Remote disk unlocking: Difference between revisions
Add section on how to enable wifi in initrd |
Fix broken networkmanager DNS with boot.initrd.network.enable, see: https://github.com/NixOS/nixpkgs/issues/63941#issuecomment-2081126437. Use ed25519 host key. Use postCommands to directly prompt for password, shell option did not work for me. |
||
Line 6: | Line 6: | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
# ssh-keygen -t | # ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key | ||
</syntaxhighlight> | </syntaxhighlight> | ||
Line 12: | Line 12: | ||
{{file|/etc/nixos/configuration.nix|nix|<nowiki> | {{file|/etc/nixos/configuration.nix|nix|<nowiki> | ||
boot.initrd = { | boot.initrd = { | ||
availableKernelModules = [ "r8169" ]; | availableKernelModules = [ "r8169" ]; | ||
network = { | network = { | ||
enable = true; | enable = true; | ||
udhcpc.enable = true; | |||
flushBeforeStage2 = true; | |||
ssh = { | ssh = { | ||
enable = true; | enable = true; | ||
port = 22; | port = 22; | ||
authorizedKeys = [ "ssh-rsa AAAAyourpublic-key-here..." ]; | authorizedKeys = [ "ssh-rsa AAAAyourpublic-key-here..." ]; | ||
hostKeys = [ "/etc/secrets/initrd/ | hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ]; | ||
}; | }; | ||
postCommands = '' | |||
# Automatically ask for the password on SSH login | |||
echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1' >> /root/.profile | |||
''; | |||
}; | }; | ||
}; | }; | ||
Line 35: | Line 39: | ||
The <code> | The <code>postCommands</code> option is necessary to get a password prompt instead of a shell. | ||
If you omit it, you will get dropped into <code>/bin/ash</code>, and you will have to manually run <code>cryptsetup-askpass</code> to enter the password. Alternatively, the <code>shell</code> option can be set to <code>/bin/conspy</code> for passwords which expect stdin. This binary included by default, and provided by busybox. | If you omit it, you will get dropped into <code>/bin/ash</code>, and you will have to manually run <code>cryptsetup-askpass</code> to enter the password. Alternatively, the <code>boot.initrd.systemd.users.root.shell</code> option can be set to <code>/bin/conspy</code> for passwords which expect stdin. This binary included by default, and provided by busybox. | ||
== Usage == | == Usage == |