From acdbd14d8e3c0df2e07a049ddea7c48c937f2b05 Mon Sep 17 00:00:00 2001
From: Andreas Zweili
Date: Tue, 9 Jan 2024 21:07:51 +0100
Subject: [PATCH] Unify the initrd ssh config

I don't know if it is a smart idea to use the same key for all initrds but I can't be bothered to create one for each device atm.
---
 home-manager/profiles/desktop.nix | 4 ++
 home-manager/profiles/management.nix | 18 ++++++---
 modules/default.nix | 1 +
 modules/hardware/raspi4/raspi-base.nix | 14 -------
 modules/hardware/raspi4/raspi-ethernet.nix | 5 ++-
 modules/hardware/raspi4/raspi-usb.nix | 5 ++-
 modules/misc/initrd-ssh/default.nix | 13 +++++++
 modules/misc/initrd-ssh/ssh_host_ed25519_key | 7 ++++
 .../misc/initrd-ssh/ssh_host_ed25519_key.pub | 1 +
 modules/misc/initrd-ssh/ssh_host_rsa_key | 38 +++++++++++++++++++
 modules/misc/initrd-ssh/ssh_host_rsa_key.pub | 1 +
 systems/gwyn/default.nix | 5 ++-
 systems/staubfinger/default.nix | 5 ++-
 13 files changed, 91 insertions(+), 26 deletions(-)
 create mode 100644 modules/misc/initrd-ssh/default.nix
 create mode 100644 modules/misc/initrd-ssh/ssh_host_ed25519_key
 create mode 100644 modules/misc/initrd-ssh/ssh_host_ed25519_key.pub
 create mode 100644 modules/misc/initrd-ssh/ssh_host_rsa_key
 create mode 100644 modules/misc/initrd-ssh/ssh_host_rsa_key.pub

diff --git a/home-manager/profiles/desktop.nix b/home-manager/profiles/desktop.nix
index e144177..0a1e45f 100644
--- a/home-manager/profiles/desktop.nix
+++ b/home-manager/profiles/desktop.nix
@@ -22,6 +22,10 @@ in {
       unstable.tagger
       az-media
     ];
+    shellAliases = {
+      unlock-luks =
+        "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o User=root";
+    };
   };
 
   programs = {
diff --git a/home-manager/profiles/management.nix b/home-manager/profiles/management.nix
index ec2593b..e65bb74 100644
--- a/home-manager/profiles/management.nix
+++ b/home-manager/profiles/management.nix
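Review bot: The `unlock-luks` alias disables host-key verification with `-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no`, so the LUKS passphrase typed into `cryptsetup-askpass` is handed to whatever answers on port 22 at the given address, including an attacker on the LAN or behind a spoofed DHCP lease. Since this same commit fixes one known initrd host key, the client can pin it instead: build a known_hosts file from `ssh_host_ed25519_key.pub` (one line per unlock target) and use `"ssh -o UserKnownHostsFile=~/.ssh/initrd_known_hosts -o StrictHostKeyChecking=yes -o User=root"`. If the only reason for disabling the check was the "host key changed" warning caused by the initrd sshd and the real sshd sharing port 22, moving the initrd sshd to a separate port (or using `-o HostKeyAlias=`) keeps both keys pinned.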
@@ -1,12 +1,18 @@
 { inputs, pkgs, ... }: {
   imports = [ "${inputs.self}/home-manager/modules" ];
 
-  home.packages = with pkgs; [
-    docker-compose
-    exercism
-    nodePackages.prettier # formatting files
-    xclip
-  ];
+  home = {
+    packages = with pkgs; [
+      docker-compose
+      exercism
+      nodePackages.prettier # formatting files
+      xclip
+    ];
+    shellAliases = {
+      unlock-luks =
+        "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o User=root";
+    };
+  };
 
   programs = {
     az-emacs.enable = true;
diff --git a/modules/default.nix b/modules/default.nix
index 54c78e6..0901956 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -5,6 +5,7 @@
     ./hardware/nvidia
     ./hardware/raspi4
     ./misc/common
+    ./misc/initrd-ssh
     ./misc/username
     ./profiles/desktop
     ./programs/distrobox
diff --git a/modules/hardware/raspi4/raspi-base.nix b/modules/hardware/raspi4/raspi-base.nix
index 9087da1..01b8635 100644
--- a/modules/hardware/raspi4/raspi-base.nix
+++ b/modules/hardware/raspi4/raspi-base.nix
@@ -89,20 +89,6 @@ in {
       device = "/dev/mmcblk1p2";
       allowDiscards = true; # required for TRIM
     };
-    initrd.network = {
-      enable = true;
-      ssh = {
-        enable = true;
-        port = 22;
-        shell = "/bin/cryptsetup-askpass";
-        authorizedKeys =
-          config.users.users.${config.az-username}.openssh.authorizedKeys.keys;
-        hostKeys = [
-          "/etc/secrets/initrd/ssh_host_rsa_key"
-          "/etc/secrets/initrd/ssh_host_ed25519_key"
-        ];
-      };
-    };
     loader = { systemd-boot.enable = true; };
   };
   boot.extraModulePackages = [ ];
diff --git a/modules/hardware/raspi4/raspi-ethernet.nix b/modules/hardware/raspi4/raspi-ethernet.nix
index 676eb90..440fb0c 100644
--- a/modules/hardware/raspi4/raspi-ethernet.nix
+++ b/modules/hardware/raspi4/raspi-ethernet.nix
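Review bot: The `unlock-luks` alias string is now duplicated byte-for-byte between management.nix and desktop.nix, so the next change to its ssh options (and the host-key verification it currently disables with `StrictHostKeyChecking=no`) has to be made twice. Move it into a single module under `home-manager/modules`, which this file already imports via `"${inputs.self}/home-manager/modules"`, and have both profiles pick it up from there. Whatever the shared definition ends up being, it should verify the initrd host key rather than send the LUKS passphrase to an unauthenticated peer; the key is fixed by this commit, so it can be pinned in a dedicated known_hosts file.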
@@ -16,8 +16,9 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
-    boot.kernelParams =
-      [ "ip=${cfg.ip}::10.7.89.1:255.255.255.0:${cfg.hostname}:eth0" ];
+    boot.kernelParams = [
+      "ip=${cfg.ip}::10.7.89.1:255.255.255.0:${cfg.hostname}:eth0" # required for ssh at initrd
+    ];
     hardware.az-raspi4-base.enable = true;
     networking = {
       useDHCP = false;
diff --git a/modules/hardware/raspi4/raspi-usb.nix b/modules/hardware/raspi4/raspi-usb.nix
index 7356bb4..507b95e 100644
--- a/modules/hardware/raspi4/raspi-usb.nix
+++ b/modules/hardware/raspi4/raspi-usb.nix
@@ -18,8 +18,9 @@ in {
 
   config = lib.mkIf cfg.enable {
     hardware.az-raspi4-base.enable = true;
-    boot.kernelParams =
-      [ "ip=10.7.89.159::10.7.89.1:255.255.255.0:mobile:enabcm6e4ei0" ];
+    boot.kernelParams = [
+      "ip=10.7.89.159::10.7.89.1:255.255.255.0:mobile:enabcm6e4ei0" # required for ssh at initrd
+    ];
     boot = {
       kernelModules = [ "libcomposite" ];
       loader.raspberryPi.firmwareConfig = "dtoverlay=dwc2";
diff --git a/modules/misc/initrd-ssh/default.nix b/modules/misc/initrd-ssh/default.nix
new file mode 100644
index 0000000..1b4122b
--- /dev/null
+++ b/modules/misc/initrd-ssh/default.nix
@@ -0,0 +1,13 @@
+{ config, inputs, ... }: {
+  boot.initrd.network = {
+    enable = true;
+    ssh = {
+      enable = true;
+      port = 22;
+      shell = "/bin/cryptsetup-askpass";
+      authorizedKeys =
+        config.users.users.${config.az-username}.openssh.authorizedKeys.keys;
+      hostKeys = [ ./ssh_host_rsa_key ./ssh_host_ed25519_key ];
+    };
+  };
+}
diff --git a/modules/misc/initrd-ssh/ssh_host_ed25519_key b/modules/misc/initrd-ssh/ssh_host_ed25519_key
new file mode 100644
index 0000000..f6c0dce
--- /dev/null
+++ b/modules/misc/initrd-ssh/ssh_host_ed25519_key
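Review bot: `hostKeys = [ ./ssh_host_rsa_key ./ssh_host_ed25519_key ];` references the private keys as Nix path literals, and Nix copies path literals into the world-readable `/nix/store` of every machine that evaluates this configuration, on top of the keys now sitting in git history. The configuration this commit removes from raspi-base.nix passed string paths under `/etc/secrets/initrd/`, which keeps the key files out of the store (as far as I recall, NixOS then appends them to the initrd as secrets at bootloader-install time rather than at build time); restore that form, `hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];`, and provision the file on each host out of band or via a secrets tool. Separately, this module sets `boot.initrd.network.enable = true` and an initrd sshd on port 22 unconditionally for every system importing modules/default.nix, so gate it behind an `enable` option the way the raspi modules use `lib.mkIf cfg.enable`. The `inputs` argument in the module's argument set is unused and can be dropped.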
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACCHLxzMWIM4QVnpjgDkkqaiy7sNSIsOLYxwvrIPFLrWIgAAAJC+S5DyvkuQ
+8gAAAAtzc2gtZWQyNTUxOQAAACCHLxzMWIM4QVnpjgDkkqaiy7sNSIsOLYxwvrIPFLrWIg
+AAAEDouhwxa1VdUpzJY9WqQWoW8WjdqX/7AeSxBiyNdTwA6IcvHMxYgzhBWemOAOSSpqLL
+uw1Iiw4tjHC+sg8UutYiAAAADGFuZHJlYXNAZ3d5bgE=
+-----END OPENSSH PRIVATE KEY-----
diff --git a/modules/misc/initrd-ssh/ssh_host_ed25519_key.pub b/modules/misc/initrd-ssh/ssh_host_ed25519_key.pub
new file mode 100644
index 0000000..b6e2da7
--- /dev/null
+++ b/modules/misc/initrd-ssh/ssh_host_ed25519_key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcvHMxYgzhBWemOAOSSpqLLuw1Iiw4tjHC+sg8UutYi andreas@gwyn
diff --git a/modules/misc/initrd-ssh/ssh_host_rsa_key b/modules/misc/initrd-ssh/ssh_host_rsa_key
new file mode 100644
index 0000000..7729279
--- /dev/null
+++ b/modules/misc/initrd-ssh/ssh_host_rsa_key
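Review bot: This is an unencrypted private host key committed to the repository; once the commit has been pushed anywhere the key has to be treated as compromised even if it is later deleted, because it stays in history. Regenerate it outside the repo with `ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key` on each host, add `ssh_host_*_key` to `.gitignore`, and rotate (or rewrite history) if this has already left the machine. The commit message's own doubt about sharing one key across all initrds is justified: the initrd lives on the unencrypted boot partition, so reading any one device's boot media (a raspi SD card, say) would let an attacker impersonate every other device's unlock prompt.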
@@ -0,0 +1,38 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
+NhAAAAAwEAAQAAAYEAyL5M0fLnAgKzG0UisiLQ/MR4PHyE1QSZ0WlFuu+y0ITf5IC08hy8
+Cl7Sj/eUkG/H4ffgpaqOIUmQ2/59R2wYGMV9rULtKDluVrAARTZ7687CU8E4IMOXb1JwAv
+n8je57f+TOafHnjEvKxO50X6UJ3dBbOD50VNvh7FKHeWdueXi//T3s6aT8k82FRUyHm9UO
+sL5iJCVs3ikX530AmnVW2/hxSBZ3JSTnxwKIP/De4CzmjGpLcwgqu7EOtpTs2zcKEwqkHl
+M3bXRAh9PbVBqsnR2LVXDqneTkTSXBTNj/UNlK1Ynex6LaNnGWaEgi//vZEiaZ56e0ksEi
+O5IMzNxJnjqhRWnrhrbvrxnT4aWxwbcwewF+GEC18CF+MZlajMLh2eD3tJyu/3xdUmNT2P
+HBapgHYLB84exP1+5SjZY6Z77EANnNRBb7pSQZilyzSJzULrzXDMhCzB2T0m3uqVDM6FV+
+NN6l1JzScJLUhT0ZCdZBViz/8CbIvzc1O6f0BUGbAAAFiJLRJVaS0SVWAAAAB3NzaC1yc2
+EAAAGBAMi+TNHy5wICsxtFIrIi0PzEeDx8hNUEmdFpRbrvstCE3+SAtPIcvApe0o/3lJBv
+x+H34KWqjiFJkNv+fUdsGBjFfa1C7Sg5blawAEU2e+vOwlPBOCDDl29ScAL5/I3ue3/kzm
+nx54xLysTudF+lCd3QWzg+dFTb4exSh3lnbnl4v/097Omk/JPNhUVMh5vVDrC+YiQlbN4p
+F+d9AJp1Vtv4cUgWdyUk58cCiD/w3uAs5oxqS3MIKruxDraU7Ns3ChMKpB5TN210QIfT21
+QarJ0di1Vw6p3k5E0lwUzY/1DZStWJ3sei2jZxlmhIIv/72RImmeentJLBIjuSDMzcSZ46
+oUVp64a2768Z0+GlscG3MHsBfhhAtfAhfjGZWozC4dng97Scrv98XVJjU9jxwWqYB2CwfO
+HsT9fuUo2WOme+xADZzUQW+6UkGYpcs0ic1C681wzIQswdk9Jt7qlQzOhVfjTepdSc0nCS
+1IU9GQnWQVYs//AmyL83NTun9AVBmwAAAAMBAAEAAAGAK1IeA+TWg3GPs1/dF/I5hYLkq7
+D3fXzrsOx19tyJi0RRiN9ZrTIURmymJhl4vx7QVOyIV1gSKg7VKxSldodWP+pGr+BUi6yx
+KhX7SPR0E7Rf7XEyKqfrA0QYFhxaq0p+7l+zR9vDa1xj2tHW3VkhYvP265FWy4VUIQrCX6
+m5ho9PZ1g4y0cmlsLwcr8MOM3myK+dQE2vS9Y0aWlpeuu9neTklXj7p1Fqj2D1hE732gr2
+ifDabW2iwzR3h2FmJ/ydVs9RgJH000L+gN7y45ShA+cEqfb0vX0MaMhaPLsxl0k84kusK9
+OigMm1wZLlft8V6nJMxumAcOZYJhc55dyLN+ffSma4Rm0PWVhde7CrZn6JzX07rDBPssJ+
+Bg37hN589aZ89XsaIUUgqauSHY5DhVW8qXMYrBR/Evsw4femRBwCEMBguK+99xV67cOV5B
+zUqGvSjyR02qJa5Lkx0WPiRj1eg06op51e1DxiEu6awa80/C5eJrXOerrg/4oILeaZAAAA
+wQDJpJhUfS2Xk47b7MHfoWWYc7c9UOe+hZWNNnO+rU8ISIQUwAT6NHYOLeW+w9ahu9Ytll
+VUNqOke/o4isk3ypN5oYlWajtk5IEpZoJWSqDD+wjHa6KuMMVvDouoa2tDuyLNOmgsXQ0E
+1SQGIsZTF9iqE5FvEpn8rdlP7rjuTl1OUT5ahpmsgn6QcCzxWHFaSHBYX6lQtmQT6/UFmO
+uEkZisBYaiW68P7HvdODhfdVHHfJW/oxvxWh7ICcm+Fay2Uz8AAADBAPU5y8biDo/K/kyF
+KTfTleIN2HcnjdSCto3Fy0v75DfXJSNSYZaQDC5WOtQZAXqJc2ucJTUWaJVDBUhpO0sRzF
+oZb58G42m/2JS2nKI1xynRUVTjbjA/B08o/g5X3V3p7yneCguaZXAb0EieICc4LFeGcjxC
+Q1mOKCRqFYylXatfSISgjlp0JuruKIBPOjOod5YMSP0QAYxTtFKV5q+OhHVsqO/HATECYP
+koneBLEGjbNWwYhDQ+J1vfyx1/7Ds7lwAAAMEA0ZAu63r7MYst7MvCOo0OST4imuLO+grY
+FFOLHdE1ML3eK438A+ETbC63PH3sLq3YEwiGKTakOXbtGfqbcDBgn1sveQ/rJjDIGo4+nS
+Rz0BDftaNj0GdEGqi77tXxDJB5svjMiUbuxxY66xpxTqJW58jxq5ymshGtIcOOtTvLoonD
+QmbMBojhdJY82/VnteTfHfBzghSa+SxnhpNmr8lGp5bghDBQs1m+KrMi1hhSlWWTbaFkaz
+KozLfObM3NirqdAAAADGFuZHJlYXNAZ3d5bgECAwQFBg==
+-----END OPENSSH PRIVATE KEY-----
diff --git a/modules/misc/initrd-ssh/ssh_host_rsa_key.pub b/modules/misc/initrd-ssh/ssh_host_rsa_key.pub
new file mode 100644
index 0000000..90b6a42
--- /dev/null
+++ b/modules/misc/initrd-ssh/ssh_host_rsa_key.pub
@@ -0,0 +1 @@
+ssh-rsa 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 andreas@gwyn
diff --git a/systems/gwyn/default.nix b/systems/gwyn/default.nix
index 3300d2d..846f27b 100644
--- a/systems/gwyn/default.nix
+++ b/systems/gwyn/default.nix
@@ -17,10 +17,13 @@
       "usb_storage"
       "xhci_pci"
     ];
 
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
   boot.kernelModules = [ "kvm-intel" "sg" ];
   boot.extraModulePackages = [ ];
-  boot.kernelParams = [ ];
+  boot.kernelParams = [
+    "ip=dhcp" # required for ssh at initrd
+  ];
 
   boot.initrd.luks.devices."cryptlvm" = {
     allowDiscards = true;
diff --git a/systems/staubfinger/default.nix b/systems/staubfinger/default.nix
index 05642c3..581a213 100644
--- a/systems/staubfinger/default.nix
+++ b/systems/staubfinger/default.nix
@@ -10,7 +10,6 @@
   boot.initrd.kernelModules = [ "dm-snapshot" ];
   boot.kernelModules = [ "kvm-intel" ];
   boot.extraModulePackages = [ ];
-  boot.kernelParams = [ "acpi_osi=" ];
   boot.initrd.luks.devices."cryptlvm" = {
     allowDiscards = true;
     device = "/dev/sda2";
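Review bot: The RSA host key is a second plaintext private key to protect with no visible need for it: the ed25519 key is added in the same commit, the `unlock-luks` alias does not restrict host-key algorithms, and every OpenSSH client this repo is likely to use accepts ed25519 host keys. Listing only the ed25519 key in `hostKeys` and dropping this file halves the secret material that ends up in the initrd and in git. Like the ed25519 key, this one is committed unencrypted and should be regenerated outside the repository and rotated if the commit has already been pushed.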
@@ -19,6 +18,10 @@
     allowDiscards = true;
     device = "/dev/sda3";
   };
+  boot.kernelParams = [
+    "acpi_osi=" # required for hardware support
+    "ip=dhcp" # required for ssh at initrd
+  ];
   boot.loader.efi.efiSysMountPoint = "/boot/efi";