nix/remote-unlock.nix


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

{ config, pkgs, ... }:

  with builtins;
  with pkgs.lib;
{
  config = {
    boot.initrd.availableKernelModules = [ "pps_core" "ptp" "e1000e" ];
    boot.initrd.network.enable = true;
    boot.initrd.network.ssh = {
      enable = true;
      port = 222;
      authorizedKeys = concatLists (mapAttrsToList (name: user: user) config.deuxfleurs.admin_accounts);
      hostKeys = [ "/var/lib/deuxfleurs/remote-unlock/ssh_host_ed25519_key" ];
    };
    boot.initrd.network.postCommands = ''
      ip addr add ${config.deuxfleurs.lan_ip}/${toString config.deuxfleurs.lan_ip_prefix_length} dev ${config.deuxfleurs.network_interface}
      ip link set dev ${config.deuxfleurs.network_interface} up
      ip route add default via ${config.deuxfleurs.lan_default_gateway} dev ${config.deuxfleurs.network_interface}
      ip a
      ip route
      ping -c 4 ${config.deuxfleurs.lan_default_gateway}
      echo 'echo run cryptsetup-askpass to unlock drives' >> /root/.profile
    '';
  };
}