ZFS: Difference between revisions
imported>Mic92 No edit summary |
imported>Mic92 initrd unlock |
Line 223: | Line 223: | ||
$ mount -t zfs zroot/root/tmp /mnt/tmp/ | $ mount -t zfs zroot/root/tmp /mnt/tmp/ | ||
$ nixos-generate-config --root /mnt | $ nixos-generate-config --root /mnt | ||
</syntaxHighlight> | |||
=== Unlock encrypted zfs via ssh on boot === | |||
In case you want unlock a machine remotely (after an update), | |||
having a dropbear ssh service in initrd for the password prompt | |||
is handy: | |||
<syntaxHighlight lang=nix> | |||
boot = { | |||
initrd.network = { | |||
# will use udhcp to get an ip address | |||
# static ip addresses might be configured using the ip argument in kernel command line: | |||
# https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt | |||
enable = true; | |||
ssh = { | |||
enable = true; | |||
# To prevent ssh from freaking out because a different host key is used, | |||
# a different port for dropbear is useful (assuming the same host has also a normal sshd running) | |||
port = 2222; | |||
# dropbear uses key format different from openssh; can be generated by using: | |||
# $ nix-shell -p dropbear --command "dropbearkey -t ecdsa -f /tmp/initrd-ssh-key" | |||
hostECDSAKey = "/run/keys/initrd-ssh-key"; | |||
}; | |||
# this will automatically load the zfs password prompt on login | |||
# and kill the other prompt so boot can continue | |||
postCommands = '' | |||
echo "zfs load-key -a; killall zfs" >> /root/.profile | |||
''; | |||
}; | |||
}; | |||
</syntaxHighlight> | </syntaxHighlight> | ||
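Review bot: The host key referenced by `hostECDSAKey = "/run/keys/initrd-ssh-key"` is copied into the initrd, and the initrd normally sits on the unencrypted boot partition, so this key is not protected by the ZFS encryption it is used to unlock and anyone who can read that partition can impersonate the pre-boot ssh host; the snippet should state this so readers do not reuse their main sshd key here. A comment such as `# NOTE: this key ends up inside the initrd on (unencrypted) /boot -- use a dedicated key, never the system's sshd host key` above line `hostECDSAKey = ...` would make the trade-off explicit. The generation command in the comment `dropbearkey -t ecdsa -f /tmp/initrd-ssh-key` writes the private key to world-readable /tmp, so the comment should add that it must be moved to its final path with owner-only permissions before the system is built. The `echo "zfs load-key -a; killall zfs" >> /root/.profile` in `postCommands` relies on `killall zfs` terminating the console prompt; it may be worth noting in a comment that this assumes the stage-1 prompt process is named `zfs`.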