkEH+kDOPBw6RQe openpgp:0xB095D449"
-];
-};
-postCommands = ''
-echo 'cryptsetup-askpass' >> /root/.profile
-'';
-
-};
 
 boot.initrd.luks.devices."cryptlvm".device =
 "/dev/disk/by-uuid/af0608c0-67cd-4ae4-b12c-252fa947da40";
diff --git a/hosts/matej-tower/configuration.nix b/hosts/matej-tower/configuration.nix
index 8b7b461..41d72d6 100644
--- a/hosts/matej-tower/configuration.nix
+++ b/hosts/matej-tower/configuration.nix
@@ -22,6 +22,7 @@
 inputs.self.nixosModules.gnupg
 inputs.self.nixosModules.tuigreet
 inputs.self.nixosModules.workstation
+inputs.self.nixosModules.initrd-ssh
 ];
 
 # Modules
@@ -38,6 +39,11 @@
 };
 sway.enable = true;
 
+initrd-ssh = {
+enable = true;
+networkModule = "r8169";
+};
+
 # Stylix theming
 stylix = {
 enable = true;
diff --git a/hosts/matej-tower/hardware-configuration.nix b/hosts/matej-tower/hardware-configuration.nix
index c7a686b..86e8051 100644
--- a/hosts/matej-tower/hardware-configuration.nix
+++ b/hosts/matej-tower/hardware-configuration.nix
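Review bot: The `@@ -14,45 +12,17 @@` hunk drops `"usb_storage"` and `"sd_mod"` from `boot.initrd.availableKernelModules`, which is unrelated to moving the SSH block into the module and is not mentioned in the commit message; `"ahci"` is kept, and a SATA disk behind it needs `sd_mod` before it can show up in stage 1. NixOS's stage-1 default module list most likely already contains `sd_mod`, so this is probably harmless, but the file's header now reads `# autogenerated by 'nixos-generate-config'` while the file carries hand edits (`hardware.firmware = [ pkgs.linux-firmware ];`), so a reader cannot tell whether the trimming was deliberate or a regeneration artefact. Either restore the two entries or put a one-line comment above the list, e.g. `# usb_storage/sd_mod intentionally omitted: <reason for this host>`, and consider a header that says the file was generated and then edited by hand. The same removal appears in the matej-tower hunk `@@ -20,13 +18,9 @@`.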
@@ -1,6 +1,4 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
+# autogenerated by 'nixos-generate-config'
 {
 config,
 lib,
@@ -20,13 +18,9 @@
 "nvme"
 "xhci_pci"
 "ahci"
-"usb_storage"
-"sd_mod"
-];
-boot.initrd.kernelModules = [
-"dm-snapshot"
-"r8169"
+"usbhid"
 ];
+boot.initrd.kernelModules = [ "dm-snapshot" ];
 boot.kernelModules = [ "kvm-amd" ];
 boot.extraModulePackages = [ ];
 
@@ -51,34 +45,6 @@
 { device = "/dev/disk/by-uuid/e0952ef2-1a9a-4022-bbcf-b2f016384258"; }
 ];
 
-boot.initrd.network = {
-enable = true;
-ssh = {
-enable = true;
-port = 22;
-hostKeys = [
-"/etc/secrets/initrd/ssh_host_rsa_key"
-"/etc/secrets/initrd/ssh_host_ed25519_key"
-];
-authorizedKeys = [
-"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQGLdINKzs+sEy62Pefng0bcedgU396+OryFgeH99/c janezicmatej"
-"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDk00+Km03epQXQs+xEwwH3zcurACzkEH+kDOPBw6RQe openpgp:0xB095D449"
-];
-};
-postCommands = ''
-echo 'cryptsetup-askpass' >> /root/.profile
-'';
-
-};
-
-# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-# (the default) this is the recommended approach. When using systemd-networkd it's
-# still possible to use this option, but it's recommended to use it in conjunction
-# with explicit per-interface declarations with `networking.interfaces..useDHCP`.
-networking.useDHCP = lib.mkDefault true;
-# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
-# networking.interfaces.wlp11s0.useDHCP = lib.mkDefault true;
-
 nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
diff --git a/modules/nixos/initrd-ssh.nix b/modules/nixos/initrd-ssh.nix
new file mode 100644
index 0000000..7679b66
--- /dev/null
+++ b/modules/nixos/initrd-ssh.nix
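Review bot: Removing `networking.useDHCP = lib.mkDefault true;` in `@@ -51,34 +45,6 @@` leaves the tower host's stage-1 networking resting on an implicit default: this host enables initrd-ssh without any `ip.*` settings, so the initrd has to obtain an address by DHCP, and as far as I recall NixOS's initrd DHCP is keyed off `networking.useDHCP`, whose upstream default is true. Behaviour is therefore probably unchanged, but nothing in the repository states the requirement any more, and a later `networking.useDHCP = false` in a shared module would silently make remote unlock unreachable. Either keep the line, or record the dependency where the module is enabled with `# initrd-ssh without ip.* relies on DHCP in stage 1 (networking.useDHCP default)`.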
@@ -0,0 +1,94 @@
+{
+lib,
+config,
+...
+}:
+let
+# TODO:(@janezicmatej) restructure keys import
+keys = import ../../users/matej/keys.nix;
+
+cfg = config.initrd-ssh;
+
+# Generate keys on new machines: ./scripts/initrd-ssh-keygen.sh
+keyDir = "/etc/secrets/initrd";
+
+mkIpString =
+{
+address,
+gateway,
+netmask,
+interface,
+...
+}:
+"${address}::${gateway}:${netmask}::${interface}:none";
+in
+{
+options = {
+initrd-ssh = {
+enable = lib.mkEnableOption "SSH in initrd for remote LUKS unlock";
+
+ip = {
+enable = lib.mkEnableOption "static IP for initrd (otherwise DHCP)";
+
+address = lib.mkOption {
+type = lib.types.str;
+description = "Static IP address";
+example = "10.222.0.247";
+};
+
+gateway = lib.mkOption {
+type = lib.types.str;
+description = "Gateway address";
+example = "10.222.0.1";
+};
+
+netmask = lib.mkOption {
+type = lib.types.str;
+default = "255.255.255.0";
+description = "Network mask";
+};
+
+interface = lib.mkOption {
+type = lib.types.str;
+description = "Network interface";
+example = "enp5s0";
+};
+};
+
+authorizedKeys = lib.mkOption {
+type = lib.types.listOf lib.types.str;
+default = keys.sshAuthorizedKeys;
+description = "SSH public keys authorized for initrd unlock";
+};
+
+networkModule = lib.mkOption {
+type = lib.types.str;
+description = "Kernel module for network interface (e.g., r8169, e1000e)";
+example = "r8169";
+};
+};
+};
+
+config = lib.mkIf cfg.enable {
+boot.initrd.kernelModules = [ cfg.networkModule ];
+boot.kernelParams = lib.mkIf cfg.ip.enable [
+"ip=${mkIpString cfg.ip}"
+];
+
+boot.initrd.network = {
+enable = true;
+ssh = {
+enable = true;
+port = 22;
+hostKeys = [
+"${keyDir}/ssh_host_rsa_key"
+"${keyDir}/ssh_host_ed25519_key"
+];
+authorizedKeys = cfg.authorizedKeys;
+};
+postCommands = ''
+echo 'cryptsetup-askpass' >> /root/.profile
+'';
+};
+};
+}
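Review bot: `port = 22;` in the `boot.initrd.network.ssh` block, together with `hostKeys` that are separate from the booted system's sshd keys, means a client that reaches this address on port 22 is presented with two different host keys depending on boot phase and will get OpenSSH's host-key-changed warning on one of them, which trains operators to ignore exactly the warning that matters; the usual mitigation is to serve the initrd sshd on its own port so each port has one stable key. Everything else in this block is already an option, so the port could be one too — constructed sample below, default left at 22 so the two hosts in this commit are unaffected. The module header should also state that, as far as I know, files listed in `hostKeys` are copied into the initrd image under `/boot`, which sits outside the LUKS volume this module exists to unlock, e.g. `# hostKeys are embedded in the initrd (stored in /boot, outside the encrypted volume): keep them separate from the system sshd keys and treat them as lower-trust`. `postCommands` applies to the scripted stage 1; if `boot.initrd.systemd.enable` is ever turned on for these hosts this block would need revisiting (hedged, the page does not show the stage-1 flavour).
```nix
# … unchanged: ip / authorizedKeys options …

port = lib.mkOption {
  type = lib.types.port;
  default = 22;
  description = "Port the initrd sshd listens on; a value different from the system sshd avoids host-key-changed warnings";
};

# … unchanged: networkModule option, config block up to ssh = { …
port = cfg.port;
```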
diff --git a/scripts/initrd-ssh-keygen.sh b/scripts/initrd-ssh-keygen.sh
new file mode 100755
index 0000000..c76f9ff
--- /dev/null
+++ b/scripts/initrd-ssh-keygen.sh
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+KEY_DIR="/etc/secrets/initrd"
+
+echo "Generating initrd SSH host keys in $KEY_DIR"
+
+sudo mkdir -p "$KEY_DIR"
+
+if [[ ! -f "$KEY_DIR/ssh_host_rsa_key" ]]; then
+sudo ssh-keygen -t rsa -N "" -f "$KEY_DIR/ssh_host_rsa_key"
+echo "Generated: $KEY_DIR/ssh_host_rsa_key"
+else
+echo "Exists: $KEY_DIR/ssh_host_rsa_key"
+fi
+
+if [[ ! -f "$KEY_DIR/ssh_host_ed25519_key" ]]; then
+sudo ssh-keygen -t ed25519 -N "" -f "$KEY_DIR/ssh_host_ed25519_key"
+echo "Generated: $KEY_DIR/ssh_host_ed25519_key"
+else
+echo "Exists: $KEY_DIR/ssh_host_ed25519_key"
+fi
+
+echo "Done. Now run nixos-rebuild."
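Review bot: `sudo mkdir -p "$KEY_DIR"` creates the directory with the caller's umask (typically 0755), so the only thing keeping the private keys private is ssh-keygen's own 0600 on the key files; since everything under `/etc/secrets/initrd` is secret material, create it root-only with `sudo install -d -m 0700 "$KEY_DIR"` instead. `KEY_DIR` duplicates `keyDir` in modules/nixos/initrd-ssh.nix with no cross-reference, so changing one silently breaks the other; a comment on the `KEY_DIR=` line such as `# must match keyDir in modules/nixos/initrd-ssh.nix` makes the coupling visible. Passing `-C "initrd-ssh $(hostname)"` to both ssh-keygen calls would make the generated public keys distinguishable from the system host keys when they are inspected later. `-N ""` is required because stage 1 cannot prompt for a key passphrase, which is worth a one-line comment rather than leaving it to look like an oversight.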