# Remote LUKS unlock for this machine: starts an SSH server inside the initrd
# so the disk passphrase can be entered over the network before the root
# filesystem is available.
{ config, pkgs, ... }:

let
  # Keys allowed to log in to the initrd SSH server: the user's regular
  # authorized keys first, then one extra key listed only here.
  userKeys = config.users.extraUsers.asmadeus.openssh.authorizedKeys.keys;
  initrdOnlyKeys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHtS5YD+isGRgIOjVzMbXVQyD/44ZOFn6nvPbEAuAKoD asmadeus@jormungand-ullr"
  ];
in
{
  imports = [ ./initrd-wireguard.nix ];

  # r8169 is the Realtek Ethernet driver (presumably this machine's NIC);
  # it has to be loaded in the initrd for early-boot networking to come up.
  boot.initrd.kernelModules = [ "r8169" ];

  boot.initrd.network = {
    enable = true;

    ssh = {
      enable = true;

      # The initrd host key is handled as an initrd secret, but the initrd is
      # read before the disk is unlocked, so treat this key as less protected
      # than the system host key. It is therefore a dedicated key, and the
      # server listens on its own port so it is not confused with the main
      # sshd (NOTE(review): presumably also so clients keep a separate
      # known_hosts entry per port; confirm).
      port = 222;

      # Kept as a quoted string, not a Nix path literal: a path literal would
      # be copied into the world-readable Nix store when evaluated.
      # The key file should be readable by root only.
      hostKeys = [ "/etc/nixos/secrets/initrd_ssh_host_ed25519_key" ];

      # Anyone holding one of these keys gets a root shell in the initrd.
      authorizedKeys = userKeys ++ initrdOnlyKeys;
    };

    # Appends the passphrase prompt to root's profile inside the initrd, so a
    # login over SSH is asked for the LUKS passphrase straight away.
    postCommands = ''
      echo "cryptsetup-askpass" >> /root/.profile
    '';
  };
}