From ce85b0839a1a7ebd2aa53457b5e8b5cd59d65e4f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?=
Date: Tue, 9 Jan 2024 21:40:45 +0100
Subject: [PATCH] Explicitly enable initrd network, ssh to avoid initrd secrets

---
 hosts/dacbert/default.nix | 3 ---
 hosts/server10/default.nix | 8 +++++++-
 modules/baremetal.nix | 4 +---
 3 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/hosts/dacbert/default.nix b/hosts/dacbert/default.nix
index e563a62e..3e074fb9 100644
--- a/hosts/dacbert/default.nix
+++ b/hosts/dacbert/default.nix
@@ -100,9 +100,6 @@ in
 useTmpfs = true;
 tmpfsSize = "80%";
 };
-
- # HACK
- initrd.secrets = lib.mkForce {};
 };
 # hardware.raspberry-pi."4" = {
 # fkms-3d.enable = true;
diff --git a/hosts/server10/default.nix b/hosts/server10/default.nix
index bd6e1c5c..ff6f7bef 100644
--- a/hosts/server10/default.nix
+++ b/hosts/server10/default.nix
@@ -13,7 +13,13 @@
 };
 
 boot = {
- initrd.availableKernelModules = [ "e1000e" ];
+ initrd = {
+ availableKernelModules = [ "e1000e" ];
+ network = {
+ enable = true;
+ ssh.enable = true;
+ };
+ };
 loader.grub = lib.mkIf (!options?isoImage) {
 enable = true;
 device = "/dev/sda";
diff --git a/modules/baremetal.nix b/modules/baremetal.nix
index 9a481b2d..d59ce68f 100644
--- a/modules/baremetal.nix
+++ b/modules/baremetal.nix
@@ -20,9 +20,7 @@
 # the module can be found in a booted system by running `dmesg | rg "Link"` and looking at the first word after the date
 availableKernelModules = [ "bridge" "bonding" "8021q" ];
 network = {
- enable = true;
 ssh = {
- enable = true;
 authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
 hostKeys = [
 initrdEd2219Key
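Review bot: The new `network = { enable = true; ssh.enable = true; }` block in hosts/server10/default.nix carries no comment saying why this host needs SSH in stage 1, and enabling it is exactly what makes any configured `boot.initrd.network.ssh.hostKeys` land in the initrd as `boot.initrd.secrets` — the situation the commit title says the other hosts now avoid. A one-line comment above `network = {` would record the trade-off, e.g. `# initrd SSH is wanted on this host (<reason>); its host keys are shipped as initrd secrets, see modules/baremetal.nix`. Whether this host actually imports modules/baremetal.nix is not visible in the hunk, so adjust that reference to match. The enclosing `boot` attribute set continues past the end of the hunk.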
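Review bot: With `enable = true` removed from both `network` and `ssh` in modules/baremetal.nix, the `ssh.authorizedKeys` and `ssh.hostKeys` settings that remain are inert on any host that does not set `boot.initrd.network.enable` and `boot.initrd.network.ssh.enable` itself, and nothing in the hunk says so. A comment above `network = {` would save the next reader a search, e.g. `# opt-in: each host sets boot.initrd.network.enable and boot.initrd.network.ssh.enable; the host keys listed here are only generated by the activation script below when network.enable is set`. The hostKeys list and the enclosing `boot.initrd` set continue outside the hunk.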
@@ -80,7 +78,7 @@
 # this needs to be unconditional because the keys need to be inplace when activating the feature
 system.activationScripts.generateInitrdOpensshHostKeys = let
 sshKeygen = "${config.programs.ssh.package}/bin/ssh-keygen";
- in ''
+ in lib.mkIf config.boot.initrd.network.enable ''
 if [[ ! -e ${initrdEd2219Key} || ! -e ${initrdRsaKey} ]]; then
 echo "Generating initrd OpenSSH hostkeys..."
 mkdir -m700 -p /etc/ssh/initrd/
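Review bot: The comment `# this needs to be unconditional because the keys need to be inplace when activating the feature` now contradicts the line directly below it, which wraps the script in `lib.mkIf config.boot.initrd.network.enable`; one of the two is stale. If the intent is to stop generating keys on hosts without initrd SSH, gating on `config.boot.initrd.network.ssh.enable` looks like the closer match, since that is the option under which `hostKeys` is set, and the comment should then read something like `# only hosts that opt into initrd SSH need these keys; generated on the first activation that enables it`. It is worth confirming that the first activation which turns initrd SSH on still has the keys in place before the initrd secrets are appended — that ordering is what the old comment was guarding. The script body continues past the hunk.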