From 23a1aecaf50f44e352fa6df8534cc46c0ffbd636 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?=
Date: Sat, 20 May 2023 04:37:21 +0200
Subject: [PATCH] baremetal: add untested ssh unlock in initrd
---
 modules/baremetal.nix | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/modules/baremetal.nix b/modules/baremetal.nix
index 77effeb3..27029025 100644
--- a/modules/baremetal.nix
+++ b/modules/baremetal.nix
@@ -4,6 +4,24 @@
 options.c3d2.baremetal = lib.mkEnableOption "baremetal";
 config = lib.mkIf config.c3d2.baremetal {
+ boot.initrd.network = {
+ enable = true;
+ ssh = {
+ enable = true;
+ authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
+ hostKeys = [
+ "/etc/ssh/initrd/ssh_host_ed25519_key"
+ "/etc/ssh/initrd/ssh_host_rsa_key"
+ ];
+ port = 4748;
+ };
+ postCommands = ''
+ cat < /root/.profile
+ cryptsetup-askpass
+ EOF
+ '';
+ };
+
 environment.systemPackages = with pkgs; [
 lshw
 pciutils # lscpi
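Review bot: The two `hostKeys` paths are copied into the initrd, which has to live outside the encrypted volume, so these private keys should be treated as readable by anyone with access to the boot partition (and, as far as I recall from the NixOS option documentation, to the Nix store unless the bootloader supports initrd secrets). Nothing in the hunk says that they must be dedicated keys or that they must exist before the rebuild. I would add a comment above `hostKeys` such as `# initrd-only keys, stored unencrypted; never reuse /etc/ssh/ssh_host_*_key. Create with: ssh-keygen -t ed25519 -N "" -f /etc/ssh/initrd/ssh_host_ed25519_key`. Reusing `config.users.users.root.openssh.authorizedKeys.keys` also means every root key holder can reach the unlock prompt on port 4748 on every host with `c3d2.baremetal` set, including any without an encrypted root; a separate, shorter key list or an extra enable option would narrow that. The `config = lib.mkIf …` block continues outside the hunk.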