Jump to content

Remote disk unlocking: Difference between revisions

Remote disk unlocking (view source)

Revision as of 13:55, 14 June 2024

231 bytes added ,  14 June
Properly escape greater than signs
VisualWikitext
(Add section on how to enable wifi in initrd)
(Properly escape greater than signs)
 
(2 intermediate revisions by the same user not shown)
Line 6: Line 6:


<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
# ssh-keygen -t rsa -N "" -f /etc/secrets/initrd/ssh_host_rsa_key
# ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key
</syntaxhighlight>
</syntaxhighlight>


Line 12: Line 12:


{{file|/etc/nixos/configuration.nix|nix|<nowiki>
{{file|/etc/nixos/configuration.nix|nix|<nowiki>
boot.kernelParams = [ "ip=dhcp" ];
boot.initrd = {
boot.initrd = {
   availableKernelModules = [ "r8169" ];
   availableKernelModules = [ "r8169" ];
  systemd.users.root.shell = "/bin/cryptsetup-askpass";
   network = {
   network = {
     enable = true;
     enable = true;
    udhcpc.enable = true;
    flushBeforeStage2 = true;
     ssh = {
     ssh = {
       enable = true;
       enable = true;
       port = 22;
       port = 22;
       authorizedKeys = [ "ssh-rsa AAAAyourpublic-key-here..." ];
       authorizedKeys = [ "ssh-rsa AAAAyourpublic-key-here..." ];
       hostKeys = [ "/etc/secrets/initrd/ssh_host_rsa_key" ];
       hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
     };
     };
    postCommands = ''
      # Automatically ask for the password on SSH login
      echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1'</nowiki> >> <nowiki>/root/.profile
    '';
   };
   };
};
};
Line 35: Line 39:




The <code>shell</code> option is necessary to get a password prompt instead of a shell.
The <code>postCommands</code> option is necessary to get a password prompt instead of a shell.
If you omit it, you will get dropped into <code>/bin/ash</code>, and you will have to manually run <code>cryptsetup-askpass</code> to enter the password. Alternatively, the <code>shell</code> option can be set to <code>/bin/conspy</code> for passwords which expect stdin. This binary included by default, and provided by busybox.
If you omit it, you will get dropped into <code>/bin/ash</code>, and you will have to manually run <code>cryptsetup-askpass</code> to enter the password. Alternatively, the <code>boot.initrd.systemd.users.root.shell</code> option can be set to <code>/bin/conspy</code> for passwords which expect stdin. This binary included by default, and provided by busybox.


== Usage ==
== Usage ==
Teutat3s
3

edits

Retrieved from "https://wiki.nixos.org/wiki/Special:MobileDiff/12780...13172"