{ config, lib, pkgs, ... }:
# NixOS module: expose the initrd sshd (used for remote unlock at boot) as a
# Tor onion service, so the machine is reachable before the root filesystem
# is mounted without depending on a public IP.
#
# `configuration.init-ssh.enable` has three states:
#   "disable" - nothing is configured.
#   "prepare" - only the running system's Tor daemon and its "bootup" onion
#               service are enabled; the initrd is left untouched.
#   "enabled" - additionally, tor and sshd are put into the initrd and the
#               onion service directory is copied in as an initrd secret.
# The "prepare" stage presumably exists so that /var/lib/tor/onion/bootup is
# generated by the system Tor before it is copied into the initrd - confirm.
let
  inherit (lib) mkIf mkMerge mkOption types;

  initSsh = config.configuration.init-ssh;

  # Root's regular authorized keys; used as the default for the initrd sshd.
  rootKeys = config.users.users.root.openssh.authorizedKeys;

  # torrc for the Tor instance started inside the initrd. Both SOCKS ports are
  # bound to loopback only, and the "bootup" onion service forwards to the
  # initrd sshd on loopback at the configured port.
  initrdTorRc = pkgs.writeText "tor.rc" ''
    DataDirectory /etc/tor
    SOCKSPort 127.0.0.1:9050 IsolateDestAddr
    SOCKSPort 127.0.0.1:9063
    HiddenServiceDir /etc/tor/onion/bootup
    HiddenServicePort ${toString initSsh.port} 127.0.0.1:${toString initSsh.port}
  '';

  # Active in both "prepare" and "enabled": the system Tor daemon plus the
  # onion service that maps onion port 22 to the regular sshd.
  systemSide = mkIf (initSsh.enable != "disable") {
    services.tor = {
      enable = true;
      client.enable = true;
      relay.onionServices.bootup.map = [ { port = 22; } ];
    };
  };

  # Active only in "enabled": everything that goes into the initrd.
  initrdSide = mkIf (initSsh.enable == "enabled") {
    # --- tor setup ---
    # NOTE(review): initrd secrets are appended to the initrd image, which
    # commonly lives on an unencrypted /boot; the onion private key and the
    # initrd ssh host key are then readable by anyone with access to that
    # partition - confirm this fits the threat model.
    boot.initrd.secrets = {
      "/etc/tor/onion/bootup" = /var/lib/tor/onion/bootup;
    };

    boot.initrd.extraUtilsCommands = ''
      copy_bin_and_libs ${pkgs.tor}/bin/tor
    '';

    # Runs once the initrd network is up: bring up loopback (the onion
    # service and SOCKS ports target 127.0.0.1), tighten permissions so tor
    # accepts its directories, check the config, then start tor in the
    # background so the sshd can keep coming up.
    boot.initrd.network.postCommands = ''
      echo "tor: preparing onion folder"
      # have to do this otherwise tor does not want to start
      chmod -R 700 /etc/tor
      echo "make sure localhost is up"
      ip a a 127.0.0.1/8 dev lo
      # ifconfig lo up
      ip link set lo up
      echo "tor: starting tor"
      tor -f ${initrdTorRc} --verify-config
      tor -f ${initrdTorRc} &
    '';

    # --- ssh setup ---
    # todo add the ssh host fingerprint to your trusted stuff
    # todo set ssh host key here
    boot.initrd.network.enable = true;
    boot.initrd.network.ssh = {
      enable = true;
      authorizedKeys = initSsh.authorizedKeys;
      port = initSsh.port;
      hostKeys = [ initSsh.hostKey ];
    };
    # The NIC driver must be available in the initrd or there is no network
    # to reach the onion service over.
    boot.initrd.availableKernelModules = initSsh.kernelModules;
  };
in
{
  options.configuration.init-ssh = {
    # See the module header for the meaning of the three states.
    enable = mkOption {
      default = "disable";
      type = types.enum [ "disable" "prepare" "enabled" ];
    };

    # No default on purpose: the right driver is machine specific.
    kernelModules = mkOption {
      type = types.listOf types.str;
      description = "lspci -v will tell you which kernel module is used for the ethernet interface";
    };

    # Port of the initrd sshd; also the onion port it is published on.
    port = mkOption {
      default = 2222;
      type = types.int;
    };

    # Defaults to root's keys; keyFiles are read at evaluation time via
    # lib.fileContents, so they must exist on the evaluating machine.
    authorizedKeys = mkOption {
      type = types.listOf types.str;
      default = rootKeys.keys ++ map lib.fileContents rootKeys.keyFiles;
    };

    # Host key for the initrd sshd, kept outside the Nix store.
    hostKey = mkOption {
      default = "/etc/secrets/initrd/ssh_host_ed25519_key";
      type = types.path;
      description = ''
        To generate keys, use ssh-keygen(1):
        # ssh-keygen -t rsa -N "" -f /etc/secrets/initrd/ssh_host_rsa_key
        # ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key
      '';
    };
  };

  config = mkMerge [ systemSide initrdSide ];
}