diff --git a/hosts/zeta/hardware.nix b/hosts/zeta/hardware.nix
index 5a6ef3f..f78ba32 100644
--- a/hosts/zeta/hardware.nix
+++ b/hosts/zeta/hardware.nix
@@ -17,6 +17,24 @@
 boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usb_storage" "sd_mod"];
 boot.initrd.kernelModules = ["dm-snapshot"];
+
+ # https://wiki.nixos.org/wiki/Remote_disk_unlocking
+ # > ssh -o HostKeyAlias=tor-initrd root@tor
+ boot.initrd.network = {
+ enable = true;
+ # Clear initrd network configuration before stage 2
+ flushBeforeStage2 = true;
+ ssh = {
+ enable = true;
+ authorizedKeys = config.users.users.caspervk.openssh.authorizedKeys.keys;
+ # NOTE: the key is stored insecurely in the global Nix store and
+ # unencrypted boot partition, which is why we use a separate key.
+ # > sudo ssh-keygen -t ed25519 -N "" -f /nix/persist/initrd-ssh_host_ed25519_key
+ hostKeys = ["/nix/persist/initrd-ssh_host_ed25519_key"];
+ };
+ };
+ boot.kernelParams = ["ip=192.168.0.95::192.168.0.1"];
+
 boot.kernelModules = ["kvm-intel"];
 boot.extraModulePackages = [];
diff --git a/modules/base/ssh.nix b/modules/base/ssh.nix
index 7a48892..7134a45 100644
--- a/modules/base/ssh.nix
+++ b/modules/base/ssh.nix
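Review bot: In hosts/zeta/hardware.nix the initrd now starts networking and sshd, but `boot.initrd.availableKernelModules` in the context lines still lists only `"xhci_pci" "ahci" "usb_storage" "sd_mod"`, so no network driver is visibly available in stage 1. Unless the NIC module is added in another file, the static `ip=` address will not come up and the unlock prompt stays reachable only from the console. Append the host's driver to that list, e.g. `"<nic-driver-module>"` (placeholder; `lspci -k` shows the module in use). Separately, `authorizedKeys` reuses every login key of `caspervk` for a pre-boot root shell, and a one-line comment saying this is intended would help the next reader. The enclosing attribute set starts and ends outside the hunk.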
@@ -19,10 +19,9 @@
 programs.ssh.knownHosts = {
 "alpha".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGOpQNEmmEe6jr7Mv37ozokvtTSd1I3SmUU1tpCSNTkc";
 "delta".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFe9RpnO1/QRU81kjtEsWN66xfP5Y/qf5EQZ6wdM/XCT";
- "delta-old".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB0x9oImZjIhoPEwLlHVixIh7y1Kwn+SX17xffrdRzvv";
 "sigma".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC4Kvx/lcFRvl7KlxqqhrJ32h3FzuzyLA5BNB42+p92c";
- "sigma-old".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF2Qrh0tpR5YawiYvcPGC4OSnu4//ge1eVdiBDLrTbCx";
 "tor".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVPxvqwS2NMqqCGBkMmExzdBY5hGLegiOuqPJAOfdKk";
+ "tor-initrd".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVPxvqwS2NMqqCGBkMmExzdBY5hGLegiOuqPJAOfdKk";
 "git.caspervk.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC4Kvx/lcFRvl7KlxqqhrJ32h3FzuzyLA5BNB42+p92c";
 };
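Review bot: The new `"tor-initrd"` entry pins exactly the same key blob as `"tor"` (both end in `...qPJAOfdKk`), while the comment added in hosts/zeta/hardware.nix says the initrd uses a separately generated key at `/nix/persist/initrd-ssh_host_ed25519_key`. If the initrd really serves that separate key, `ssh -o HostKeyAlias=tor-initrd` will fail host-key verification against this entry. If it does verify, the main host key is the one being copied into the unencrypted initrd, which is what the separate key was meant to avoid. The entry should carry the public half of the initrd key instead: `"tor-initrd".publicKey = "ssh-ed25519 <contents of initrd-ssh_host_ed25519_key.pub>";` (placeholder). A short comment above it saying the alias exists only for stage-1 unlock would also make the pairing with the `HostKeyAlias` usage clear.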