42 lines
1 KiB
Nix
42 lines
1 KiB
Nix
|
{
|
||
|
|
config,
|
||
|
|
lib,
|
||
|
|
self,
|
||
|
|
tree,
|
||
|
|
...
|
||
|
|
}: let
|
||
|
|
inherit (lib.modules) mkIf mkBefore mkDefault mkOverride mkForce;
|
||
|
|
inherit (lib.options) mkOption mkEnableOption;
|
||
|
|
inherit (lib.lists) optionals;
|
||
|
|
inherit (lib) types;
|
||
|
|
|
||
|
|
encryptedUSB = import "${self}/data/drives/encryptedUSB.nix";
|
||
|
|
driveData = import "${self}/data/drives/encryptedDrive.nix";
|
||
|
|
|
||
|
|
cfg = config.boot.encryptedDrive;
|
||
|
|
in {
|
||
|
|
config = mkIf (cfg.enable && cfg.mode == "ssh") {
|
||
|
|
boot.loader.supportsInitrdSecrets = true;
|
||
|
|
|
||
|
|
boot.initrd.secrets = {
|
||
|
|
# we only support ed25519 for now
|
||
|
|
"/ssh_host_ed25519_key" = mkForce "/initrd_ssh_host_ed25519_key";
|
||
|
|
};
|
||
|
|
|
||
|
|
boot.initrd.luks.forceLuksSupportInInitrd = true;
|
||
|
|
|
||
|
|
boot.initrd.network = {
|
||
|
|
enable = true;
|
||
|
|
ssh = {
|
||
|
|
enable = true;
|
||
|
|
port = 22;
|
||
|
|
authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
|
||
|
|
hostKeys = ["/ssh_host_ed25519_key"];
|
||
|
|
};
|
||
|
|
postCommands = ''
|
||
|
|
echo 'cryptsetup-askpass' >> /root/.profile
|
||
|
|
'';
|
||
|
|
};
|
||
|
|
};
|
||
|
|
}
|