Explicitly enable initrd network, ssh to avoid initrd secrets

2024-01-09 21:40:45 +01:00 · 2024-01-09 21:40:45 +01:00 · ce85b0839a
parent 943deed7d1
commit ce85b0839a
3 changed files with 8 additions and 7 deletions
--- a/hosts/dacbert/default.nix
+++ b/hosts/dacbert/default.nix
@ -100,9 +100,6 @@ in
      useTmpfs = true;
      tmpfsSize = "80%";
    };
-
-    # HACK
-    initrd.secrets = lib.mkForce {};
  };
  # hardware.raspberry-pi."4" = {
  #   fkms-3d.enable = true;
--- a/hosts/server10/default.nix
+++ b/hosts/server10/default.nix
@ -13,7 +13,13 @@
  };

  boot = {
-    initrd.availableKernelModules = [ "e1000e" ];
+    initrd = {
+      availableKernelModules = [ "e1000e" ];
+      network = {
+        enable = true;
+        ssh.enable = true;
+      };
+    };
    loader.grub = lib.mkIf (!options?isoImage) {
      enable = true;
      device = "/dev/sda";
--- a/modules/baremetal.nix
+++ b/modules/baremetal.nix
@ -20,9 +20,7 @@
        # the module can be found in a booted system by running `dmesg | rg "Link"` and looking at the first word after the date
        availableKernelModules = [ "bridge" "bonding" "8021q" ];
        network = {
-          enable = true;
          ssh = {
-            enable = true;
            authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
            hostKeys = [
              initrdEd2219Key
@ -80,7 +78,7 @@
    # this needs to be unconditional because the keys need to be inplace when activating the feature
    system.activationScripts.generateInitrdOpensshHostKeys = let
      sshKeygen = "${config.programs.ssh.package}/bin/ssh-keygen";
-    in ''
+    in lib.mkIf config.boot.initrd.network.enable ''
      if [[ ! -e ${initrdEd2219Key} || ! -e ${initrdRsaKey} ]]; then
        echo "Generating initrd OpenSSH hostkeys..."
        mkdir -m700 -p /etc/ssh/initrd/