Remote disk unlocking: Difference between revisions
imported>Farcaller trace: warning: Please set 'boot.initrd.systemd.users.root.shell' instead of 'boot.initrd.network.ssh.shell' |
Properly escape greater than signs |
||
(6 intermediate revisions by 3 users not shown) | |||
Line 6: | Line 6: | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
# ssh-keygen -t | # ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key | ||
</syntaxhighlight> | </syntaxhighlight> | ||
Line 12: | Line 12: | ||
{{file|/etc/nixos/configuration.nix|nix|<nowiki> | {{file|/etc/nixos/configuration.nix|nix|<nowiki> | ||
boot.initrd = { | boot.initrd = { | ||
availableKernelModules = [ "r8169" ]; | availableKernelModules = [ "r8169" ]; | ||
network = { | network = { | ||
enable = true; | enable = true; | ||
udhcpc.enable = true; | |||
flushBeforeStage2 = true; | |||
ssh = { | ssh = { | ||
enable = true; | enable = true; | ||
port = 22; | port = 22; | ||
authorizedKeys = [ "ssh-rsa AAAAyourpublic-key-here..." ]; | authorizedKeys = [ "ssh-rsa AAAAyourpublic-key-here..." ]; | ||
hostKeys = [ "/etc/secrets/initrd/ | hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ]; | ||
}; | }; | ||
postCommands = '' | |||
# Automatically ask for the password on SSH login | |||
echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1'</nowiki> >> <nowiki>/root/.profile | |||
''; | |||
}; | }; | ||
}; | }; | ||
Line 35: | Line 39: | ||
The <code> | The <code>postCommands</code> option is necessary to get a password prompt instead of a shell. | ||
If you omit it, you will get dropped into <code>/bin/ash</code>, and you will have to manually run <code>cryptsetup-askpass</code> to enter the password. Alternatively, the <code>shell</code> option can be set to <code>/bin/conspy</code> for passwords which expect stdin. This binary included by default, and provided by busybox. | If you omit it, you will get dropped into <code>/bin/ash</code>, and you will have to manually run <code>cryptsetup-askpass</code> to enter the password. Alternatively, the <code>boot.initrd.systemd.users.root.shell</code> option can be set to <code>/bin/conspy</code> for passwords which expect stdin. This binary included by default, and provided by busybox. | ||
== Usage == | == Usage == | ||
Line 52: | Line 56: | ||
=== Bcachefs unlocking === | === Bcachefs unlocking === | ||
Unlocking encrypted Bcachefs root filesystems is [https://github.com/NixOS/nixpkgs/issues/291529 not yet supported]. As a workaround, following script can be used as SSH shell, to unlock the disk <code>/dev/vda2</code>. | Unlocking encrypted Bcachefs root filesystems is [https://github.com/NixOS/nixpkgs/issues/291529 not yet supported]. As a workaround, following script, in combination with the setup above, can be used as SSH shell, to unlock the disk <code>/dev/vda2</code>. | ||
{{file|/etc/nixos/configuration.nix|nix|<nowiki> | {{file|/etc/nixos/configuration.nix|nix|<nowiki> | ||
Line 64: | Line 68: | ||
done | done | ||
''; | ''; | ||
in { | |||
enable = true; | |||
initrdBin = with pkgs; [ keyutils ]; | |||
storePaths = ["${askPass}/bin/bcachefs-askpass"]; | |||
users.root.shell = "${askPass}/bin/bcachefs-askpass"; | |||
}; | }; | ||
</nowiki>}} | </nowiki>}} | ||
Line 183: | Line 186: | ||
<pre>torify ssh root@<onion.id>.onion -p 22 'my-secret-password'</pre> | <pre>torify ssh root@<onion.id>.onion -p 22 'my-secret-password'</pre> | ||
=== Enable Wifi in initrd === | |||
Following example configuration by [https://discourse.nixos.org/t/wireless-connection-within-initrd/38317/13 @loutr] enables wifi connections inside initrd. Replace interface name <code>wlp0s20f0u4</code> with the name of your wifi adapter. Depending on your wifi device, you might need to add different kernel modules.<syntaxhighlight lang="nix"> | |||
boot.initrd = { | |||
# crypto coprocessor and wifi modules | |||
availableKernelModules = [ "ccm" "ctr" "iwlmvm" "iwlwifi" ]; | |||
systemd = { | |||
enable = true; | |||
packages = [ pkgs.wpa_supplicant ]; | |||
initrdBin = [ pkgs.wpa_supplicant ]; | |||
targets.initrd.wants = [ "wpa_supplicant@wlp0s20f0u4.service" ]; | |||
# prevent WPA supplicant from requiring `sysinit.target`. | |||
services."wpa_supplicant@".unitConfig.DefaultDependencies = false; | |||
users.root.shell = "/bin/systemd-tty-ask-password-agent"; | |||
network = { | |||
enable = true; | |||
networks."10-wlan" = { | |||
matchConfig.Name = "wlp0s20f0u4"; | |||
networkConfig.DHCP = "yes"; | |||
}; | |||
ssh = { | |||
enable = true; | |||
port = 22; | |||
hostKeys = [ "/etc/ssh/ssh_host_ed25519_key" ]; | |||
authorizedKeys = default.user.openssh.authorizedKeys.keys; | |||
}; | |||
}; | |||
secrets."/etc/wpa_supplicant/wpa_supplicant-wlp0s20f0u4.conf" = /root/secrets/wpa_supplicant.conf; | |||
}; | |||
</syntaxhighlight>The file <code>wpa_supplicat-wlp0s20f0u4.conf</code> is the wireless profile used by [[wpa_supplicant]] which will get copied into the initramfs. | |||
[[Category:Server]] | |||
[[Category:Cookbook]] |