infra/modules/unlock-luks-on-boot/default.nix
b12f eb63779bb6
All checks were successful
Flake checks / Check (pull_request) Successful in 28m11s
auth: use all sshPubKeys for disk unlock, fix tests, fix hm config
2024-11-20 16:49:39 +01:00

21 lines
694 B
Nix

{ flake, config, ... }:
{
boot.initrd.network = {
enable = true;
ssh = {
enable = true;
# To prevent ssh clients from freaking out because a different host key is used,
# a different port for ssh is useful (assuming the same host has also a regular sshd running)
port = 2222;
# Please create this manually the first time.
hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
authorizedKeys = flake.self.logins.sshPubKeys;
};
postCommands = ''
# Automatically ask for the password on SSH login
echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1' >> /root/.profile
'';
};
}