Jump to content

Remote disk unlocking: Difference between revisions

Remote disk unlocking (view source)

Revision as of 13:06, 14 June 2024

214 bytes added ,  14 June
Fix broken networkmanager DNS with boot.initrd.network.enable, see: https://github.com/NixOS/nixpkgs/issues/63941#issuecomment-2081126437. Use ed25519 host key. Use postCommands to directly prompt for password, shell option did not work for me.
VisualWikitext
(Add section on how to enable wifi in initrd)
(Fix broken networkmanager DNS with boot.initrd.network.enable, see: https://github.com/NixOS/nixpkgs/issues/63941#issuecomment-2081126437. Use ed25519 host key. Use postCommands to directly prompt for password, shell option did not work for me.)
Line 6: Line 6:


<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
# ssh-keygen -t rsa -N "" -f /etc/secrets/initrd/ssh_host_rsa_key
# ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key
</syntaxhighlight>
</syntaxhighlight>


Line 12: Line 12:


{{file|/etc/nixos/configuration.nix|nix|<nowiki>
{{file|/etc/nixos/configuration.nix|nix|<nowiki>
boot.kernelParams = [ "ip=dhcp" ];
boot.initrd = {
boot.initrd = {
   availableKernelModules = [ "r8169" ];
   availableKernelModules = [ "r8169" ];
  systemd.users.root.shell = "/bin/cryptsetup-askpass";
   network = {
   network = {
     enable = true;
     enable = true;
    udhcpc.enable = true;
    flushBeforeStage2 = true;
     ssh = {
     ssh = {
       enable = true;
       enable = true;
       port = 22;
       port = 22;
       authorizedKeys = [ "ssh-rsa AAAAyourpublic-key-here..." ];
       authorizedKeys = [ "ssh-rsa AAAAyourpublic-key-here..." ];
       hostKeys = [ "/etc/secrets/initrd/ssh_host_rsa_key" ];
       hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
     };
     };
    postCommands = ''
      # Automatically ask for the password on SSH login
      echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1' >> /root/.profile
    '';
   };
   };
};
};
Line 35: Line 39:




The <code>shell</code> option is necessary to get a password prompt instead of a shell.
The <code>postCommands</code> option is necessary to get a password prompt instead of a shell.
If you omit it, you will get dropped into <code>/bin/ash</code>, and you will have to manually run <code>cryptsetup-askpass</code> to enter the password. Alternatively, the <code>shell</code> option can be set to <code>/bin/conspy</code> for passwords which expect stdin. This binary included by default, and provided by busybox.
If you omit it, you will get dropped into <code>/bin/ash</code>, and you will have to manually run <code>cryptsetup-askpass</code> to enter the password. Alternatively, the <code>boot.initrd.systemd.users.root.shell</code> option can be set to <code>/bin/conspy</code> for passwords which expect stdin. This binary included by default, and provided by busybox.


== Usage ==
== Usage ==
Teutat3s
3

edits

Retrieved from "https://wiki.nixos.org/wiki/Special:MobileDiff/13169"