From 8ede23da3537d2ef71aa54fc3bece020ac21d8c4 Mon Sep 17 00:00:00 2001
From: Love Billenius
Date: Tue, 7 Apr 2026 20:37:56 +0200
Subject: [PATCH] break out + ssh unlock

---
 modules/hosts/hermes/configuration.nix | 10 +++-
 modules/hosts/kronos/configuration.nix | 1 +
 modules/nixos/default.nix | 2 +
 modules/nixos/luks-initrd-ssh-unlock.nix | 58 ++++++++++++++++++++++++
 modules/nixos/luks-tpm2.nix | 13 ++++++
 modules/nixos/zfs-root.nix | 10 ----
 6 files changed, 82 insertions(+), 12 deletions(-)
 create mode 100644 modules/nixos/luks-initrd-ssh-unlock.nix
 create mode 100644 modules/nixos/luks-tpm2.nix

diff --git a/modules/hosts/hermes/configuration.nix b/modules/hosts/hermes/configuration.nix
index 8d6efcc..0be8734 100644
--- a/modules/hosts/hermes/configuration.nix
+++ b/modules/hosts/hermes/configuration.nix
@@ -1,6 +1,5 @@
 {
 inputs,
- config,
 pkgs,
 modules,
 ...
@@ -28,13 +27,20 @@ in
 ./disko.nix
 modules.base
 modules.zfsRoot
- modules.desktopHyprland
+ modules.luksInitrdSshUnlock
 modules.mailServer
 modules.binBashWrapper
 ];
 
 my.binBashWrapper.enable = true;
 
+ my.initrdSshUnlock = {
+ enable = true;
+ authorizedKeys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICxY7ceahvTqe4AWGKRJNs1z4AdWT/WafkOBDaNrkB2p"
+ ];
+ };
+
 networking.hostName = hostName;
 networking.hostId = "8d49a097f2";
 
diff --git a/modules/hosts/kronos/configuration.nix b/modules/hosts/kronos/configuration.nix
index 4c2793c..6a6096c 100644
--- a/modules/hosts/kronos/configuration.nix
+++ b/modules/hosts/kronos/configuration.nix
@@ -27,6 +27,7 @@ in
 ./disko.nix
 modules.base
 modules.zfsRoot
+ modules.luksTpm2
 modules.desktopHyprland
 modules.binBashWrapper
 ];
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index efef5e5..ef91047 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
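Review bot: Besides adding `modules.luksInitrdSshUnlock`, the second hermes hunk silently drops `modules.desktopHyprland` from the host's imports, and neither the subject ("break out + ssh unlock") nor the diffstat hints at removing the desktop stack from this machine. If that is intended (a mail server presumably has no use for Hyprland) it deserves a sentence in the commit message; otherwise it belongs in its own commit. Also worth knowing: enabling `my.initrdSshUnlock` makes the module set `boot.kernelParams = [ "ip=dhcp" ]` host-wide, so hermes will DHCP on every NIC in stage 1 and answer SSH on that address before the root volume is open.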
@@ -2,6 +2,8 @@
 base = import ./base.nix;
 binBashWrapper = import ./bin-bash-wrapper.nix;
 desktopHyprland = import ./desktop-hyprland.nix;
+ luksInitrdSshUnlock = import ./luks-initrd-ssh-unlock.nix;
+ luksTpm2 = import ./luks-tpm2.nix;
 mailServer = import ./mail-server;
 zfsRoot = import ./zfs-root.nix;
 }
diff --git a/modules/nixos/luks-initrd-ssh-unlock.nix b/modules/nixos/luks-initrd-ssh-unlock.nix
new file mode 100644
index 0000000..2a102b8
--- /dev/null
+++ b/modules/nixos/luks-initrd-ssh-unlock.nix
@@ -0,0 +1,58 @@
+{
+ config,
+ lib,
+ ...
+}:
+let
+ cfg = config.my.initrdSshUnlock;
+in
+{
+ options.my.initrdSshUnlock = {
+ enable = lib.mkEnableOption "enable initrd SSH unlock";
+
+ authorizedKeys = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ default = [ ];
+ description = "SSH public keys allowed to connect to initrd for disk unlock.";
+ };
+
+ hostKeyPath = lib.mkOption {
+ type = lib.types.path;
+ default = /etc/secrets/initrd/ssh_host_ed25519_key;
+ description = "Path to the initrd SSH host private key on the target system.";
+ };
+
+ port = lib.mkOption {
+ type = lib.types.port;
+ default = 2222;
+ description = "Port used by the initrd SSH server.";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ boot.kernelParams = [ "ip=dhcp" ];
+ boot.initrd.network = {
+ enable = true;
+ ssh = {
+ enable = true;
+ port = cfg.port;
+ hostKeys = [ (toString cfg.hostKeyPath) ];
+ authorizedKeys = cfg.authorizedKeys;
+ };
+ };
+ boot.initrd.secrets = {
+ "${toString cfg.hostKeyPath}" = cfg.hostKeyPath;
+ };
+
+ system.activationScripts.initrdSshHostKey = {
+ deps = [ "users" "groups" ];
+ text = ''
+ install -d -m 700 "$(dirname ${toString cfg.hostKeyPath})"
+ if [ ! -f "${toString cfg.hostKeyPath}" ]; then
+ ssh-keygen -t ed25519 -N "" -f "${toString cfg.hostKeyPath}"
+ chmod 600 "${toString cfg.hostKeyPath}"
+ fi
+ '';
+ };
+ };
+}
diff --git a/modules/nixos/luks-tpm2.nix b/modules/nixos/luks-tpm2.nix
new file mode 100644
index 0000000..526afe3
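Review bot: The host key is created by `system.activationScripts.initrdSshHostKey` but consumed by `boot.initrd.secrets`, which is appended to the initrd when the bootloader is installed — and `switch-to-configuration` installs the bootloader before it runs activation scripts, as far as I recall — so on a freshly installed host the first `nixos-install`/`nixos-rebuild switch` can fail because `hostKeyPath` does not exist yet; please confirm the ordering and, if so, document that the key has to be generated once out-of-band (or do it in the install step). The explicit `boot.initrd.secrets` entry also looks redundant: I believe the upstream initrd-ssh module already registers every `hostKeys` entry as an initrd secret, so this only duplicates the same file under a second destination. The `hostKeyPath` description omits the caveat an operator needs: the private key is copied into the initrd on /boot, which is normally unencrypted, so anyone who can read the boot partition can impersonate the unlock prompt and capture the passphrase — suggest `description = "Path to the initrd SSH host private key on the target system. It is copied into the initrd on /boot (normally unencrypted) and must not be the stage-2 host key; pin it in the client's known_hosts under its own alias and port.";`. Finally, the default is a Nix path literal and the module relies on wrapping every use in `toString` to avoid importing the private key into the world-readable Nix store; a one-line comment at the `hostKeys` line, `# toString is load-bearing: interpolating the bare path would copy the key into /nix/store`, protects that from a future refactor.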
--- /dev/null
+++ b/modules/nixos/luks-tpm2.nix
@@ -0,0 +1,13 @@
+{ ... }:
+{
+ boot.initrd.luks.devices.cryptroot.crypttabExtraOpts = [
+ "tpm2-device=auto"
+ "tpm2-pcrs=7"
+ ];
+
+ security.tpm2 = {
+ enable = true;
+ pkcs11.enable = true;
+ tctiEnvironment.enable = true;
+ };
+}
diff --git a/modules/nixos/zfs-root.nix b/modules/nixos/zfs-root.nix
index 3ac9349..92498d0 100644
--- a/modules/nixos/zfs-root.nix
+++ b/modules/nixos/zfs-root.nix
@@ -6,16 +6,6 @@
 boot.initrd.luks.devices.cryptroot = {
 device = "/dev/disk/by-partlabel/cryptroot";
 allowDiscards = true;
- crypttabExtraOpts = [
- "tpm2-device=auto"
- "tpm2-pcrs=7"
- ];
- };
-
- security.tpm2 = {
- enable = true;
- pkcs11.enable = true;
- tctiEnvironment.enable = true;
 };
 
 services.zfs = {
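Review bot: `tpm2-pcrs=7` seals the LUKS key to the Secure Boot policy state only, not to the kernel and initrd that were actually booted, so unless this host boots a signed kernel/initrd (Secure Boot via lanzaboote or a signed UKI — not visible here) anyone who can edit the unencrypted /boot can boot a modified initrd that unseals the volume without a passphrase; either state that assumption in a comment above the option list, e.g. `# PCR 7 alone only binds to Secure Boot state; it assumes a signed kernel/initrd, otherwise a tampered /boot unseals the key`, or extend the policy (a PCR covering the booted image, or a signed PCR policy) and keep a passphrase/recovery slot enrolled. As I recall `crypttabExtraOpts` is only honoured by the systemd-based stage 1 (`boot.initrd.systemd.enable = true`), which this module neither sets nor asserts; an `assertions` entry or at least a comment would prevent a silent no-op on a scripted initrd. `pkcs11.enable` and `tctiEnvironment.enable` are not needed for systemd-cryptsetup's TPM2 unlock and, as far as I can tell, only add a PKCS#11 module and global TCTI environment variables to stage 2; if nothing else on kronos uses them, keeping just `security.tpm2.enable = true` is the smaller surface.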