authorFranck Cuny <franck@fcuny.net>2022-02-13 13:56:19 -0800
committerFranck Cuny <franck@fcuny.net>2022-02-13 13:56:19 -0800
commitd401d7caaaef0689abfb0dde37d422832ef6972f (patch)
tree0d572386392c8681d9e826f1ca2e0cfc2d902953
parentyt-dlp: don't install unstable (diff)
downloadworld-d401d7caaaef0689abfb0dde37d422832ef6972f.tar.gz
hosts: unlock disks remotely on boot
Enable an SSH daemon in the initrd, with our keys, so we can unlock the
disk remotely on reboot.
-rw-r--r--hosts/carmel/default.nix20
-rw-r--r--hosts/common/system/boot-ssh.nix21
-rw-r--r--hosts/common/system/users.nix6
3 files changed, 28 insertions, 19 deletions
diff --git a/hosts/carmel/default.nix b/hosts/carmel/default.nix
index d728d6b..1413f1f 100644
--- a/hosts/carmel/default.nix
+++ b/hosts/carmel/default.nix
@@ -5,6 +5,8 @@
     [ # Include the results of the hardware scan.
       ./hardware-configuration.nix
       ../common/desktop
+      # In order to unlock the root disk remotely
+      ../common/system/boot-ssh.nix
     ];
 
   # Use the systemd-boot EFI boot loader.
@@ -13,25 +15,11 @@
 
   boot.initrd = {
     luks.devices."system".allowDiscards = true;
-    network = {
-      enable = true;
-      postCommands = ''
-        echo "cryptsetup-askpass; exit" > /root/.profile
-      '';
-      ssh = {
-        enable = true;
-        port = 2222;
-        hostKeys = [
-          /etc/ssh/ssh_host_ed25519_key
-          /etc/ssh/ssh_host_rsa_key
-        ];
-      };
-    };
   };
 
-  time.timeZone = "America/Los_Angeles";
+  boot.kernelParams = [ "ip=dhcp" ];
 
-  services.xserver.dpi = 168;
+  time.timeZone = "America/Los_Angeles";
 
   hardware.opengl.driSupport = true;
 
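Review bot: `boot.kernelParams = [ "ip=dhcp" ];` is added in the host file, but it is only needed by the initrd network that now lives in `../common/system/boot-ssh.nix`. Another host that imports the shared module without this parameter would presumably bring up the initrd SSH daemon with no address, so the line belongs next to `network.enable = true;` in boot-ssh.nix, with a comment such as `# initrd networking needs an address before sshd starts`. The same hunk also drops `services.xserver.dpi = 168;`, which the commit message does not mention; if that is intentional it would be clearer as its own commit. The enclosing attribute set starts and ends outside this hunk.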
diff --git a/hosts/common/system/boot-ssh.nix b/hosts/common/system/boot-ssh.nix
new file mode 100644
index 0000000..2b865d5
--- /dev/null
+++ b/hosts/common/system/boot-ssh.nix
@@ -0,0 +1,21 @@
+{ config, lib, pkgs, ... }:
+
+{
+  boot.initrd = {
+    network = {
+      enable = true;
+      postCommands = ''
+        echo "cryptsetup-askpass; exit" > /root/.profile
+      '';
+      ssh = {
+        enable = true;
+        port = 2222;
+        hostKeys = [
+          /etc/ssh/ssh_host_ed25519_key
+          /etc/ssh/ssh_host_rsa_key
+        ];
+        authorizedKeys = config.users.users.fcuny.openssh.authorizedKeys.keys;
+      };
+    };
+  };
+}
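Review bot: The `hostKeys` list in the new boot-ssh.nix points the initrd SSH daemon at the machine's regular sshd host keys (`/etc/ssh/ssh_host_ed25519_key`, `/etc/ssh/ssh_host_rsa_key`), which places those private keys in the initrd on the boot partition, outside the LUKS volume this setup is meant to protect. The NixOS documentation for this option warns against reusing the regular host keys; a dedicated pair generated only for the initrd is the safer choice, e.g. `hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];` (example path). Written as unquoted path literals, the key files are also likely to be copied into the world-readable Nix store at evaluation time, so quoted strings are the better form here. A separate initrd key also lets the client distinguish the unlock environment on port 2222 from the booted system, so a changed fingerprint at the passphrase prompt is noticeable.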
diff --git a/hosts/common/system/users.nix b/hosts/common/system/users.nix
index 2b769c4..25844c2 100644
--- a/hosts/common/system/users.nix
+++ b/hosts/common/system/users.nix
@@ -1,6 +1,6 @@
-{ lib, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 
-rec {
+{
   users.mutableUsers = false;
 
   users.groups.fcuny = { gid = 1000; };
@@ -20,6 +20,6 @@ rec {
 
   users.users.root = {
     hashedPassword = null;
-    openssh.authorizedKeys.keys = users.users.fcuny.openssh.authorizedKeys.keys;
+    openssh.authorizedKeys.keys = config.users.users.fcuny.openssh.authorizedKeys.keys;
   };
 }