From a077e98cf3a718a2ae5913506495d7fedc5ef012 Mon Sep 17 00:00:00 2001 From: min Date: Sat, 14 Dec 2024 21:14:37 -0500 Subject: [PATCH] Luks SSH cleanup + disable console on eidola --- nixos/hosts/eidola/configuration.nix | 3 +- nixos/hosts/silver/configuration.nix | 1 + nixos/modules/boot/luks-ssh.nix | 41 ++++++++++------------------ 3 files changed, 18 insertions(+), 27 deletions(-) diff --git a/nixos/hosts/eidola/configuration.nix b/nixos/hosts/eidola/configuration.nix index 59ca50a..e781c8e 100644 --- a/nixos/hosts/eidola/configuration.nix +++ b/nixos/hosts/eidola/configuration.nix @@ -70,12 +70,13 @@ # My modules gen.hardening.disableSack = true; + gen.hardening.disableConsole = true; gen.bootloader.luksSsh = { enable = true; + useDhcp = true; port = 48722; hostKeys = ["/persist/etc/secrets/initrd/ssh_host_ed25519_key"]; }; - boot.initrd.network.udhcpc.enable = true; system.stateVersion = "24.05"; } diff --git a/nixos/hosts/silver/configuration.nix b/nixos/hosts/silver/configuration.nix index d55500a..c85d60c 100644 --- a/nixos/hosts/silver/configuration.nix +++ b/nixos/hosts/silver/configuration.nix @@ -101,6 +101,7 @@ in { gen.hardening.disableSack = true; gen.bootloader.luksSsh = { enable = true; + useDhcp = false; port = 48722; hostKeys = ["/persist/etc/secrets/initrd/ssh_host_ed25519_key"]; }; diff --git a/nixos/modules/boot/luks-ssh.nix b/nixos/modules/boot/luks-ssh.nix index 2f1cc83..2ba7276 100644 --- a/nixos/modules/boot/luks-ssh.nix +++ b/nixos/modules/boot/luks-ssh.nix @@ -8,7 +8,8 @@ with lib; let cfg = baseCfg.luksSsh; in { options.gen.bootloader.luksSsh = { - enable = mkEnableOption "use boot process with luks unlock over ssh"; + enable = mkEnableOption "boot process with luks unlock over ssh"; + useDhcp = mkEnableOption "dhcp"; port = mkOption { type = types.port; description = "port for ssh server to listen on"; 
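Review bot: Enabling `gen.hardening.disableConsole` on a host whose LUKS unlock now depends on `useDhcp = true` removes the local fallback: if the initrd never obtains a lease, nobody can type the passphrase at the machine and the boot stalls in cryptsetup. I cannot see what `gen.hardening.disableConsole` does, so this assumes it actually takes away the stage-1 console. A comment next to the option recording the intended recovery path would help the next operator, e.g. `gen.hardening.disableConsole = true; # no local console: LUKS unlock relies on initrd DHCP + SSH; recovery path: <document here>`.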
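Review bot: `useDhcp = false;` turns off udhcpc in the initrd, so unless silver sets a static stage-1 address (an `ip=` entry in `boot.kernelParams`, which is not in this hunk), the SSH unlock listener on port 48722 has no network and remote unlock silently stops working on this host. Before this commit the module left `boot.initrd.network.udhcpc.enable` at its NixOS default, which, if I recall correctly, follows `networking.useDHCP`, so silver may have been getting initrd DHCP implicitly. If the static address is configured elsewhere in this file, a one-line comment such as `useDhcp = false; # static initrd address via ip= kernel parameter` would make that dependency visible.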
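Review bot: `useDhcp = mkEnableOption "dhcp";` yields the description "Whether to enable dhcp." and a default of false, which says nothing about what is being switched and, if the upstream default of `boot.initrd.network.udhcpc.enable` follows `networking.useDHCP` as I recall, quietly changes the default for any host that enables this module without setting `useDhcp` (both hosts in this patch set it explicitly, which suggests the author noticed). A fuller description would document the contract: `useDhcp = mkEnableOption "udhcpc in the initrd so the LUKS-unlock SSH server gets an address; when disabled a static address must be provided via the ip= kernel parameter";`. If `config` is among the module's arguments, `// { default = config.networking.useDHCP; }` would preserve the previous default instead. The `let` binding and `in {` that open this module begin above the hunk.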
@@ -20,34 +21,22 @@ in { }; config = mkIf cfg.enable { - # ### Use systemd-boot ### - # boot.loader = { - # efi.canTouchEfiVariables = true; - - # timeout = 2; - # systemd-boot = { - # enable = true; - # configurationLimit = 3; - # }; - # }; - ### LUKS unlock through SSH ### - boot.initrd = { - network = { + boot.initrd.network = { + enable = true; + flushBeforeStage2 = true; + udhcpc.enable = cfg.useDhcp; + + ssh = { enable = true; - flushBeforeStage2 = true; - - ssh = { - enable = true; - authorizedKeys = import ../../keys/ssh.nix; - inherit (cfg) hostKeys port; - }; - - postCommands = '' - # Automatically ask for the password on SSH login - echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1' >> /root/.profile - ''; + authorizedKeys = import ../../keys/ssh.nix; + inherit (cfg) hostKeys port; }; + + postCommands = '' + # Automatically ask for the password on SSH login + echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1' >> /root/.profile + ''; }; }; }
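Review bot: The profile line appended in `postCommands` has inverted precedence: the shell parses `cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1` as `(cryptsetup-askpass || echo ...) && exit 1`, so the success message is printed only when askpass fails and a successful unlock exits silently. `cryptsetup-askpass && echo "Unlock was successful; exiting SSH session"; exit 1` gives the intended behaviour; the commit moves this line but does not fix it. Separately, the key named by `inherit (cfg) hostKeys port;` is, as far as I know, copied into the initrd image at build time and NixOS warns that such initrd secrets are stored unencrypted, so a short comment noting that the boot partition must be treated as holding that private host key would help the next reader.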