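{ config, lib, ... }:

let
  secretsPath = config.dadada.secrets.path;

  # Name of the per-host SSH host key used only by the initrd SSH server.
  initrdHostKey = "${config.networking.hostName}-ssh_host_ed25519_key";

  # Keys allowed to reach the initrd SSH server: every key of every user that
  # is a member of `wheel`. Only `openssh.authorizedKeys.keys` is consulted, so
  # keys declared solely via `keyFiles` are not picked up here.
  initrdAuthorizedKeys = lib.concatMap
    (user:
      if lib.elem "wheel" user.extraGroups
      then user.openssh.authorizedKeys.keys
      else [ ])
    (lib.attrValues config.users.users);
in
{
  boot.initrd.availableKernelModules = [ "virtio-pci" ];

  boot.kernelParams = [
    # Wait forever for the filesystem root to show up
    "rootflags=x-systemd.device-timeout=0"

    # Wait forever to enter the LUKS passphrase via SSH
    "rd.luks.options=timeout=0"
  ];

  boot.initrd.network = {
    enable = true;

    ssh = {
      enable = true;
      # Presumably chosen to differ from the main system's sshd port so that
      # clients can keep a separate known_hosts entry for the initrd host key.
      port = 2223;
      hostKeys = [ config.age.secrets."${initrdHostKey}".path ];
      authorizedKeys = initrdAuthorizedKeys;
    };

    # Prompt for the LUKS passphrase as soon as someone logs in over SSH.
    # NOTE(review): this hook belongs to the scripted initrd; confirm it still
    # takes effect if boot.initrd.systemd.enable is ever turned on.
    postCommands = ''
      echo 'cryptsetup-askpass' >> /root/.profile
    '';
  };

  # The initrd host key is embedded into the initrd image. Without bootloader
  # support for initrd secrets the private key would be copied into the
  # world-readable Nix store, which the assertion refuses.
  assertions = lib.singleton {
    assertion = (config.boot.initrd.network.ssh.hostKeys != [ ]) -> config.boot.loader.supportsInitrdSecrets;
    message = "Refusing to store private keys in store";
  };

  age.secrets."${initrdHostKey}" = {
    file = "${secretsPath}/initrd-${initrdHostKey}.age";
    mode = "600";
    # Decrypted to a fixed path as a regular file rather than a symlink into
    # the agenix runtime directory — presumably so the initrd secrets mechanism
    # can copy the actual key material; verify against the initrd build.
    path = "/etc/initrd/${initrdHostKey}";
    symlink = false;
  };
}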