From a572c0ab37193dfb485cfa215c3a61211a6ec444 Mon Sep 17 00:00:00 2001
From: "qo.is sysadmin"
Date: Sat, 10 Apr 2021 18:37:07 +0200
Subject: [PATCH] Add luks-ssh to lindberg
---
 host/lindberg/networking.nix | 6 ++++++
 modules/luks-ssh/default.nix | 31 +++++++++++++++++++++++++------
 2 files changed, 31 insertions(+), 6 deletions(-)
diff --git a/host/lindberg/networking.nix b/host/lindberg/networking.nix
index 77fce96..6cb2370 100644
--- a/host/lindberg/networking.nix
+++ b/host/lindberg/networking.nix
@@ -6,4 +6,10 @@ in {
 networking.useDHCP = false;
 networking.interfaces.enp5s0.useDHCP = true;
+
+ services.qois.luks-ssh = {
+ enable = true;
+ interface = "enp5s0";
+ sshPort = 2222;
+ };
 }
diff --git a/modules/luks-ssh/default.nix b/modules/luks-ssh/default.nix
index 12b3885..9e736fc 100644
--- a/modules/luks-ssh/default.nix
+++ b/modules/luks-ssh/default.nix
@@ -18,24 +18,41 @@ in {
 ip = mkOption {
 type = types.str;
 example = "192.168.0.1";
+ default = "dhcp";
 description = ''
- Host IP Address.
+ Host IP Address or "dhcp" (default).
 '';
 };
 gateway = mkOption {
 type = types.str;
+ default = null;
 example = "192.168.0.1";
 description = ''
- IP of gateway.
+ IP of gateway. May be null if ip is aquired by dhcp.
 '';
 };
 netmask = mkOption {
 type = types.str;
+ default = null;
 example = "192.168.0.1";
 description = ''
- Netmask of internal network.
+ Netmask of internal network. May be null if ip is aquired by dhcp.
+ '';
+ };
+
+ sshHostKey = mkOption {
+ type = types.str;
+ default = "/secrets/initrd_ssh_key_ed25519";
+ description = ''
+ Hostkey for ssh connection.
+ The key is stored in an unencrypted form,
+ so it is strongly advised against using the normal host key.
+
+ You can generate a host key with:
+
+ ssh-keygen -t ed25519 -N "" -f /secrets/initrd_ssh_key_ed25519
 '';
 };
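Review bot: The literal "enp5s0" now appears twice in this file, in the existing `networking.interfaces.enp5s0.useDHCP = true;` and in the new `interface = "enp5s0";`, so a NIC rename has to be fixed in two places and a mismatch would only show up as an initrd that never brings up networking. The hunk header shows the file already has a `let … in`, so binding `iface = "enp5s0";` there and writing `networking.interfaces.${iface}.useDHCP = true;` and `interface = iface;` keeps both in step. Nothing here sets `sshHostKey`, so this host relies on the module's default key path existing on lindberg when the initrd is built; a one-line comment such as `# initrd host key: module default /secrets/initrd_ssh_key_ed25519 must exist on this host` would make that dependency visible. The enclosing attribute set starts outside the hunk.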
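Review bot: `gateway` and `netmask` are given `default = null;` while keeping `type = types.str;`, and null is not a string, so when either option is evaluated without an explicit definition the module system's type check on the default should reject it instead of yielding null; both options need `type = types.nullOr types.str;` to match their new descriptions. Because `cfg.gateway` and `cfg.netmask` are presumably only forced in the non-DHCP branch, the problem stays hidden for the new default and surfaces for static configurations as a type error rather than a message naming the missing option. The two new description lines also misspell "acquired" as "aquired". The `sshHostKey` description rightly warns that the key ends up unencrypted in the initrd; it would help to also state `The file must not be placed in the Nix store, which is world-readable.` so nobody points the option at a store path.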
@@ -61,8 +78,7 @@ in {
 user.openssh.authorizedKeys.keys else [ ]) config.users.users);
- # Generate hostkey with ssh-keygen -t ed25519 -N "" -f /secrets/initrd_ssh_key_ed25519
- hostKeys = [ "/secrets/initrd_ssh_key_ed25519" ];
+ hostKeys = [ cfg.sshHostKey ];
 };
 postCommands = ''
 echo 'cryptsetup-askpass' >> /root/.profile
@@ -70,7 +86,10 @@ in {
 };
 boot.kernelParams = [
- "ip=${cfg.ip}::${cfg.gateway}:${cfg.netmask}:${config.networking.hostName}:${cfg.interface}:none"
+ (if cfg.ip == "dhcp" then
+ "ip=::::${config.networking.hostName}:${cfg.interface}:dhcp"
+ else
+ "ip=${cfg.ip}::${cfg.gateway}:${cfg.netmask}:${config.networking.hostName}:${cfg.interface}:none")
 ];
 # see https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt
 boot.initrd.postMountCommands = ''
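Review bot: The `else` branch of the new `boot.kernelParams` expression still interpolates `${cfg.gateway}` and `${cfg.netmask}`, which this commit gives a default of null, so a user who sets a static `ip` but leaves either option unset gets a coercion or type error deep inside the kernel-parameter string rather than a message naming the missing setting. An assertion in the module's `config` block that requires both whenever `cfg.ip != "dhcp"` would report the problem at evaluation time with a clear message; the enclosing `config` block starts outside this hunk. The DHCP form `ip=::::<hostname>:<iface>:dhcp` matches the nfsroot.txt field order referenced in the comment below it.

```nix
# … unchanged: boot.initrd.network.ssh settings …
assertions = [{
  assertion = cfg.ip == "dhcp" || (cfg.gateway != null && cfg.netmask != null);
  message = "services.qois.luks-ssh: gateway and netmask must be set unless ip = \"dhcp\".";
}];
# … unchanged: boot.kernelParams and boot.initrd.postMountCommands …
```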