ZFS: Difference between revisions
Revision by imported>Winny: rewrite confusing paragraph
Revision by imported>Sjau: No edit summary
You can tweak the interval (defaults to once a week) and which pools should be scrubbed (defaults to all).
== Remote unlock ==
=== Unlock encrypted zfs via ssh on boot ===
{{note|As of 22.05, rebuilding your config with the below directions may result in a situation where, if you want to revert the changes, you may need to do some pretty hairy nix-store manipulation to be able to successfully rebuild, see https://github.com/NixOS/nixpkgs/issues/101462#issuecomment-1172926129}}
In case you want to unlock a machine remotely (after an update, for instance), having an ssh service in the initrd for the password prompt is handy:
<syntaxhighlight lang="nix">
boot = {
  initrd.network = {
    # This will use udhcp to get an ip address.
    # Make sure you have added the kernel module for your network driver to `boot.initrd.availableKernelModules`,
    # so your initrd can load it!
    # Static ip addresses might be configured using the ip argument in kernel command line:
    # https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt
    enable = true;
    ssh = {
      enable = true;
      # To prevent ssh clients from freaking out because a different host key is used,
      # a different port for ssh is useful (assuming the same host has also a regular sshd running)
      port = 2222;
      # hostKeys entries must be unquoted Nix path literals (not strings), otherwise you'll run into issues with boot.initrd.secrets
      # the keys are copied to initrd from the path specified; multiple keys can be set
      # you can generate any number of host keys using
      # `ssh-keygen -t ed25519 -N "" -f /path/to/ssh_host_ed25519_key`
      hostKeys = [ /path/to/ssh_host_ed25519_key ];
      # public ssh key used for login
      authorizedKeys = [ "ssh-rsa AAAA..." ];
    };
  };
};
</syntaxhighlight>
* In order to use DHCP in the initrd, NetworkManager must not be enabled and <syntaxhighlight lang="nix" inline>networking.useDHCP = true;</syntaxhighlight> must be set.
* If your network card isn't started, you'll need to add the corresponding kernel module to the kernel and initrd as well, e.g.
<syntaxhighlight lang="nix">
boot.kernelModules = [ "r8169" ];
boot.initrd.kernelModules = [ "r8169" ];
</syntaxhighlight>
After that you can unlock your datasets using the following ssh command. The trailing <syntaxhighlight lang="bash" inline>killall zfs</syntaxhighlight> ends the <syntaxhighlight lang="bash" inline>zfs load-key</syntaxhighlight> prompt that stage 1 is blocked on, so the boot continues once the keys are loaded:
<syntaxhighlight lang="bash">
ssh -p 2222 root@host "zpool import -a; zfs load-key -a && killall zfs"
</syntaxhighlight>
Alternatively, you can put the commands into <syntaxhighlight lang="nix" inline>boot.initrd.network.postCommands</syntaxhighlight> in your configuration.nix; then you only have to ssh into the initrd:
<syntaxhighlight lang="nix">
boot = {
  initrd.network = {
    postCommands = ''
      # Import all pools
      zpool import -a
      # ...or import only selected pools instead:
      # zpool import pool2
      # zpool import pool3
      # zpool import pool4
      # Add the load-key command to the .profile, so it runs on ssh login
      echo "zfs load-key -a; killall zfs" >> /root/.profile
    '';
  };
};
</syntaxhighlight>
After that you can unlock your datasets just by logging in; the command appended to .profile runs as soon as the ssh session starts:
<syntaxhighlight lang="bash">
ssh -p 2222 root@host
</syntaxhighlight>
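As an added example (not code from the NixOS wiki or from nixpkgs), here is a small POSIX shell helper that can replace the one-liner above, either run from the ssh session or appended to .profile via postCommands: it only signals stage 1 with <syntaxhighlight lang="bash" inline>killall zfs</syntaxhighlight> after every dataset reports <syntaxhighlight lang="bash" inline>keystatus</syntaxhighlight> <syntaxhighlight lang="bash" inline>available</syntaxhighlight>, so a mistyped passphrase does not let the boot continue with datasets still locked (which otherwise ends in an emergency shell when the mounts fail). It assumes the initrd provides <syntaxhighlight lang="bash" inline>zfs</syntaxhighlight>, <syntaxhighlight lang="bash" inline>zpool</syntaxhighlight> and <syntaxhighlight lang="bash" inline>killall</syntaxhighlight> as in the configuration above; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the NixOS wiki: a guarded unlock step for the
# initrd ssh session. Assumes zfs, zpool and killall exist in the initrd,
# as in the configuration above.

# Read `zfs get -H -o name,value keystatus` output (tab separated) on stdin
# and print the names of datasets whose key is still not loaded.
# "available" means unlocked; "-" is what unencrypted datasets report.
locked_roots() {
    tab="$(printf '\t')"
    while IFS="$tab" read -r name status; do
        case "$status" in
            available|-|"") ;;
            *) printf '%s\n' "$name" ;;
        esac
    done
}

# Succeed only if no dataset is reported as locked.
all_keys_available() {
    [ -z "$(locked_roots)" ]
}

# The interactive unlock: import pools, load keys, verify, then let stage 1
# continue. Refuses to kill the stage-1 zfs prompt while anything is locked.
unlock_and_continue() {
    zpool import -a
    zfs load-key -a
    if zfs get -H -t filesystem,volume -o name,value keystatus | all_keys_available; then
        killall zfs
    else
        echo "some datasets are still locked:" >&2
        zfs get -H -t filesystem,volume -o name,value keystatus | locked_roots >&2
        echo "rerun 'zfs load-key -a' before continuing" >&2
        return 1
    fi
}
```

To use it from the session, source the file and call <syntaxhighlight lang="bash" inline>unlock_and_continue</syntaxhighlight>; the status check is kept separate so it can be run on its own (<syntaxhighlight lang="bash" inline>zfs get -H -t filesystem,volume -o name,value keystatus | locked_roots</syntaxhighlight>) to see what is still locked.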
== Reservations ==