nixfiles/presets/nixos/serverEncryptedDrive.nix

{
  self,
  config,
  tree,
  lib,
  pkgs,
  ...
}: let
  inherit (lib.modules) mkForce;
  inherit (lib.lists) optionals;

  inherit (pkgs) system;

  driveData = import "${self}/data/drives/encryptedDrive.nix";
in {
  imports = with tree; [
    profiles.sshd
  ];

  boot = {
    loader.supportsInitrdSecrets = true;
    initrd = {
      availableKernelModules =
        [
          "nvme"
          "ahci"
          "ehci_pci"
          "xhci_pci"
          "sd_mod"
          "sr_mod"
          "usbhid"
          "dm_crypt"
          "dm_mod"
          "cryptd"
        ]
        ++ (optionals (system == "x86_64_linux") ["aesni_intel"]);

      secrets = {
        "/ssh_host_ed25519_key" = mkForce "/initrd_ssh_host_ed25519_key";
      };

      luks = {
        forceLuksSupportInInitrd = true;
        devices = {
          "${driveData.mapperName}" = {
            device = "${driveData.encryptedPath}";
            preLVM = false;
            allowDiscards = true;
          };
        };
      };
    };

    initrd.network = {
      enable = true;
      ssh = {
        enable = true;
        port = 22;
        authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
        hostKeys = ["/ssh_host_ed25519_key"];
      };
      postCommands = ''
        echo 'cryptsetup-askpass' >> /root/.profile
      '';
    };
  };

  fileSystems = {
    "/" = {
      device = "${driveData.decryptedPath}";
      fsType = "${driveData.unencryptedFSType}";
    };
    "/boot" = {
      device = "${driveData.bootPath}";
      fsType = "${driveData.bootFSType}";
    };
  };
}
add encrypted server profile and move vault to it 2022-12-14 12:04:21 +00:00			`{`
start work on arm for vault 2023-09-20 15:46:20 +01:00			`self,`
add encrypted server profile and move vault to it 2022-12-14 12:04:21 +00:00			`config,`
updates (untested) 2023-02-13 11:33:33 +00:00			`tree,`
start work on arm for vault 2023-09-20 15:46:20 +01:00			`lib,`
			`pkgs,`
add encrypted server profile and move vault to it 2022-12-14 12:04:21 +00:00			`...`
start work on arm for vault 2023-09-20 15:46:20 +01:00			`}: let`
			`inherit (lib.modules) mkForce;`
migrate hetzner-vm to hetzner-arm; piped currently dead 2023-09-21 05:06:27 +01:00			`inherit (lib.lists) optionals;`
start work on arm for vault 2023-09-20 15:46:20 +01:00
first pass using statix linter 2024-03-10 17:26:18 +00:00			`inherit (pkgs) system;`
start work on arm for vault 2023-09-20 15:46:20 +01:00
			`driveData = import "${self}/data/drives/encryptedDrive.nix";`
			`in {`
major tidy 2023-09-18 03:56:58 +01:00			`imports = with tree; [`
			`profiles.sshd`
			`];`
updates (untested) 2023-02-13 11:33:33 +00:00
major tidy 2023-09-18 03:56:58 +01:00			`boot = {`
start work on arm for vault 2023-09-20 15:46:20 +01:00			`loader.supportsInitrdSecrets = true;`
			`initrd = {`
			`availableKernelModules =`
			`[`
			`"nvme"`
			`"ahci"`
			`"ehci_pci"`
			`"xhci_pci"`
			`"sd_mod"`
			`"sr_mod"`
			`"usbhid"`
			`"dm_crypt"`
			`"dm_mod"`
			`"cryptd"`
			`]`
migrate hetzner-vm to hetzner-arm; piped currently dead 2023-09-21 05:06:27 +01:00			`++ (optionals (system == "x86_64_linux") ["aesni_intel"]);`
add encrypted server profile and move vault to it 2022-12-14 12:04:21 +00:00
start work on arm for vault 2023-09-20 15:46:20 +01:00			`secrets = {`
migrate hetzner-vm to hetzner-arm; piped currently dead 2023-09-21 05:06:27 +01:00			`"/ssh_host_ed25519_key" = mkForce "/initrd_ssh_host_ed25519_key";`
start work on arm for vault 2023-09-20 15:46:20 +01:00			`};`
add encrypted server profile and move vault to it 2022-12-14 12:04:21 +00:00
start work on arm for vault 2023-09-20 15:46:20 +01:00			`luks = {`
			`forceLuksSupportInInitrd = true;`
			`devices = {`
			`"${driveData.mapperName}" = {`
			`device = "${driveData.encryptedPath}";`
			`preLVM = false;`
			`allowDiscards = true;`
			`};`
			`};`
			`};`
			`};`
add encrypted server profile and move vault to it 2022-12-14 12:04:21 +00:00
			`initrd.network = {`
			`enable = true;`
			`ssh = {`
			`enable = true;`
			`port = 22;`
			`authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;`
			`hostKeys = ["/ssh_host_ed25519_key"];`
			`};`
			`postCommands = ''`
			`echo 'cryptsetup-askpass' >> /root/.profile`
			`'';`
			`};`
			`};`

major tidy 2023-09-18 03:56:58 +01:00			`fileSystems = {`
add encrypted server profile and move vault to it 2022-12-14 12:04:21 +00:00			`"/" = {`
start work on arm for vault 2023-09-20 15:46:20 +01:00			`device = "${driveData.decryptedPath}";`
			`fsType = "${driveData.unencryptedFSType}";`
add encrypted server profile and move vault to it 2022-12-14 12:04:21 +00:00			`};`
			`"/boot" = {`
start work on arm for vault 2023-09-20 15:46:20 +01:00			`device = "${driveData.bootPath}";`
			`fsType = "${driveData.bootFSType}";`
add encrypted server profile and move vault to it 2022-12-14 12:04:21 +00:00			`};`
			`};`
			`}`