Remote disk unlocking: Difference between revisions

34j (talk | contribs)
Revise the summary
Golbinex (talk | contribs)
    };
    postCommands = ''
      # Automatically ask for the password on SSH login:
      # unlock LUKS encrypted partitions
      echo 'cryptsetup-askpass' >> /root/.profile
      # unlock ZFS encrypted datasets instead (NOTE: boot.initrd.supportedFilesystems.zfs
      # must be true for zfs and zpool to be available here)
      # zpool import -a;
      # echo 'zfs load-key -a' >> /root/.profile
      # close the SSH session once the unlock command has run
      echo 'exit' >> /root/.profile
    '';
  };
};
</nowiki>}}
{{Info|When using the systemd initrd (<code>boot.initrd.systemd.enable</code>, which is enabled by default starting with NixOS 26.05), <code>cryptsetup-askpass</code> is not available; use <code>systemctl default</code> instead. See the [https://nixos.org/manual/nixos/unstable/release-notes#sec-release-26.05 release notes] for more information.}}


Adapt the following parts according to your setup.
The <code>postCommands</code> option is necessary to get a password prompt instead of a shell.
If you omit it, you will be dropped into <code>/bin/ash</code> and will have to run <code>cryptsetup-askpass</code> manually to enter the password. Alternatively, with the systemd initrd, the <code>boot.initrd.systemd.users.root.shell</code> option can be set to <code>/bin/conspy</code> for password prompts that read from stdin. This binary is included by default and is provided by BusyBox.
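The client side of the procedure above, as an added example that is neither part of this page nor of the NixOS project: a POSIX <code>sh</code> helper an administrator runs from their own workstation to log into the initrd and unlock the disks. It assumes (rather than takes from the page) that the initrd sshd listens on port 2222 and that the initrd host key is pinned in a dedicated file such as <code>~/.ssh/known_hosts.initrd</code>. The initrd sshd has its own host key, different from the installed system's, so a shared <code>known_hosts</code> would report a changed key on every unlock and invite people to disable host key checking; a separate pinned file keeps strict checking on. <code>prompt</code> mode is for the <code>/root/.profile</code> approach (the remote side shows the password prompt, so a tty is requested); <code>stdin</code> mode is for a login shell that reads the passphrase from stdin, such as <code>/bin/conspy</code>, and sends one locally typed line over the connection. The function names, the <code>--selfcheck</code> flag, the environment variables <code>INITRD_KNOWN_HOSTS</code> and <code>INITRD_SSH_ATTEMPTS</code>, and the sample <code>known_hosts</code> entry are this example's own and the key data in that entry is constructed, not a real key.

```shell
#!/bin/sh
# unlock-initrd.sh: log into a NixOS initrd SSH server and unlock the disks.
# Added example (not NixOS project code). Assumed, not taken from the page:
# initrd sshd on port 2222, initrd host key pinned in its own known_hosts file.
set -u

# ssh options for the initrd server: dedicated known_hosts plus strict checking,
# so the initrd host key is verified, never silently accepted. Paths must not
# contain spaces because the result is word-split by the caller.
initrd_ssh_opts() {
    printf '%s' "-p $1 -o UserKnownHostsFile=$2 -o StrictHostKeyChecking=yes -o ConnectTimeout=5"
}

# Accept only a numeric TCP port in 1..65535.
validate_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Does the (unhashed) known_hosts file $1 pin a key for host $2 on port $3?
# Entries for non-default ports use the "[host]:port" form, which is also what
# "ssh-keyscan -p PORT HOST" prints.
known_hosts_has() {
    [ -r "$1" ] || return 1
    awk -v key="[$2]:$3" '$1 == key { found = 1 } END { exit !found }' "$1"
}

# Read a secret from the terminal with echo disabled; prints it to stdout.
read_secret() {
    printf '%s' "$1" > /dev/tty
    stty -echo < /dev/tty
    IFS= read -r secret < /dev/tty
    stty echo < /dev/tty
    printf '\n' > /dev/tty
    printf '%s' "$secret"
}

# Connect to root@$1 on the initrd sshd, retrying while the machine still boots.
# Empty $4: allocate a tty so the remote unlock prompt works. Otherwise $4 is
# sent as one line on stdin (for an stdin-reading login shell such as conspy;
# whether that shell ends the session after one line depends on the shell).
# ssh exit status 255 means "could not connect" and is retried; any other
# status came from the remote side and is returned as is.
connect_initrd() {
    host=$1 port=$2 kh=$3 line=$4 attempt=1
    while [ "$attempt" -le "${INITRD_SSH_ATTEMPTS:-30}" ]; do
        if [ -z "$line" ]; then
            ssh $(initrd_ssh_opts "$port" "$kh") -t "root@$host"
        else
            printf '%s\n' "$line" | ssh $(initrd_ssh_opts "$port" "$kh") "root@$host"
        fi
        rc=$?
        [ "$rc" -eq 255 ] || return "$rc"
        echo "initrd sshd on $host:$port not reachable yet (attempt $attempt)" >&2
        attempt=$((attempt + 1))
        sleep 2
    done
    return 255
}

# Self-check of the known_hosts lookup against a constructed entry; the key
# data below is made up for this example and is not a real key.
selfcheck() {
    tmp=$(mktemp) || return 1
    printf '%s\n' '[203.0.113.10]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyNotARealKey0000' > "$tmp"
    known_hosts_has "$tmp" 203.0.113.10 2222 && ! known_hosts_has "$tmp" 203.0.113.10 22
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

main() {
    if [ $# -lt 1 ]; then
        echo "usage: $0 HOST [PORT] [prompt|stdin]   or: $0 --selfcheck" >&2
        return 0
    fi
    if [ "$1" = --selfcheck ]; then selfcheck && echo "selfcheck ok"; return $?; fi
    host=$1 port=${2:-2222} mode=${3:-prompt}
    kh=${INITRD_KNOWN_HOSTS:-${HOME:-/root}/.ssh/known_hosts.initrd}
    validate_port "$port" || { echo "invalid port: $port" >&2; return 2; }
    if ! known_hosts_has "$kh" "$host" "$port"; then
        echo "no pinned initrd host key for [$host]:$port in $kh" >&2
        echo "verify the fingerprint out of band, then: ssh-keyscan -p $port $host >> $kh" >&2
        return 3
    fi
    case $mode in
        prompt) connect_initrd "$host" "$port" "$kh" "" ;;
        stdin)  connect_initrd "$host" "$port" "$kh" "$(read_secret "passphrase for $host: ")" ;;
        *)      echo "mode must be prompt or stdin" >&2; return 2 ;;
    esac
}

main "$@"
```

Run <code>./unlock-initrd.sh 203.0.113.10 2222 prompt</code> right after rebooting the machine; the loop keeps retrying until the initrd sshd answers, then the <code>/root/.profile</code> prompt appears and the session closes once the disks are unlocked. The script refuses to connect until the initrd host key is pinned, so the one-time <code>ssh-keyscan</code> step must be done while you can check the fingerprint against the key generated for <code>boot.initrd.network.ssh.hostKeys</code>.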
Since the 26.05 release, the initrd is based on systemd by default. In that case systemd-networkd must be used instead of NetworkManager; otherwise the network will fail to initialize in the initrd. Replace <code>eth0</code> with the name of the interface on your machine.
{{file|/etc/nixos/configuration.nix|nix|3=<nowiki>
boot.initrd.systemd.network = {
  enable = true;
  networks."eth0" = {
    matchConfig.Name = "eth0";
    networkConfig.DHCP = "ipv4";
  };
};
networking.networkmanager.enable = false;
systemd.network = {
  enable = true;
  networks."eth0" = {
    matchConfig.Name = "eth0";
    networkConfig.DHCP = "ipv4";
  };
};
</nowiki>}}


== Usage ==