feat: extract initrd-ssh module from hardware config

hosts/matej-nixos/configuration.nix

@@ -24,6 +24,7 @@ in
     inputs.self.nixosModules.tuigreet
     inputs.self.nixosModules.workstation
     inputs.self.nixosModules.nvidia
+    inputs.self.nixosModules.initrd-ssh
   ];
 
   # Modules
@@ -46,6 +47,17 @@ in
 
   nvidia.enable = true;
 
+  initrd-ssh = {
+    enable = true;
+    networkModule = "r8169";
+    ip = {
+      enable = true;
+      address = "10.222.0.247";
+      gateway = "10.222.0.1";
+      interface = "enp5s0";
+    };
+  };
+
   # Stylix theming
   stylix = {
     enable = true;

hosts/matej-nixos/hardware-configuration.nix

@@ -1,6 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# autogenerated by 'nixos-generate-config'
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
 {
   config,
   lib,
@@ -14,45 +12,17 @@
     (modulesPath + "/installer/scan/not-detected.nix")
   ];
 
+  hardware.firmware = [ pkgs.linux-firmware ];
+
   boot.initrd.availableKernelModules = [
     "nvme"
     "xhci_pci"
     "ahci"
     "usbhid"
-    "usb_storage"
-    "sd_mod"
-  ];
-  boot.initrd.kernelModules = [
-    "dm-snapshot"
-    "r8169"
-  ];
-  boot.kernelModules = [
-    "kvm-amd"
   ];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
+  boot.kernelModules = [ "kvm-amd" ];
   boot.extraModulePackages = [ ];
-  boot.kernelParams = [
-    "ip=10.222.0.247::10.222.0.1:255.255.255.0::enp5s0:none"
-  ];
-
-  boot.initrd.network = {
-    enable = true;
-    ssh = {
-      enable = true;
-      port = 22;
-      hostKeys = [
-        "/etc/secrets/initrd/ssh_host_rsa_key"
-        "/etc/secrets/initrd/ssh_host_ed25519_key"
-      ];
-      authorizedKeys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQGLdINKzs+sEy62Pefng0bcedgU396+OryFgeH99/c janezicmatej"
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDk00+Km03epQXQs+xEwwH3zcurACzkEH+kDOPBw6RQe openpgp:0xB095D449"
-      ];
-    };
-    postCommands = ''
-      echo 'cryptsetup-askpass' >> /root/.profile
-    '';
-
-  };
 
   boot.initrd.luks.devices."cryptlvm".device =
     "/dev/disk/by-uuid/af0608c0-67cd-4ae4-b12c-252fa947da40";

hosts/matej-tower/configuration.nix

@@ -22,6 +22,7 @@
     inputs.self.nixosModules.gnupg
     inputs.self.nixosModules.tuigreet
     inputs.self.nixosModules.workstation
+    inputs.self.nixosModules.initrd-ssh
   ];
 
   # Modules
@@ -38,6 +39,11 @@
   };
   sway.enable = true;
 
+  initrd-ssh = {
+    enable = true;
+    networkModule = "r8169";
+  };
+
   # Stylix theming
   stylix = {
     enable = true;
@@ -69,7 +75,7 @@
   services.pipewire.extraConfig.pipewire.adjust-sample-rate = {
     "context.properties" = {
       "default.clock.rate" = 192000;
-      "defautlt.allowed-rates" = [ 192000 ];
+      "default.allowed-rates" = [ 192000 ];
     };
   };
 

hosts/matej-tower/hardware-configuration.nix

@@ -1,6 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# autogenerated by 'nixos-generate-config'
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
 {
   config,
   lib,
@@ -20,13 +18,9 @@
     "nvme"
     "xhci_pci"
     "ahci"
-    "usb_storage"
+    "usbhid"
-    "sd_mod"
-  ];
-  boot.initrd.kernelModules = [
-    "dm-snapshot"
-    "r8169"
   ];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
   boot.kernelModules = [ "kvm-amd" ];
   boot.extraModulePackages = [ ];
 
@@ -51,34 +45,6 @@
     { device = "/dev/disk/by-uuid/e0952ef2-1a9a-4022-bbcf-b2f016384258"; }
   ];
 
