{ config, pkgs, ... }:

let
  # Public key allowed to log in to the initrd SSH server (the pre-boot
  # unlock prompt). Only the holder of the matching private key can connect.
  unlockKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCpgihAg8Qzu5q+AGXHLR7p+rrS1yB0KlZb/Y/EwZT15EhEtsUMqBMRiY0TdjKQU0broyygZnymccLmCXvihEgk3zk/hP8VEDmN5wmE2tRBPR4lSjo8E1R8N79G+gaFkwi93QYh57MsGfa9k4tvGrJy0yaD7GrPqtQf+IIuvV14WJQAqnikTdbFqRjk5JGearYLU7jSKa+9NmR7JQ9NExoyIPgmQ/pd0Xc2qt8k5UGfz3HM9MAmIVQ30whK6m1iYZ8nxEidHrfreQx8NOa7ujo4zQnV1NYvRUjObr/qyIhPU6DYLT2mVRNupQFKx6LI38O4U13heugUFqJ3zvog3aDsriFiv8jzJAJvWXx7Q3TqKhqiG9VTkwBw1NDbCAOXKiEdMfiCYbdCfpNgdepU75bMloJcSQQVUqoH2tQhSbwKLuRFgOnyaHpvWbieXBRcUnfG8gg4p4jqiwx5laweEeOIOD/i7G1Mjx7Dj2ctnT/ILat/xsf+Y0W4eJr3bc5L9ghgw6wsKbNSqwjFUCFcHcARK3gvSH+hO2/BpgMVoyvZjO5PNuUqfsZ7bIIs5cDdyB/ly3irKuaRz1+3x1x4gPgSiOcji7HxPwogzhPsyfoRLHNt9tJ5X4nF2Iz1M5RTJpbZCi6yEj+9Q85FVjD76BEWuZe18kRrwhuLf/XgKdF9tQ== openpgp:0xA8B75370";
in
{
  # Remote unlocking of the encrypted root partition over SSH, served from
  # the initrd before the root filesystem is available.
  # TODO: Some manual steps are required, see https://nixos.wiki/wiki/Remote_LUKS_Unlocking
  #
  # Additional references:
  # https://wiki.archlinux.org/title/Dm-crypt/Specialties#Remote_unlocking_of_root_(or_other)_partition
  boot.initrd = {
    network = {
      # Bring up networking inside the initrd so the SSH server is reachable.
      enable = true;

      ssh = {
        enable = true;

        # NOTE(review): if the booted system's sshd also listens on port 22,
        # clients will see two different host keys for the same host:port.
        # A separate known_hosts entry (or a distinct initrd port) keeps
        # host-key warnings meaningful — confirm against the sshd config.
        port = 22;

        # The login shell is the passphrase prompt itself, so a session goes
        # straight to unlocking rather than to a general-purpose shell.
        shell = "/bin/cryptsetup-askpass";

        authorizedKeys = [ unlockKey ];

        # Kept as a quoted string (not a Nix path literal), so the file is
        # referenced by location rather than imported as a path value.
        # This must be a key generated only for the initrd, never the
        # system's regular host key: the initrd is not covered by the root
        # encryption, so this private key has to be treated as exposed to
        # anyone with access to the boot partition.
        hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
      };
    };

    # Kernel module for the network card, needed for networking in the initrd.
    #
    # Find out which module is used for the network card:
    #   lspci -v | grep -iA8 'network\|ethernet'
    # Or check the "Network" part of:
    #   inxi -F
    #
    #availableKernelModules = [ "r8169" ]; # TODO: This value is valid for yodaTux only
    availableKernelModules = [ "e1000e" ]; # TODO: This value is valid for yodaYoga only
  };

  # Obtain the initrd network configuration via DHCP.
  #
  # dmesg -> enp0s20f0u1u2: renamed from eth0
  #boot.kernelParams = [ "ip=:::::eth0:dhcp" ];
  boot.kernelParams = [ "ip=dhcp" ];
  # TODO: Timeout if no Internet connection is available (to be able to enter password with a keyboard).
}