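{
  self,
  config,
  tree,
  lib,
  pkgs,
  ...
}: let
  inherit (lib.modules) mkForce;
  inherit (lib.lists) optionals;

  inherit (pkgs) system;

  # Drive layout (mapper name, encrypted/decrypted device paths, filesystem
  # types) lives in a shared data file so other modules can reference the
  # same devices.
  driveData = import "${self}/data/drives/encryptedDrive.nix";
in {
  imports = with tree; [
    profiles.sshd
  ];

  boot = {
    # Required so the bootloader appends the initrd secrets declared below at
    # boot time instead of them being baked into the world-readable Nix store.
    loader.supportsInitrdSecrets = true;

    initrd = {
      # Storage, USB input and dm-crypt modules needed to reach and unlock the
      # root volume from stage 1.
      availableKernelModules =
        [
          "nvme"
          "ahci"
          "ehci_pci"
          "xhci_pci"
          "sd_mod"
          "sr_mod"
          "usbhid"
          "dm_crypt"
          "dm_mod"
          "cryptd"
        ]
        # Nixpkgs system strings are hyphenated ("x86_64-linux"). The previous
        # comparison used "x86_64_linux", which never matches, so aesni_intel
        # was silently never added on x86_64 hosts.
        ++ (optionals (system == "x86_64-linux") ["aesni_intel"]);

      # Host key for the initrd sshd. NOTE: initrd secrets end up inside the
      # initrd on the unencrypted /boot partition, so anyone with physical
      # access to the disk can read this key. Keep it distinct from the
      # stage-2 sshd host key (as done here) and do not reuse it elsewhere.
      # This setup also does not protect /boot itself against tampering.
      secrets = {
        "/ssh_host_ed25519_key" = mkForce "/initrd_ssh_host_ed25519_key";
      };

      luks = {
        forceLuksSupportInInitrd = true;
        devices = {
          "${driveData.mapperName}" = {
            device = "${driveData.encryptedPath}";
            preLVM = false;
            # TRIM passthrough: better SSD wear/performance, but which blocks of
            # the encrypted volume are unused becomes observable from the raw
            # device (the known information-leak tradeoff of LUKS discards).
            allowDiscards = true;
          };
        };
      };

      # Remote unlock: bring up networking and an sshd in stage 1 so the LUKS
      # passphrase can be entered over SSH.
      network = {
        enable = true;
        ssh = {
          enable = true;
          # Same port as the stage-2 sshd but a different host key: clients
          # will see a host-key mismatch unless they keep a separate known_hosts
          # entry for the initrd; a dedicated port (e.g. 2222) avoids that.
          port = 22;
          # Anyone holding one of root's authorized keys can log into the initrd
          # and unlock the root volume.
          authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
          hostKeys = ["/ssh_host_ed25519_key"];
        };
        # Prompt for the passphrase as soon as someone logs into the initrd
        # shell, instead of requiring them to run cryptsetup-askpass by hand.
        postCommands = ''
          echo 'cryptsetup-askpass' >> /root/.profile
        '';
      };
    };
  };

  fileSystems = {
    "/" = {
      device = "${driveData.decryptedPath}";
      fsType = "${driveData.unencryptedFSType}";
    };

    "/boot" = {
      device = "${driveData.bootPath}";
      fsType = "${driveData.bootFSType}";
    };
  };
}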