pyrox.dev / nixpkgs
lol
fork atom
nixpkgs / nixos / modules / system / boot / initrd-ssh.nix
at 18.09-beta 4.0 kB view raw
1{ config, lib, pkgs, ... }: 2 3with lib; 4 5let 6 7 cfg = config.boot.initrd.network.ssh; 8 9in 10 11{ 12 13 options = { 14 15 boot.initrd.network.ssh.enable = mkOption { 16 type = types.bool; 17 default = false; 18 description = '' 19 Start SSH service during initrd boot. It can be used to debug failing 20 boot on a remote server, enter pasphrase for an encrypted partition etc. 21 Service is killed when stage-1 boot is finished. 22 ''; 23 }; 24 25 boot.initrd.network.ssh.port = mkOption { 26 type = types.int; 27 default = 22; 28 description = '' 29 Port on which SSH initrd service should listen. 30 ''; 31 }; 32 33 boot.initrd.network.ssh.shell = mkOption { 34 type = types.str; 35 default = "/bin/ash"; 36 description = '' 37 Login shell of the remote user. Can be used to limit actions user can do. 38 ''; 39 }; 40 41 boot.initrd.network.ssh.hostRSAKey = mkOption { 42 type = types.nullOr types.path; 43 default = null; 44 description = '' 45 RSA SSH private key file in the Dropbear format. 46 47 WARNING: Unless your bootloader supports initrd secrets, this key is 48 contained insecurely in the global Nix store. Do NOT use your regular 49 SSH host private keys for this purpose or you'll expose them to 50 regular users! 51 ''; 52 }; 53 54 boot.initrd.network.ssh.hostDSSKey = mkOption { 55 type = types.nullOr types.path; 56 default = null; 57 description = '' 58 DSS SSH private key file in the Dropbear format. 59 60 WARNING: Unless your bootloader supports initrd secrets, this key is 61 contained insecurely in the global Nix store. Do NOT use your regular 62 SSH host private keys for this purpose or you'll expose them to 63 regular users! 64 ''; 65 }; 66 67 boot.initrd.network.ssh.hostECDSAKey = mkOption { 68 type = types.nullOr types.path; 69 default = null; 70 description = '' 71 ECDSA SSH private key file in the Dropbear format. 72 73 WARNING: Unless your bootloader supports initrd secrets, this key is 74 contained insecurely in the global Nix store. Do NOT use your regular 75 SSH host private keys for this purpose or you'll expose them to 76 regular users! 77 ''; 78 }; 79 80 boot.initrd.network.ssh.authorizedKeys = mkOption { 81 type = types.listOf types.str; 82 default = config.users.users.root.openssh.authorizedKeys.keys; 83 description = '' 84 Authorized keys for the root user on initrd. 85 ''; 86 }; 87 88 }; 89 90 config = mkIf (config.boot.initrd.network.enable && cfg.enable) { 91 assertions = [ 92 { assertion = cfg.authorizedKeys != []; 93 message = "You should specify at least one authorized key for initrd SSH"; 94 } 95 ]; 96 97 boot.initrd.extraUtilsCommands = '' 98 copy_bin_and_libs ${pkgs.dropbear}/bin/dropbear 99 cp -pv ${pkgs.glibc.out}/lib/libnss_files.so.* $out/lib 100 ''; 101 102 boot.initrd.extraUtilsCommandsTest = '' 103 $out/bin/dropbear -V 104 ''; 105 106 boot.initrd.network.postCommands = '' 107 echo '${cfg.shell}' > /etc/shells 108 echo 'root:x:0:0:root:/root:${cfg.shell}' > /etc/passwd 109 echo 'passwd: files' > /etc/nsswitch.conf 110 111 mkdir -p /var/log 112 touch /var/log/lastlog 113 114 mkdir -p /etc/dropbear 115 116 mkdir -p /root/.ssh 117 ${concatStrings (map (key: '' 118 echo ${escapeShellArg key} >> /root/.ssh/authorized_keys 119 '') cfg.authorizedKeys)} 120 121 dropbear -s -j -k -E -p ${toString cfg.port} ${optionalString (cfg.hostRSAKey == null && cfg.hostDSSKey == null && cfg.hostECDSAKey == null) "-R"} 122 ''; 123 124 boot.initrd.secrets = 125 (optionalAttrs (cfg.hostRSAKey != null) { "/etc/dropbear/dropbear_rsa_host_key" = cfg.hostRSAKey; }) // 126 (optionalAttrs (cfg.hostDSSKey != null) { "/etc/dropbear/dropbear_dss_host_key" = cfg.hostDSSKey; }) // 127 (optionalAttrs (cfg.hostECDSAKey != null) { "/etc/dropbear/dropbear_ecdsa_host_key" = cfg.hostECDSAKey; }); 128 129 }; 130 131}