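{ config, pkgs, ... }:
let
  host = config.networking.hostName;

  # Per-host settings for the initrd SSH unlock. A host that is missing from
  # these maps fails evaluation on purpose (see the `throw`s below) instead of
  # silently falling back to a default.

  # TCP port the initrd sshd listens on.
  initrdSshPort = {
    yodaTux = 22;
    yodaTab = 22;
    yodaGaming = 22;
    yodaYoga = 2225;
    yodaNas = 2223;
    yodaHedgehog = 2227;
  };

  # Kernel module of the network card, so the interface exists in the initrd.
  initrdNetworkModules = {
    yodaTux = [ "r8169" ];
    yodaHedgehog = [ "r8169" ];
    yodaYoga = [ "e1000e" ];
    yodaNas = [ "e1000e" ];
    yodaGaming = [ "tg3" ];
  };
in
{
  # Unlock encrypted root partition remotely with SSH.
  # TODO: Some manual steps are required, see https://nixos.wiki/wiki/Remote_LUKS_Unlocking#Prepare_SSH_host_keys
  # -> ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key
  #
  # Additional references:
  # https://wiki.archlinux.org/title/Dm-crypt/Specialties#Remote_unlocking_of_root_(or_other)_partition

  # SSH in initrd
  boot.initrd.network.enable = true;
  boot.initrd.network.ssh = {
    enable = true;
    # `or` evaluates the fallback only when `host` is not a key of the map, so
    # the throw fires exactly for unlisted hosts, as the former if-chain did.
    port = initrdSshPort.${host} or (throw "Please add initrd ssh port here");
    # Every session runs the passphrase prompt instead of an interactive shell.
    shell = "/bin/cryptsetup-askpass";
    # TODO: Use the new option authorizedKeyFiles instead
    authorizedKeys = [
      (builtins.readFile ../assets/ssh/nitrokey.pub)
    ];
    # NOTE(review): this key is generated separately from the stage-2 host key
    # (see the ssh-keygen step above). It ends up inside the initrd, which is
    # presumably stored unencrypted alongside the kernel, so it should be kept
    # distinct from, and trusted less than, the stage-2 key - confirm against
    # the linked wiki page.
    hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
  };

  # Network in initrd
  #
  # Find out which module is used for network card:
  # lspci -v | grep -iA8 'network\|ethernet'
  # Or check the "Network" part of:
  # inxi -F
  #
  boot.initrd.availableKernelModules =
    initrdNetworkModules.${host} or (throw "Please add kernel module of network card here");
  #
  # dmesg -> enp0s20f0u1u2: renamed from eth0 (yodaTux)
  # dmesg -> enp0s31f6: renamed from eth0 (yodaYoga)
  #boot.kernelParams = [ "ip=:::::eth0:dhcp" ];
  boot.kernelParams = [ "ip=dhcp" ];

  # Clear the configuration of the interfaces that were set up in the initrd right before stage 2 takes over.
  # Stage 2 will do the regular network configuration based on the NixOS networking options.
  # https://nixos.org/manual/nixos/stable/options#opt-boot.initrd.network.flushBeforeStage2
  #boot.initrd.network.flushBeforeStage2 = true;
  # TODO: Timeout if no Internet connection is available (to be able to enter password with a keyboard).
}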