love/nix
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

key to unlock boot correct

Browse Source
This commit is contained in:
Love
2026-04-08 11:25:52 +02:00
parent b753e56afb
commit e739a1e954
1 changed files with 10 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/nixos/luks-initrd-ssh-unlock.nix
+10 -7
View File
@@ -1,6 +1,7 @@
{ {
config, config,
lib, lib,
pkgs,
... ...
}: }:
let let
@@ -17,8 +18,8 @@ in
}; };
hostKeyPath = lib.mkOption { hostKeyPath = lib.mkOption {
type = lib.types.path; type = lib.types.str;
default = /etc/secrets/initrd/ssh_host_ed25519_key; default = "/persist/etc/secrets/initrd/ssh_host_ed25519_key";
description = "Path to the initrd SSH host private key on the target system."; description = "Path to the initrd SSH host private key on the target system.";
}; };
@@ -31,22 +32,24 @@ in
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
boot.kernelParams = [ "ip=dhcp" ]; boot.kernelParams = [ "ip=dhcp" ];
boot.initrd.network = { boot.initrd.network = {
enable = true; enable = true;
ssh = { ssh = {
enable = true; enable = true;
port = cfg.port; port = cfg.port;
hostKeys = [ (toString cfg.hostKeyPath) ]; hostKeys = [ cfg.hostKeyPath ];
authorizedKeys = cfg.authorizedKeys; authorizedKeys = cfg.authorizedKeys;
}; };
}; };
system.activationScripts.initrdSshHostKey = { system.activationScripts.initrdSshHostKey = {
deps = [ "users" "groups" ]; deps = [ "users" "groups" ];
text = '' text = ''
install -d -m 700 "$(dirname ${toString cfg.hostKeyPath})" install -d -m 700 "$(dirname "${cfg.hostKeyPath}")"
if [ ! -f "${toString cfg.hostKeyPath}" ]; then if [ ! -f "${cfg.hostKeyPath}" ]; then
ssh-keygen -t ed25519 -N "" -f "${toString cfg.hostKeyPath}" ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f "${cfg.hostKeyPath}"
chmod 600 "${toString cfg.hostKeyPath}" chmod 600 "${cfg.hostKeyPath}"
fi fi
''; '';
}; };