authorAlex Auvolat <alex@adnab.me>2022-02-25 17:52:17 +0100
committerAlex Auvolat <alex@adnab.me>2022-02-25 17:52:17 +0100
commit6dc92812997e99e12ae5fcab3bda65f056a74edb (patch)
treede185f8e60062a90ac2a57243dfce2add70bd083 /nix/remote-unlock.nix
parent20ab1f7b8a76a116644668029175100c15a615e2 (diff)
downloadnixcfg-6dc92812997e99e12ae5fcab3bda65f056a74edb.tar.gz
nixcfg-6dc92812997e99e12ae5fcab3bda65f056a74edb.zip
Add remote LUKS unlocking configuration
Diffstat (limited to 'nix/remote-unlock.nix')
-rw-r--r--nix/remote-unlock.nix26
1 files changed, 26 insertions, 0 deletions
diff --git a/nix/remote-unlock.nix b/nix/remote-unlock.nix
new file mode 100644
index 0000000..669f578
--- /dev/null
+++ b/nix/remote-unlock.nix
@@ -0,0 +1,26 @@
+{ config, pkgs, ... }:
+
+ with builtins;
+ with pkgs.lib;
+{
+ config = {
+ boot.initrd.availableKernelModules = [ "pps_core" "ptp" "e1000e" ];
+ boot.initrd.network.enable = true;
+ boot.initrd.network.ssh = {
+ enable = true;
+ port = 2222;
+ authorizedKeys = concatLists (mapAttrsToList (name: user: user) config.deuxfleurs.admin_accounts);
+ hostKeys = [ "/var/lib/deuxfleurs/remote-unlock/ssh_host_ed25519_key" ];
+ };
+ boot.initrd.network.postCommands = ''
+ ip addr add ${config.deuxfleurs.lan_ip}/${toString config.deuxfleurs.lan_ip_prefix_length} dev ${config.deuxfleurs.network_interface}
+ ip link set dev ${config.deuxfleurs.network_interface} up
+ ip route add default via ${config.deuxfleurs.lan_default_gateway} dev ${config.deuxfleurs.network_interface}
+ ip a
+ ip route
+ ping -c 4 ${config.deuxfleurs.lan_default_gateway}
+ echo 'echo run cryptsetup-askpass to unlock drives' >> /root/.profile
+ '';
+ };
+}
+
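Review bot: The host key configured on the `hostKeys` line is copied into the initrd, which on a typical NixOS setup lives on an unencrypted boot partition, so that key is readable before any LUKS volume is unlocked; using a dedicated path under `/var/lib/deuxfleurs/remote-unlock/` rather than the system sshd key is the right choice, and a comment above that line should say why so it is not "simplified" later, e.g. `# Dedicated key: it is embedded in the (unencrypted) initrd, never reuse the main sshd host key.` The `authorizedKeys` expression assumes every value of `config.deuxfleurs.admin_accounts` is already a list of public keys (it maps `name: user: user` and flattens with `concatLists`); that schema is not visible here, so a one-line comment naming it would help, and a non-list value would fail at evaluation time rather than silently grant nothing. In `postCommands`, `ping -c 4` to the gateway delays every boot by several seconds purely for diagnostics; `ping -c 1` (or dropping it, keeping `ip a` / `ip route` for logging) gives the same information faster, and if the gateway is unreachable the unlock SSH session is still usable for investigation.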