kyra(hardening): initrd re-init; systemd, ssh, luks, networkd in initrd

Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-05-03 15:27:12 +03:00 · 2026-05-03 15:27:12 +03:00 · 6bcb4f2778
commit 6bcb4f2778
parent 99f0086358
1 changed files with 228 additions and 0 deletions
--- a/kyra/boot/initrd.nix
+++ b/kyra/boot/initrd.nix
@ -0,0 +1,228 @@
+{
+  lib,
+  name,
+  pkgs,
+  ...
+}: {
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "virtio_rng"
+        "virtio_pci"
+        "virtio_net"
+        "virtio_scsi"
+        "virtio_blk"
+        "sd_mod"
+        "sr_mod"
+        "dm_crypt"
+      ];
+
+      luks = {
+        mitigateDMAAttacks = true;
+        cryptoModules = [
+          "aesni_intel"
+          "cryptd"
+        ];
+      };
+
+      systemd = {
+        enable = true;
+        emergencyAccess = false;
+
+        extraBin = {
+          "pw" = "${lib.getExe' pkgs.systemd "systemd-tty-ask-password-agent"}";
+        };
+
+        network = {
+          networks = lib.mkMerge [
+            (
+              lib.mkIf (
+                name == "ivy"
+              )
+              {
+                "10-ens3" = {
+                  matchConfig = {
+                    Name = "ens3";
+                  };
+
+                  addresses = [
+                    {
+                      Address = "93.115.203.92/24";
+                    }
+
+                    {
+                      Address = "2001:67c:263c::8fa/64";
+                    }
+                  ];
+
+                  routes = [
+                    {
+                      Gateway = "93.115.203.1";
+                    }
+
+                    {
+                      Gateway = "2001:67c:263c::1";
+                    }
+                  ];
+                };
+              }
+            )
+
+            (
+              lib.mkIf (
+                name == "mel"
+              )
+              {
+                "10-eth0" = {
+                  matchConfig = {
+                    Name = "eth0";
+                  };
+
+                  addresses = [
+                    {
+                      Address = "45.11.229.245/24";
+                    }
+
+                    {
+                      Address = "2a0e:97c0:3e3:20a::1/64";
+                    }
+                  ];
+
+                  networkConfig = {
+                    IPv6AcceptRA = false;
+                  };
+
+                  routes = [
+                    {
+                      Gateway = "45.11.229.1";
+                    }
+
+                    {
+                      Gateway = "fe80::1";
+                      GatewayOnLink = true;
+                    }
+                  ];
+                };
+              }
+            )
+
+            (
+              lib.mkIf (
+                name == "yara"
+              )
+              {
+                "10-ens3" = {
+                  matchConfig = {
+                    Name = "ens3";
+                  };
+
+                  addresses = [
+                    {
+                      Address = "138.124.240.75/32";
+                    }
+
+                    {
+                      Address = "2a0d:d940:1a:1500::2/56";
+                    }
+                  ];
+
+                  networkConfig = {
+                    IPv6AcceptRA = false;
+                  };
+
+                  routes = [
+                    {
+                      Gateway = "10.0.0.1";
+                      GatewayOnLink = true;
+                    }
+
+                    {
+                      Gateway = "2a0d:d940:1a:1500::1";
+                      GatewayOnLink = true;
+                    }
+                  ];
+                };
+              }
+            )
+
+            (
+              lib.mkIf (
+                name == "hazel"
+              )
+              {
+                "10-ens3" = {
+                  matchConfig = {
+                    Name = "ens3";
+                  };
+
+                  addresses = [
+                    {
+                      Address = "90.156.226.152";
+                    }
+
+                    {
+                      Address = "2a03:6f01:1:2::cb1e";
+                    }
+                  ];
+
+                  routes = [
+                    {
+                      Gateway = "90.156.226.1";
+                    }
+
+                    {
+                      Gateway = "2a03:6f01:1:2::1";
+                      GatewayOnLink = true;
+                    }
+                  ];
+
+                  networkConfig = {
+                    IPv6AcceptRA = false;
+                  };
+                };
+              }
+            )
+
+            (
+              lib.mkIf (
+                name == "lynn"
+              )
+              {
+                "10-ens3" = {
+                  matchConfig = {
+                    Name = "ens3";
+                  };
+
+                  addresses = [
+                    {
+                      Address = "138.124.72.244";
+                    }
+                  ];
+
+                  routes = [
+                    {
+                      Gateway = "138.124.72.1";
+                    }
+                  ];
+                };
+              }
+            )
+          ];
+        };
+      };
+
+      network = {
+        enable = true;
+
+        ssh = {
+          enable = true;
+          port = 27485;
+
+          hostKeys = [
+            "/etc/ssh/initrd_ssh_host_ed25519_key"
+          ];
+        };
+      };
+    };
+  };
+}