Remote disk unlocking: Difference between revisions

← Older edit

Remote disk unlocking (view source)

Revision as of 13:55, 14 June 2024

1,733 bytes added , 14 June

Properly escape greater than signs

VisualWikitext

Teutat3s

3

edits

@@ Line 6: / Line 6: @@
 <syntaxhighlight lang="bash">
-# ssh-keygen -t rsa -N "" -f /etc/secrets/initrd/ssh_host_rsa_key
+# ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key
 </syntaxhighlight>
@@ Line 12: / Line 12: @@
 {{file|/etc/nixos/configuration.nix|nix|<nowiki>
-boot.kernelParams = [ "ip=dhcp" ];
 boot.initrd = {
    availableKernelModules = [ "r8169" ];
-  systemd.users.root.shell = "/bin/cryptsetup-askpass";
    network = {
      enable = true;
+    udhcpc.enable = true;
+    flushBeforeStage2 = true;
      ssh = {
        enable = true;
        port = 22;
        authorizedKeys = [ "ssh-rsa AAAAyourpublic-key-here..." ];
-       hostKeys = [ "/etc/secrets/initrd/ssh_host_rsa_key" ];
+       hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
      };
+    postCommands = ''
+      # Automatically ask for the password on SSH login
+      echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1'</nowiki> >> <nowiki>/root/.profile
+    '';
    };
 };
@@ Line 35: / Line 39: @@
-The <code>shell</code> option is necessary to get a password prompt instead of a shell.
+The <code>postCommands</code> option is necessary to get a password prompt instead of a shell.
-If you omit it, you will get dropped into <code>/bin/ash</code>, and you will have to manually run <code>cryptsetup-askpass</code> to enter the password. Alternatively, the <code>shell</code> option can be set to <code>/bin/conspy</code> for passwords which expect stdin. This binary included by default, and provided by busybox.
+If you omit it, you will get dropped into <code>/bin/ash</code>, and you will have to manually run <code>cryptsetup-askpass</code> to enter the password. Alternatively, the <code>boot.initrd.systemd.users.root.shell</code> option can be set to <code>/bin/conspy</code> for passwords which expect stdin. This binary included by default, and provided by busybox.
 == Usage ==
@@ Line 183: / Line 187: @@
 <pre>torify ssh root@<onion.id>.onion -p 22 'my-secret-password'</pre>
+=== Enable Wifi in initrd ===
+Following example configuration by [https://discourse.nixos.org/t/wireless-connection-within-initrd/38317/13 @loutr] enables wifi connections inside initrd. Replace interface name <code>wlp0s20f0u4</code> with the name of your wifi adapter. Depending on your wifi device, you might need to add different kernel modules.<syntaxhighlight lang="nix">
+boot.initrd = {
+  # crypto coprocessor and wifi modules
+  availableKernelModules = [ "ccm" "ctr" "iwlmvm" "iwlwifi" ];
+  systemd = {
+    enable = true;
+    packages = [ pkgs.wpa_supplicant ];
+    initrdBin = [ pkgs.wpa_supplicant ];
+    targets.initrd.wants = [ "wpa_supplicant@wlp0s20f0u4.service" ];
+    # prevent WPA supplicant from requiring `sysinit.target`.
+    services."wpa_supplicant@".unitConfig.DefaultDependencies = false;
+    users.root.shell = "/bin/systemd-tty-ask-password-agent";
+    network = {
+      enable = true;
+      networks."10-wlan" = {
+        matchConfig.Name = "wlp0s20f0u4";
+        networkConfig.DHCP = "yes";
+      };
+      ssh = {
+        enable = true;
+        port = 22;
+        hostKeys = [ "/etc/ssh/ssh_host_ed25519_key" ];
+        authorizedKeys = default.user.openssh.authorizedKeys.keys;
+      };
+    };
+    secrets."/etc/wpa_supplicant/wpa_supplicant-wlp0s20f0u4.conf" = /root/secrets/wpa_supplicant.conf;
+  };
+</syntaxhighlight>The file <code>wpa_supplicat-wlp0s20f0u4.conf</code> is the wireless profile used by [[wpa_supplicant]] which will get copied into the initramfs.
 [[Category:Server]]
 [[Category:Cookbook]]