nixos-anywhere-example/template/ssh-fde-unlock.nix

{ config, pkgs, ... }:
{
  # Unlock encrypted root partition remotely with SSH.
  # https://nixos.wiki/wiki/Remote_LUKS_Unlocking#Prepare_SSH_host_keys

  # SSH in initrd
  boot.initrd.network.enable = true;
  boot.initrd.network.ssh = {
    enable = true;
    shell = "/bin/cryptsetup-askpass";
    authorizedKeys = [
      (builtins.readFile ./nitrokey.pub)
    ];
    hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
  };

  # Network in initrd
  #
  # Find out which module is used for network card:
  #   lspci -v | grep -iA8 'network\|ethernet'
  # Or check the "Network" part of:
  #   inxi -F
  #
  boot.initrd.availableKernelModules = [ "r8169" ];
  boot.kernelParams = [ "ip=dhcp" ];
}
initrd ssh 2023-11-03 13:42:11 +01:00			`{ config, pkgs, ... }:`
			`{`
			`# Unlock encrypted root partition remotely with SSH.`
			`# https://nixos.wiki/wiki/Remote_LUKS_Unlocking#Prepare_SSH_host_keys`

			`# SSH in initrd`
			`boot.initrd.network.enable = true;`
			`boot.initrd.network.ssh = {`
			`enable = true;`
			`shell = "/bin/cryptsetup-askpass";`
			`authorizedKeys = [`
			`(builtins.readFile ./nitrokey.pub)`
			`];`
			`hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];`
			`};`

			`# Network in initrd`
			`#`
			`# Find out which module is used for network card:`
			`# lspci -v \| grep -iA8 'network\\|ethernet'`
			`# Or check the "Network" part of:`
			`# inxi -F`
			`#`
			`boot.initrd.availableKernelModules = [ "r8169" ];`
			`boot.kernelParams = [ "ip=dhcp" ];`
			`}`