initrd ssh

template/README.md

@@ -41,6 +41,10 @@ Furthermore, in [./flake.nix](./flake.nix) replace `disko.devices.disk.disk1.dev
 
 Lastly, in [./flake.nix](./flake.nix) replace `pbkdf-memory` with your amount of RAM - 500 MB.
 
+---
+
+Optionally, if `ssh-fde-unlock.nix` is imported in [./flake.nix](./flake.nix), replace the kernel network driver with the correct one there. 
+
 ## Installation
 
 To run the interactive vm test run:
@@ -53,7 +57,6 @@ nix --extra-experimental-features nix-command --extra-experimental-features flak
 To install on remote target machine:
 
 ```shell
-# yodaHP
 nix --extra-experimental-features nix-command --extra-experimental-features flakes \
   run github:numtide/nixos-anywhere -- --flake '.#mysystem' -p 22 root@192.168.178.106
 ```
@@ -61,7 +64,6 @@ nix --extra-experimental-features nix-command --extra-experimental-features flak
 To install on remote target machine **and** print the SSH fingerprint of the new system. If no encrypted disks are set up, the disk password can be left empty:
 
 ```shell
-# yodaHP
 ./install-helper.sh 22 root@192.168.178.106
 ```
 

template/flake.nix

@@ -45,6 +45,10 @@
         # Examples: "/dev/nvme0n1", "/dev/sda", "/dev/vda"
         { disko.devices.disk.disk1.device = "/dev/disk/by-id/nvme-SAMSUNG_MZVLW128HEGR-000H1_S33ZNX0J129742"; }
 
+        # If a disk layout with full disk encryption (FDE) has been selected,
+        # optionally enable SSH during boot to remotely unlock the disk.
+        ./ssh-fde-unlock.nix
+
         {
           # The host yodaHP did not boot after installation when using grub.
           #boot.loader.grub = {

template/install-helper.sh

@@ -16,21 +16,35 @@ cleanup() {
     rm -rf "${pwd_temp}"
   fi
 }
-
-gen_ssh_key() {
+temp_dir(){
+  # Cleanup temporary directories on exit.
+  trap cleanup EXIT
   # Create a temporary directory.
   temp="$(mktemp -d)"
+}
 
-  # Create the directory where sshd expects to find the host keys.
+gen_ssh_key() {
+  # Create parent directories.
   install -d -m755 "${temp}/etc/ssh"
-  # Generate host key.
+  # Generate SSH host key.
   ssh-keygen -t ed25519 -f "${temp}/etc/ssh/ssh_host_ed25519_key" -q -N ""
 }
 ssh_fingerprint() {
-  printf '%s\n' 'SSH ed25519 fingerprint:'
+  printf '%s\n' 'host SSH ed25519 fingerprint:'
   ssh-keygen -lf "${temp}/etc/ssh/ssh_host_ed25519_key"
 }
 
+gen_initrd_ssh_key() {
+  # Create parent directories.
+  install -d -m755 "${temp}/etc/secrets/initrd"
+  # Generate initrd SSH key.
+  ssh-keygen -t ed25519 -f "${temp}/etc/secrets/initrd/ssh_host_ed25519_key" -q -N ""
+}
+initrd_ssh_fingerprint() {
+  printf '%s\n' 'initrd SSH ed25519 fingerprint:'
+  ssh-keygen -lf "${temp}/etc/secrets/initrd/ssh_host_ed25519_key"
+}
+
 save_pwd() {
   # Create a temporary directory.
   pwd_temp="$(mktemp -d)"
@@ -75,10 +89,9 @@ main(){
   ssh_port="${1}"
   ssh_target="${2}"
 
-  # Cleanup temporary directories on exit.
-  trap cleanup EXIT
-
+  temp_dir
   gen_ssh_key
+  gen_initrd_ssh_key
   save_pwd
 
 #  echo "$temp"
@@ -93,5 +106,6 @@ main(){
     -p "${ssh_port}" "${ssh_target}"
 
   ssh_fingerprint
+  initrd_ssh_fingerprint
 }
 main "$@"

template/ssh-fde-unlock.nix

@@ -0,0 +1,26 @@
+{ config, pkgs, ... }:
+{
+  # Unlock encrypted root partition remotely with SSH.
+  # https://nixos.wiki/wiki/Remote_LUKS_Unlocking#Prepare_SSH_host_keys
+
+  # SSH in initrd
+  boot.initrd.network.enable = true;
+  boot.initrd.network.ssh = {
+    enable = true;
+    shell = "/bin/cryptsetup-askpass";
+    authorizedKeys = [
+      (builtins.readFile ./nitrokey.pub)
+    ];
+    hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
+  };
+
+  # Network in initrd
+  #
+  # Find out which module is used for network card:
+  #   lspci -v | grep -iA8 'network\|ethernet'
+  # Or check the "Network" part of:
+  #   inxi -F
+  #
+  boot.initrd.availableKernelModules = [ "r8169" ];
+  boot.kernelParams = [ "ip=dhcp" ];
+}