ZFS: Difference between revisions
imported>Mic92 enableUnstable is also a thing on earlier releases |
imported>CptMikky update config from dropbear ssh to openssh + mention hostkeyPath format |
Line 416: | Line 416: | ||
=== Unlock encrypted zfs via ssh on boot === | === Unlock encrypted zfs via ssh on boot === | ||
In case you want unlock a machine remotely (after an update), having | In case you want unlock a machine remotely (after an update), having an ssh service in initrd for the password prompt is handy: | ||
<syntaxhighlight lang="nix"> | <syntaxhighlight lang="nix"> | ||
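Review bot: the opening sentence of this region still reads "In case you want unlock a machine remotely (after an update)" in the new revision; "want to unlock" is intended, and "after an update" is worth spelling out as "after a reboot, e.g. following nixos-rebuild", since that is the only situation in which the initrd prompt is reached without someone at the console.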
Line 429: | Line 429: | ||
ssh = { | ssh = { | ||
enable = true; | enable = true; | ||
# To prevent ssh from freaking out because a different host key is used, | # To prevent ssh clients from freaking out because a different host key is used, | ||
# a different port for | # a different port for ssh is useful (assuming the same host has also a regular sshd running) | ||
port = 2222; | port = 2222; | ||
# | # hostKeys paths must be unquoted strings, otherwise you'll run into issues with boot.initrd.secrets | ||
# | # the keys are copied to initrd from the path specified; multiple keys can be set | ||
# you can generate any number of host keys using | |||
# `ssh-keygen -t ed25519 -N "" -f /path/to/ssh_host_ed25519_key` | |||
hostKeys = [ /path/to/ssh_host_rsa_key ]; | |||
# public ssh key used for login | # public ssh key used for login | ||
authorizedKeys = [ "ssh-rsa AAAA..." ]; | authorizedKeys = [ "ssh-rsa AAAA..." ]; | ||
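Review bot: the new comment "hostKeys paths must be unquoted strings, otherwise you'll run into issues with boot.initrd.secrets" is self-contradictory in Nix and hides a security consequence. An unquoted `/path/to/ssh_host_rsa_key` is a path literal, not a string; when the configuration is evaluated, Nix copies the file behind a path literal into the Nix store, so the initrd's private host key ends up in a world-readable store path (the initrd-ssh module even strips the store hash from such names when it builds the in-initrd path). A quoted `"/path/to/ssh_host_rsa_key"` is handed to boot.initrd.secrets as a plain host path and read from the running system when the initrd is assembled, which is the form that keeps the key out of the store; if the author has hit a concrete problem with the string form, the comment should name it rather than say "issues". The comment and example also disagree on key type: the ssh-keygen line generates `ssh_host_ed25519_key` while `hostKeys = [ /path/to/ssh_host_rsa_key ];` references an RSA key; pick one (ed25519 is the better default) so a reader copying both lines gets a working setup.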
Line 455: | Line 457: | ||
Unfortunately having an unlock key file stored in an encrypted zfs dataset cannot be used directly, so the pool must use <code>keyformat=passphrase</code> and <code>keylocation=prompt</code>. | Unfortunately having an unlock key file stored in an encrypted zfs dataset cannot be used directly, so the pool must use <code>keyformat=passphrase</code> and <code>keylocation=prompt</code>. | ||
The following example follows the remote unlocking with | The following example follows the remote unlocking with OpenSSH, but imports another pool also and prompts for unlocking (either when at the machine itself or when logging in remotely: | ||
<syntaxhighlight lang="nix"> | <syntaxhighlight lang="nix"> | ||
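Review bot: the sentence "Unfortunately having an unlock key file stored in an encrypted zfs dataset cannot be used directly" gives no reason; state it, since it is what forces the design: at the point in initrd where the pool is imported, the dataset that would hold the key file is itself still locked, so the key cannot be read, and that is why keyformat=passphrase with keylocation=prompt is the only option that works with a remote prompt. The following sentence also has an unclosed parenthesis: "(either when at the machine itself or when logging in remotely:" needs a ")" before the colon.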
Line 464: | Line 466: | ||
enable = true; | enable = true; | ||
port = 2222; | port = 2222; | ||
hostKeys = [ /path/to/ssh_host_rsa_key ]; | |||
authorizedKeys = [ "ssh-rsa AAAA..." ]; | authorizedKeys = [ "ssh-rsa AAAA..." ]; | ||
}; | }; | ||
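Review bot: `hostKeys = [ /path/to/ssh_host_rsa_key ];` is added here without the caveat that belongs next to it: this must be a key pair generated only for the initrd, never the machine's regular sshd host key. The initrd with its appended secrets lives on the boot partition, which on a typical setup is unencrypted, so anyone with offline access to the disk can read that key; the NixOS option documentation for boot.initrd.network.ssh.hostKeys warns against reusing the regular host keys for exactly this reason. A one-line comment ("dedicated initrd key, generated with ssh-keygen; do not reuse /etc/ssh/ssh_host_*_key") would make the second example safe to copy on its own, since the explanatory comments from the first example are not repeated here.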
Line 475: | Line 477: | ||
</syntaxHighlight> | </syntaxHighlight> | ||
When you login by SSH into | When you login by SSH into the box or when you have physical access to the machine itself, you will be prompted to supply the unlocking password for your zroot and tankXXX pools. | ||
== ZFS Trim Support for SSDs == | == ZFS Trim Support for SSDs == |