Remote disk unlocking: Difference between revisions

(2 intermediate revisions by 2 users not shown)

Line 113:

=== Tor in initrd ===

An example with an ssh server listening at a tor hidden service address can be found at [https://cgit.euer.krebsco.de/stockholm/~~tree~~/krebs/2configs/tor/initrd.nix~~?id=9919cb25912dfcc50881239f95494dd2f8e7b858~~ krebs/2configs/tor/initrd.nix in stockholm]

An example with an ssh server listening at a tor hidden service address can be found at [https://cgit.euer.krebsco.de/makefu/stockholm/src/commit/9b1008814e981dc01afe9ee7446322ad512c1d72/krebs/2configs/tor/initrd.nix krebs/2configs/tor/initrd.nix in stockholm]

==== Prepare the Onion ID ====

Line 222:

=== Enable Wifi in initrd ===

Following example configuration by [https://discourse.nixos.org/t/wireless-connection-within-initrd/38317/13 @loutr] enables wifi connections inside initrd. Replace interface name <code>wlp0s20f0u4</code> with the name of your wifi adapter. Depending on your wifi device, you might need to add different kernel modules.<syntaxhighlight lang="nix">

boot.initrd = {

{

# crypto coprocessor and wifi modules

boot.initrd = {

availableKernelModules = [ "ccm" "ctr" "iwlmvm" "iwlwifi" ];

# crypto coprocessor and wifi modules

availableKernelModules = [

"ccm"

"ctr"

"iwlmvm"

"iwlwifi"

];

systemd = {

enable = true;

packages = [ pkgs.wpa_supplicant ];

initrdBin = [ pkgs.wpa_supplicant ];

targets.initrd.wants = [ "wpa_supplicant@wlp0s20f0u4.service" ];

# prevent WPA supplicant from requiring `sysinit.target`.

services."wpa_supplicant@".unitConfig.DefaultDependencies = false;

users.root.shell = "/bin/systemd-tty-ask-password-agent";

network ~~= {~~

network = {

~~enable = true;~~

~~networks."10-wlan" = {~~

~~matchConfig.Name = "wlp0s20f0u4";~~

~~networkConfig.DHCP = "yes";~~

};

~~ssh~~ = {

enable = true;

~~port~~ = 22;

networks."10-wlan" = {

~~hostKeys~~ = [ "~~/etc/ssh/ssh_host_ed25519_key~~" ];

matchConfig.Name = "wlp0s20f0u4";

~~authorizedKeys = default.user.openssh.authorizedKeys.keys~~;

DHCP = "yes";

};

network.ssh = {

enable = true;

port = 22;

hostKeys = [ "/etc/ssh/ssh_host_ed25519_key" ];

authorizedKeys = default.user.openssh.authorizedKeys.keys;

};

secrets."/etc/wpa_supplicant/wpa_supplicant-wlp0s20f0u4.conf" = /root/secrets/wpa_supplicant.conf;

};

</syntaxhighlight>The file <code>~~wpa_supplicat~~-wlp0s20f0u4.conf</code> is the wireless profile used by [[wpa_supplicant]] which will get copied into the initramfs.

}

</syntaxhighlight>The file <code>wpa_supplicant-wlp0s20f0u4.conf</code> is the wireless profile used by [[wpa_supplicant]] which will get copied into the initramfs.

[[Category:Server]]

[[Category:Cookbook]]

@@ Line 113: / Line 113: @@
 === Tor in initrd ===
-An example with an ssh server listening at a tor hidden service address can be found at [https://cgit.euer.krebsco.de/stockholm/tree/krebs/2configs/tor/initrd.nix?id=9919cb25912dfcc50881239f95494dd2f8e7b858 krebs/2configs/tor/initrd.nix in stockholm]
+An example with an ssh server listening at a tor hidden service address can be found at [https://cgit.euer.krebsco.de/makefu/stockholm/src/commit/9b1008814e981dc01afe9ee7446322ad512c1d72/krebs/2configs/tor/initrd.nix krebs/2configs/tor/initrd.nix in stockholm]
 ==== Prepare the Onion ID ====
@@ Line 222: / Line 222: @@
 === Enable Wifi in initrd ===
 Following example configuration by [https://discourse.nixos.org/t/wireless-connection-within-initrd/38317/13 @loutr] enables wifi connections inside initrd. Replace interface name <code>wlp0s20f0u4</code> with the name of your wifi adapter. Depending on your wifi device, you might need to add different kernel modules.<syntaxhighlight lang="nix">
-boot.initrd = {
+{
-  # crypto coprocessor and wifi modules
+  boot.initrd = {
-  availableKernelModules = [ "ccm" "ctr" "iwlmvm" "iwlwifi" ];
+    # crypto coprocessor and wifi modules
+    availableKernelModules = [
+      "ccm"
+      "ctr"
+      "iwlmvm"
+      "iwlwifi"
+    ];
-  systemd = {
+    systemd = {
-    enable = true;
+      enable = true;
-    packages = [ pkgs.wpa_supplicant ];
+      packages = [ pkgs.wpa_supplicant ];
-    initrdBin = [ pkgs.wpa_supplicant ];
+      initrdBin = [ pkgs.wpa_supplicant ];
-    targets.initrd.wants = [ "wpa_supplicant@wlp0s20f0u4.service" ];
+      targets.initrd.wants = [ "wpa_supplicant@wlp0s20f0u4.service" ];
-    # prevent WPA supplicant from requiring `sysinit.target`.
+      # prevent WPA supplicant from requiring `sysinit.target`.
-    services."wpa_supplicant@".unitConfig.DefaultDependencies = false;
+      services."wpa_supplicant@".unitConfig.DefaultDependencies = false;
-    users.root.shell = "/bin/systemd-tty-ask-password-agent";
+      users.root.shell = "/bin/systemd-tty-ask-password-agent";
-    network = {
+      network = {
-      enable = true;
-      networks."10-wlan" = {
-        matchConfig.Name = "wlp0s20f0u4";
-        networkConfig.DHCP = "yes";
-      };
-      ssh = {
          enable = true;
-         port = 22;
+         networks."10-wlan" = {
-        hostKeys = [ "/etc/ssh/ssh_host_ed25519_key" ];
+          matchConfig.Name = "wlp0s20f0u4";
-         authorizedKeys = default.user.openssh.authorizedKeys.keys;
+          DHCP = "yes";
+         };
        };
+    };
+    network.ssh = {
+      enable = true;
+      port = 22;
+      hostKeys = [ "/etc/ssh/ssh_host_ed25519_key" ];
+      authorizedKeys = default.user.openssh.authorizedKeys.keys;
      };
      secrets."/etc/wpa_supplicant/wpa_supplicant-wlp0s20f0u4.conf" = /root/secrets/wpa_supplicant.conf;
    };
-</syntaxhighlight>The file <code>wpa_supplicat-wlp0s20f0u4.conf</code> is the wireless profile used by [[wpa_supplicant]] which will get copied into the initramfs.
+}
+</syntaxhighlight>The file <code>wpa_supplicant-wlp0s20f0u4.conf</code> is the wireless profile used by [[wpa_supplicant]] which will get copied into the initramfs.
 [[Category:Server]]
 [[Category:Cookbook]]