author | Franck Cuny <franck@fcuny.net> | 2022-02-13 13:56:19 -0800 |
committer | Franck Cuny <franck@fcuny.net> | 2022-02-13 13:56:19 -0800 |
commit | d401d7caaaef0689abfb0dde37d422832ef6972f (patch) | |
tree | 0d572386392c8681d9e826f1ca2e0cfc2d902953 /hosts | |
parent | yt-dlp: don't install unstable (diff) | |
hosts: unlock disks remotely on boot
Enable an SSH daemon in the initrd, with our keys, so we can unlock the disk remotely on reboot.
Diffstat (limited to 'hosts')
-rw-r--r-- | hosts/carmel/default.nix | 20 | ||||
-rw-r--r-- | hosts/common/system/boot-ssh.nix | 21 | ||||
-rw-r--r-- | hosts/common/system/users.nix | 6 |
3 files changed, 28 insertions, 19 deletions
diff --git a/hosts/carmel/default.nix b/hosts/carmel/default.nix index d728d6b..1413f1f 100644 --- a/hosts/carmel/default.nix +++ b/hosts/carmel/default.nix @@ -5,6 +5,8 @@ [ # Include the results of the hardware scan. ./hardware-configuration.nix ../common/desktop + # In order to unlock the root disk remotely + ../common/system/boot-ssh.nix ]; # Use the systemd-boot EFI boot loader. @@ -13,25 +15,11 @@ boot.initrd = { luks.devices."system".allowDiscards = true; - network = { - enable = true; - postCommands = '' - echo "cryptsetup-askpass; exit" > /root/.profile - ''; - ssh = { - enable = true; - port = 2222; - hostKeys = [ - /etc/ssh/ssh_host_ed25519_key - /etc/ssh/ssh_host_rsa_key - ]; - }; - }; }; - time.timeZone = "America/Los_Angeles"; + boot.kernelParams = [ "ip=dhcp" ]; - services.xserver.dpi = 168; + time.timeZone = "America/Los_Angeles"; hardware.opengl.driSupport = true; diff --git a/hosts/common/system/boot-ssh.nix b/hosts/common/system/boot-ssh.nix new file mode 100644 index 0000000..2b865d5 --- /dev/null +++ b/hosts/common/system/boot-ssh.nix @@ -0,0 +1,21 @@ +{ config, lib, pkgs, ... }: + +{ + boot.initrd = { + network = { + enable = true; + postCommands = '' + echo "cryptsetup-askpass; exit" > /root/.profile + ''; + ssh = { + enable = true; + port = 2222; + hostKeys = [ + /etc/ssh/ssh_host_ed25519_key + /etc/ssh/ssh_host_rsa_key + ]; + authorizedKeys = config.users.users.fcuny.openssh.authorizedKeys.keys; + }; + }; + }; +} diff --git a/hosts/common/system/users.nix b/hosts/common/system/users.nix index 2b769c4..25844c2 100644 --- a/hosts/common/system/users.nix +++ b/hosts/common/system/users.nix @@ -1,6 +1,6 @@ -{ lib, pkgs, ... }: +{ config, lib, pkgs, ... }: -rec { +{ users.mutableUsers = false; users.groups.fcuny = { gid = 1000; }; 
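Review bot: The second hunk of hosts/carmel/default.nix drops `services.xserver.dpi = 168;` without the commit message mentioning it; the description only covers moving the initrd SSH configuration, so either the removal is unintended and the line should stay next to `hardware.opengl.driSupport = true;`, or the message should say the DPI override is being dropped. In the same hunk `boot.kernelParams = [ "ip=dhcp" ];` is host-specific while the sshd it serves now lives in the shared boot-ssh.nix module, so another host importing that module would silently get an initrd sshd with no network; a comment such as `# Required by ../common/system/boot-ssh.nix: the initrd needs an address before sshd can listen` next to the kernelParams line would record the dependency. The enclosing module attribute set starts and ends outside the hunk.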
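Review bot: `hostKeys` in hosts/common/system/boot-ssh.nix points the initrd sshd at the system's own `/etc/ssh/ssh_host_ed25519_key` and `/etc/ssh/ssh_host_rsa_key`, so copies of the real host private keys are placed in the initrd on the unencrypted boot partition; the NixOS documentation for `boot.initrd.network.ssh.hostKeys` warns against reusing the regular host keys here, and on a bootloader without initrd-secrets support they would additionally land in the world-readable Nix store. Generating dedicated initrd host keys and listing those instead keeps the main host identity off the ESP, and the separate `port = 2222;` already avoids known_hosts conflicts between the two daemons. A comment above `hostKeys`, e.g. `# Use dedicated initrd keys only: anything listed here is copied into the unencrypted initrd`, would record that constraint for the next editor. Whether carmel's systemd-boot setup appends these files as initrd secrets rather than storing them in the Nix store cannot be confirmed from this hunk.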
@@ -20,6 +20,6 @@ rec { users.users.root = { hashedPassword = null; - openssh.authorizedKeys.keys = users.users.fcuny.openssh.authorizedKeys.keys; + openssh.authorizedKeys.keys = config.users.users.fcuny.openssh.authorizedKeys.keys; }; } |