mirror of
https://codeberg.org/privacy1st/nix-git
synced 2024-12-05 00:05:04 +01:00
62 lines
2.4 KiB
Nix
62 lines
2.4 KiB
Nix
{ config, pkgs, ... }:
|
|
{
|
|
# Unlock encrypted root partition remotely with SSH.
|
|
# TODO: Some manual steps are required, see https://nixos.wiki/wiki/Remote_LUKS_Unlocking#Prepare_SSH_host_keys
|
|
# -> ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key
|
|
#
|
|
# Additional references:
|
|
# https://wiki.archlinux.org/title/Dm-crypt/Specialties#Remote_unlocking_of_root_(or_other)_partition
|
|
|
|
# SSH in initrd
|
|
boot.initrd.network.enable = true;
|
|
boot.initrd.network.ssh = {
|
|
enable = true;
|
|
port = (
|
|
if (config.networking.hostName == "yodaTux") || (config.networking.hostName == "yodaTab") || (config.networking.hostName == "yodaGaming")
|
|
then 22
|
|
else if (config.networking.hostName == "yodaYoga")
|
|
then 2225
|
|
else if (config.networking.hostName == "yodaNas")
|
|
then 2223
|
|
else if (config.networking.hostName == "yodaHedgehog")
|
|
then 2227
|
|
else throw "Please add initrd ssh port here"
|
|
);
|
|
shell = "/bin/cryptsetup-askpass";
|
|
# TODO: Use the new option authorizedKeyFiles instead
|
|
authorizedKeys = [
|
|
(builtins.readFile ../assets/ssh/nitrokey.pub)
|
|
];
|
|
hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
|
|
};
|
|
|
|
# Network in initrd
|
|
#
|
|
# Find out which module is used for network card:
|
|
# lspci -v | grep -iA8 'network\|ethernet'
|
|
# Or check the "Network" part of:
|
|
# inxi -F
|
|
#
|
|
boot.initrd.availableKernelModules = (
|
|
if (config.networking.hostName == "yodaTux") || (config.networking.hostName == "yodaHedgehog")
|
|
then [ "r8169" ]
|
|
else if (config.networking.hostName == "yodaYoga") || (config.networking.hostName == "yodaNas")
|
|
then [ "e1000e" ]
|
|
else if (config.networking.hostName == "yodaGaming")
|
|
then [ "tg3" ]
|
|
else throw "Please add kernel module of networ card here"
|
|
);
|
|
#
|
|
# dmesg -> enp0s20f0u1u2: renamed from eth0 (yodaTux)
|
|
# dmesg -> enp0s31f6: renamed from eth0 (yodaYoga)
|
|
#boot.kernelParams = [ "ip=:::::eth0:dhcp" ];
|
|
boot.kernelParams = [ "ip=dhcp" ];
|
|
|
|
# Clear the configuration of the interfaces that were set up in the initrd right before stage 2 takes over.
|
|
# Stage 2 will do the regular network configuration based on the NixOS networking options.
|
|
# https://nixos.org/manual/nixos/stable/options#opt-boot.initrd.network.flushBeforeStage2
|
|
#boot.initrd.network.flushBeforeStage2 = true;
|
|
|
|
# TODO: Timeout if no Internet connection is available (to be able to enter password with a keyboard).
|
|
}
|