surgat: add sshd to initrd

nixos/modules/profiles/cloud.nix

@@ -0,0 +1,34 @@
+{ config, lib, ... }:
+let
+  secretsPath = config.dadada.secrets.path;
+  initrdHostKey = "${config.networking.hostName}-ssh_host_ed25519_key";
+in
+{
+  boot.initrd.availableKernelModules = [ "virtio-pci" ];
+  boot.initrd.network = {
+    enable = true;
+    ssh = {
+      enable = true;
+      port = 43235;
+      hostKeys = [
+        age.secrets."${initrdHostKey}"
+      ];
+      authorizedKeys = with lib;
+        concatLists (mapAttrsToList
+          (name: user:
+            if elem "wheel" user.extraGroups then
+              user.openssh.authorizedKeys.keys
+            else
+              [ ])
+          config.users.users);
+    };
+    postCommands = ''
+      echo 'cryptsetup-askpass' >> /root/.profile
+    '';
+  };
+
+  age.secrets."${initrdHostKey}" = {
+    file = "${secretsPath}/${initrdHostKey}";
+    mode = "600";
+  };
+}

nixos/modules/profiles/server.nix

@@ -26,7 +26,7 @@ with lib; {
   system.autoUpgrade = {
     enable = true;
     flake = "github:dadada/nix-config#${config.networking.hostName}";
-    allowReboot = true;
+    allowReboot = mkDefault true;
     randomizedDelaySec = "45min";
   };
 

nixos/surgat/configuration.nix

@@ -113,5 +113,7 @@ in
     ];
   };
 
+  system.autoUpgrade.allowReboot = false;
+
   system.stateVersion = "20.09";
 }

secrets/secrets.nix

@@ -19,6 +19,7 @@ in
   "hydra-github-authorization.age".publicKeys = [ systems.pruflas dadada ];
   "miniflux-admin-credentials.age".publicKeys = [ systems.surgat dadada ];
   "gorgon-backup-passphrase-gs.age".publicKeys = [ systems.gorgon dadada ];
+  "surgat-ssh_host_ed25519_key.age".publicKeys = [ systems.surgat dadada ];
 } //
 backupSecrets "gorgon" //
 backupSecrets "ifrit" //