-  boot.initrd.network = {
-    enable = true;
-    ssh = {
-      enable = true;
-      port = 22;
-      hostKeys = [
-        "/etc/secrets/initrd/ssh_host_rsa_key"
-        "/etc/secrets/initrd/ssh_host_ed25519_key"
-      ];
-      authorizedKeys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQGLdINKzs+sEy62Pefng0bcedgU396+OryFgeH99/c janezicmatej"
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDk00+Km03epQXQs+xEwwH3zcurACzkEH+kDOPBw6RQe openpgp:0xB095D449"
-      ];
-    };
-    postCommands = ''
-      echo 'cryptsetup-askpass' >> /root/.profile
-    '';
-
-  };
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
-  # networking.interfaces.wlp11s0.useDHCP = lib.mkDefault true;
-
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
   hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }

modules/nixos/initrd-ssh.nix

@@ -0,0 +1,94 @@
+{
+  lib,
+  config,
+  ...
+}:
+let
+  # TODO:(@janezicmatej) restructure keys import
+  keys = import ../../users/matej/keys.nix;
+
+  cfg = config.initrd-ssh;
+
+  # Generate keys on new machines: ./scripts/initrd-ssh-keygen.sh
+  keyDir = "/etc/secrets/initrd";
+
+  mkIpString =
+    {
+      address,
+      gateway,
+      netmask,
+      interface,
+      ...
+    }:
+    "${address}::${gateway}:${netmask}::${interface}:none";
+in
+{
+  options = {
+    initrd-ssh = {
+      enable = lib.mkEnableOption "SSH in initrd for remote LUKS unlock";
+
+      ip = {
+        enable = lib.mkEnableOption "static IP for initrd (otherwise DHCP)";
+
+        address = lib.mkOption {
+          type = lib.types.str;
+          description = "Static IP address";
+          example = "10.222.0.247";
+        };
+
+        gateway = lib.mkOption {
+          type = lib.types.str;
+          description = "Gateway address";
+          example = "10.222.0.1";
+        };
+
+        netmask = lib.mkOption {
+          type = lib.types.str;
+          default = "255.255.255.0";
+          description = "Network mask";
+        };
+
+        interface = lib.mkOption {
+          type = lib.types.str;
+          description = "Network interface";
+          example = "enp5s0";
+        };
+      };
+
+      authorizedKeys = lib.mkOption {
+        type = lib.types.listOf lib.types.str;
+        default = keys.sshAuthorizedKeys;
+        description = "SSH public keys authorized for initrd unlock";
+      };
+
+      networkModule = lib.mkOption {
+        type = lib.types.str;
+        description = "Kernel module for network interface (e.g., r8169, e1000e)";
+        example = "r8169";
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    boot.initrd.kernelModules = [ cfg.networkModule ];
+    boot.kernelParams = lib.mkIf cfg.ip.enable [
+      "ip=${mkIpString cfg.ip}"
+    ];
+
+    boot.initrd.network = {
+      enable = true;
+      ssh = {
+        enable = true;
+        port = 22;
+        hostKeys = [
+          "${keyDir}/ssh_host_rsa_key"
+          "${keyDir}/ssh_host_ed25519_key"
+        ];
+        authorizedKeys = cfg.authorizedKeys;
+      };
+      postCommands = ''
+        echo 'cryptsetup-askpass' >> /root/.profile
+      '';
+    };
+  };
+}

scripts/initrd-ssh-keygen.sh

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+KEY_DIR="/etc/secrets/initrd"
+
+echo "Generating initrd SSH host keys in $KEY_DIR"
+
+sudo mkdir -p "$KEY_DIR"
+
+if [[ ! -f "$KEY_DIR/ssh_host_rsa_key" ]]; then
+  sudo ssh-keygen -t rsa -N "" -f "$KEY_DIR/ssh_host_rsa_key"
+  echo "Generated: $KEY_DIR/ssh_host_rsa_key"
+else
+  echo "Exists: $KEY_DIR/ssh_host_rsa_key"
+fi
+
+if [[ ! -f "$KEY_DIR/ssh_host_ed25519_key" ]]; then
+  sudo ssh-keygen -t ed25519 -N "" -f "$KEY_DIR/ssh_host_ed25519_key"
+  echo "Generated: $KEY_DIR/ssh_host_ed25519_key"
+else
+  echo "Exists: $KEY_DIR/ssh_host_ed25519_key"
+fi
+
+echo "Done. Now run nixos-rebuild."