Remote disk unlocking: Difference between revisions
Add section on how to enable wifi in initrd |
Properly escape greater than signs |
||
(2 intermediate revisions by the same user not shown) | |||
Line 6: | Line 6: | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
# ssh-keygen -t | # ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key | ||
</syntaxhighlight> | </syntaxhighlight> | ||
Line 12: | Line 12: | ||
{{file|/etc/nixos/configuration.nix|nix|<nowiki> | {{file|/etc/nixos/configuration.nix|nix|<nowiki> | ||
boot.initrd = { | boot.initrd = { | ||
availableKernelModules = [ "r8169" ]; | availableKernelModules = [ "r8169" ]; | ||
network = { | network = { | ||
enable = true; | enable = true; | ||
udhcpc.enable = true; | |||
flushBeforeStage2 = true; | |||
ssh = { | ssh = { | ||
enable = true; | enable = true; | ||
port = 22; | port = 22; | ||
authorizedKeys = [ "ssh-rsa AAAAyourpublic-key-here..." ]; | authorizedKeys = [ "ssh-rsa AAAAyourpublic-key-here..." ]; | ||
hostKeys = [ "/etc/secrets/initrd/ | hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ]; | ||
}; | }; | ||
postCommands = '' | |||
# Automatically ask for the password on SSH login | |||
echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1'</nowiki> >> <nowiki>/root/.profile | |||
''; | |||
}; | }; | ||
}; | }; | ||
Line 35: | Line 39: | ||
The <code> | The <code>postCommands</code> option is necessary to get a password prompt instead of a shell. | ||
If you omit it, you will get dropped into <code>/bin/ash</code>, and you will have to manually run <code>cryptsetup-askpass</code> to enter the password. Alternatively, the <code>shell</code> option can be set to <code>/bin/conspy</code> for passwords which expect stdin. This binary included by default, and provided by busybox. | If you omit it, you will get dropped into <code>/bin/ash</code>, and you will have to manually run <code>cryptsetup-askpass</code> to enter the password. Alternatively, the <code>boot.initrd.systemd.users.root.shell</code> option can be set to <code>/bin/conspy</code> for passwords which expect stdin. This binary included by default, and provided by busybox. | ||
== Usage == | == Usage == |