NixOS initrd ssh config
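#!/usr/bin/env nix-shell
#!nix-shell --pure -p dropbear -p cpio -p gzip -i bash
# Build a separate gzip'd cpio initrd that carries the dropbear host key for the
# NixOS initrd SSH server. The key is shipped through /boot instead of through the
# hostECDSAKey option, which the Nix config marks as "not secret".
set -e
set -o pipefail
# Restrict file modes before any key material or archive is written, so the script
# does not rely on the creating tool's own permission handling.
umask 0077
# On-disk copy of the private host key ("ecda" is the existing path spelling; keep it).
key_location=/etc/nixos/dropbear_ecda_host_key
# Path at which dropbear looks for the key inside the initrd.
target_path=/etc/dropbear/dropbear_ecdsa_host_key
initrd_dest=/boot/secrets_initramfs.gz # must match boot.loader.grub.extraInitrd in the nix config
# Generate the host key only once; reusing it keeps the initrd host fingerprint stable across rebuilds.
if [ ! -f "$key_location" ]; then
dropbearkey -t ecdsa -f "$key_location"
fi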
# Remove the mktemp scratch tree, if one exists. Safe to run from the EXIT trap
# before work_dir has been assigned: an empty or missing path is simply skipped.
cleanup_work_dir() {
test -d "$work_dir" || return 0
rm -rf "$work_dir"
}
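# The archive is staged next to its destination and moved into place at the end,
# so a failing pipeline (set -o pipefail) never leaves a truncated secrets initrd
# for the bootloader to load; the previous initrd stays intact until the new one is complete.
staged="$initrd_dest.tmp"
trap 'cleanup_work_dir; rm -f "$staged"' EXIT
work_dir=$(mktemp -d)
mkdir -p "$work_dir/$(dirname "$target_path")"
# The copy inherits the restrictive umask set earlier; only the path dropbear expects is included.
cp "$key_location" "$work_dir/$target_path"
cd "$work_dir"
# newc is the cpio format the kernel unpacks; entries are relative (./etc/...) so they
# land under the initrd root. The explicit "." is what GNU find defaults to anyway.
find . -print0 | cpio --null -ov --format=newc | gzip -9 > "$staged"
mv -f "$staged" "$initrd_dest"
# NOTE(review): if /boot is a FAT filesystem, the 0600 mode from umask does not apply there — confirm.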
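# NixOS module: enable SSH into the initrd and take the dropbear host key from a
# separate, non-store initrd built by the companion script.
{ config, pkgs, lib, ... }:
let
# One public key per line; blank lines are dropped so no empty authorized_keys entry is produced.
lorneSSHKeys = lib.filter (k: k != "") (lib.splitString "\n" (lib.fileContents ./lorne.keys));
in
{
boot.initrd = {
# NIC driver needed before the root filesystem is mounted; adjust to the host's hardware.
availableKernelModules = [ "e1000" ];
network.enable = true;
network.ssh = {
enable = true;
# Presumably a distinct port so clients keep the initrd host key separate from the main sshd's — confirm.
port = 2022;
authorizedKeys = lorneSSHKeys;
# Deliberately unset: a path literal here would be copied into the nix store,
# which is readable by every user, so the private key would not stay secret.
# hostECDSAKey = /etc/nixos/initrd_host_key; # not secret!
};
};
# Secrets initrd produced by the build script; must match its initrd_dest.
# NOTE(review): newer NixOS releases provide boot.initrd.secrets for this purpose.
boot.loader.grub.extraInitrd = "/boot/secrets_initramfs.gz";
}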