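# NixOS module: reach the initrd (stage 1) over SSH through a Tor onion
# service, e.g. to unlock disks remotely without exposing a listening port.
#
# `enable` is a three-state switch:
#   "disable" - nothing is configured.
#   "prepare" - only the stage-2 tor daemon with the `bootup` onion service is
#               enabled, so that tor creates the onion key pair under
#               /var/lib/tor/onion/bootup.
#   "enabled" - additionally tor and the initrd SSH daemon are placed into the
#               initrd; the onion key material from "prepare" is copied in via
#               boot.initrd.secrets and tor is started from
#               boot.initrd.network.postCommands.
{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.configuration.init-ssh;

  # Initrd-only tor configuration.  It holds no secrets itself (the onion key
  # material arrives through boot.initrd.secrets), so it can live in the
  # world-readable nix store.  The HiddenServicePort mapping uses cfg.port on
  # both sides so the onion address serves the initrd sshd on that port.
  initrdTorRc = pkgs.writeText "tor.rc" ''
    DataDirectory /etc/tor
    SOCKSPort 127.0.0.1:9050 IsolateDestAddr
    SOCKSPort 127.0.0.1:9063
    HiddenServiceDir /etc/tor/onion/bootup
    HiddenServicePort ${toString cfg.port} 127.0.0.1:${toString cfg.port}
  '';
in
{
  options.configuration.init-ssh = {
    enable = mkOption {
      default = "disable";
      type = with types; enum [ "disable" "prepare" "enabled" ];
      description = ''
        "disable": nothing is configured. "prepare": run tor in stage 2 with
        the bootup onion service so that its key pair gets generated.
        "enabled": additionally start tor and an SSH daemon inside the initrd.
      '';
    };

    # No default on purpose: with enable = "enabled" the module fails to
    # evaluate until the caller states which modules (e.g. the network driver)
    # the initrd needs, instead of silently producing an unreachable initrd.
    kernelModules = mkOption {
      type = with types; listOf str;
      description = ''
        Kernel modules made available in the initrd
        (boot.initrd.availableKernelModules) when enable = "enabled".
      '';
    };

    port = mkOption {
      default = 23;
      type = with types; int;
      description = ''
        Port of the initrd SSH daemon.  The same port is used as virtual port
        of the bootup onion service in stage 1 and in stage 2.
      '';
    };

    authorizedKeys = mkOption {
      type = with types; listOf str;
      # Default: root's stage-2 authorized keys, both the inline ones and the
      # contents of the configured key files.
      default = config.users.users.root.openssh.authorizedKeys.keys ++ (
        map (keyFile: lib.fileContents keyFile)
          config.users.users.root.openssh.authorizedKeys.keyFiles
      );
      description = ''
        Public keys accepted by the initrd SSH daemon.
      '';
    };

    # NOTE(review): the three host key options are passed straight to
    # boot.initrd.network.ssh.host*Key.  In the NixOS releases that still
    # provide those options the key file is embedded in the initrd from the
    # nix store, i.e. it is readable by every local user -- generate dedicated
    # dropbear keys as the descriptions say and do not reuse the stage-2 host
    # keys.  ssh-dss is also deprecated by OpenSSH clients; prefer ECDSA or RSA.
    hostDSSKey = mkOption {
      default = null;
      type = with types; nullOr path;
      description = ''
        you only need one host key
        nix-shell -p dropbear --run "dropbearkey -t dss -f ./host_dss_key"
      '';
    };

    hostECDSAKey = mkOption {
      default = null;
      type = with types; nullOr path;
      description = ''
        you only need one host key
        nix-shell -p dropbear --run "dropbearkey -t ecdsa -f ./host_ecdsa_key"
      '';
    };

    hostRSAKey = mkOption {
      default = null;
      type = with types; nullOr path;
      description = ''
        you only need one host key
        nix-shell -p dropbear --run "dropbearkey -t rsa -f ./host_rsa_key"
      '';
    };
  };

  config = mkMerge [
    # "prepare" and "enabled": the stage-2 tor daemon owns the `bootup` onion
    # service; its key pair lands in /var/lib/tor/onion/bootup, the path that
    # is copied into the initrd below.  The mapping uses cfg.port (previously a
    # hard-coded 23) so that stage 1 and stage 2 agree on the virtual port.
    (mkIf (cfg.enable != "disable") {
      services.tor = {
        enable = true;
        client.enable = true;
        hiddenServices.bootup.map = [ { port = cfg.port; } ];
      };
    })

    (mkIf (cfg.enable == "enabled") {
      # tor setup
      #
      # The onion directory is given as a string, not as a path literal: a
      # path literal that ends up interpolated into a string is copied into
      # the world-readable nix store, which must never happen to the onion
      # private key.  A string is only stringified.
      #
      # NOTE(review): boot.initrd.secrets are appended to the initrd image kept
      # on the boot partition, which is usually unencrypted; the onion private
      # key therefore relies on that partition being trusted -- confirm this
      # matches the threat model.
      boot.initrd.secrets = {
        "/etc/tor/onion/bootup" = "/var/lib/tor/onion/bootup";
        "/etc/tor/tor.rc" = initrdTorRc;
      };

      boot.initrd.extraUtilsCommands = ''
        copy_bin_and_libs ${pkgs.tor}/bin/tor
      '';

      # Runs once the initrd network is up.  The exit status of
      # --verify-config is not checked; the daemon is started regardless.
      boot.initrd.network.postCommands = ''
        echo "tor: preparing onion folder"
        # have to do this otherwise tor does not want to start
        chmod -R 700 /etc/tor
        echo "tor: starting tor"
        tor -f /etc/tor/tor.rc --verify-config
        tor -f /etc/tor/tor.rc &
      '';

      # ssh setup
      # todo add the ssh host fingerprint to your trusted stuff
      # todo set ssh host key here
      boot.initrd.network.enable = true;
      boot.initrd.network.ssh = {
        enable = true;
        authorizedKeys = cfg.authorizedKeys;
        port = cfg.port;
        hostDSSKey = cfg.hostDSSKey;
        hostECDSAKey = cfg.hostECDSAKey;
        hostRSAKey = cfg.hostRSAKey;
      };
      boot.initrd.availableKernelModules = cfg.kernelModules;
    })
  ];
}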