Remote disk unlocking

When systemd is used in the initrd, the boot process continues automatically once the root file system has been unlocked and mounted at <code>/sysroot</code>.
=== WireGuard in initrd ===
Assuming you have already enabled the SSH daemon, configured networking (for example via DHCP or a static IP) and configured an unlocking command, the following additional snippet enables [[WireGuard]] connectivity to a remote peer from within the initrd, so the host can be unlocked over the tunnel instead of over a directly exposed port.<syntaxhighlight lang="nix">
# r8169 is the example NIC driver; replace it with the module for your network device.
boot.initrd.availableKernelModules = [ "r8169" "wireguard" ];
boot.initrd.systemd = {
  enable = true;
  network = {
    netdevs."30-wg-initrd" = {
      netdevConfig = {
        Kind = "wireguard";
        Name = "wg-initrd";
      };
      # Private key of this host, copied into the initrd via boot.initrd.secrets below.
      wireguardConfig = { PrivateKeyFile = "/etc/secrets/30-wg-initrd.key"; };
      wireguardPeers = [{
        AllowedIPs = [ "10.250.0.1/32" ];                           # tunnel address of the remote peer
        PublicKey = "wUE//Lwi8DZVIvAjIAtMoy+ku+hJ0w28H7ofySwAJRk="; # public key of the remote peer
        Endpoint = "198.51.100.1:51821";                            # public address and UDP port of the remote peer
        PersistentKeepalive = 25;                                   # keeps NAT/firewall state open so the remote peer can reach us
      }];
    };
    networks."30-wg-initrd" = {
      name = "wg-initrd";
      addresses = [{ Address = "10.250.0.2/24"; }];                 # tunnel address of this host
    };
  };
};
# Copies the key into the initrd; the source file should be owned by root with mode 0600.
boot.initrd.secrets."/etc/secrets/30-wg-initrd.key" = "/etc/wireguard/private-key";
</syntaxhighlight>First generate a private and public key pair as described in the [[WireGuard]] article. Reference the private key in <code>boot.initrd.secrets</code>, in this example <code>/etc/wireguard/private-key</code>; the file should be owned by root with mode <code>0600</code>, and it is best to use a key dedicated to the initrd rather than reusing the host's regular WireGuard key. Put the <code>PublicKey</code> of the remote peer into the <code>wireguardPeers</code> array, and add this host's public key to the remote peer's configuration with <code>10.250.0.2/32</code> as its allowed IP, otherwise the remote peer will ignore the handshake.
Configure the IP addresses used by your initrd peer (<code>10.250.0.2</code>) and the remote peer (<code>10.250.0.1</code>). Also specify the IP and port of the remote peer in <code>Endpoint</code>, in our example <code>198.51.100.1:51821</code>. Because the remote peer usually has no fixed endpoint for the initrd host, the initrd side must initiate the handshake; <code>PersistentKeepalive</code> keeps the NAT or firewall state open so the remote peer can still reach the initrd host afterwards.
Finally, add the <code>wireguard</code> kernel module to <code>boot.initrd.availableKernelModules</code> beside the module required by your network device (<code>r8169</code> in the example).

Note that <code>boot.initrd.secrets</code> appends the key to the initrd, which normally lives on the unencrypted <code>/boot</code> partition. Anyone who can read that partition obtains the private key and can authenticate to the remote peer as this host, so treat the key as exposed to whoever has physical or boot-partition access, and restrict on the remote peer what this key is allowed to reach.
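The snippet above configures only the initrd side of the tunnel. The matching configuration for the remote peer, as an added example that is not part of the original page, assumes the remote peer (<code>198.51.100.1</code>) also runs NixOS and uses the <code>networking.wireguard</code> module; <code>&lt;INITRD_HOST_PUBLIC_KEY&gt;</code> is a placeholder for the public key derived from the initrd host's <code>/etc/wireguard/private-key</code>.

```nix
# Added example (not from the page): remote peer side of the tunnel, mirroring the
# initrd peer. The remote side listens on UDP 51821, holds its own private key and
# accepts exactly one peer, the initrd host, reachable as 10.250.0.2.
# <INITRD_HOST_PUBLIC_KEY> is a placeholder; obtain the real value on the initrd host
# with: wg pubkey < /etc/wireguard/private-key
{
  networking.wireguard.interfaces.wg-initrd = {
    ips = [ "10.250.0.1/24" ];
    listenPort = 51821;
    # Private key of the remote peer; its public key is the PublicKey value placed in
    # wireguardPeers on the initrd host.
    privateKeyFile = "/etc/wireguard/private-key";
    peers = [{
      publicKey = "<INITRD_HOST_PUBLIC_KEY>";
      # Only the initrd host's tunnel address is routed to this peer. No endpoint is set
      # because the initrd host initiates the handshake (and keeps the NAT mapping open
      # with PersistentKeepalive); WireGuard learns the peer's address from the first
      # authenticated packet.
      allowedIPs = [ "10.250.0.2/32" ];
    }];
  };

  # The handshake arrives on the public interface, so the listening port must be open.
  networking.firewall.allowedUDPPorts = [ 51821 ];
}
```

After rebuilding both machines, <code>wg show wg-initrd</code> on the remote peer should report a recent handshake once the initrd host boots; the unlock command can then be run over <code>ssh root@10.250.0.2</code> on the port configured for the initrd SSH daemon. Keeping <code>allowedIPs</code> at <code>/32</code> limits what a stolen initrd key can reach through the remote peer to a single tunnel address.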


=== Tor in initrd ===