wip

hosts/zeta/hardware.nix

@@ -17,6 +17,24 @@
 
   boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usb_storage" "sd_mod"];
   boot.initrd.kernelModules = ["dm-snapshot"];
+
+  # https://wiki.nixos.org/wiki/Remote_disk_unlocking
+  # > ssh -o HostKeyAlias=tor-initrd root@tor
+  boot.initrd.network = {
+    enable = true;
+    # Clear initrd network configuration before stage 2
+    flushBeforeStage2 = true;
+    ssh = {
+      enable = true;
+      authorizedKeys = config.users.users.caspervk.openssh.authorizedKeys.keys;
+      # NOTE: the key is stored insecurely in the global Nix store and
+      # unencrypted boot partition, which is why we use a separate key.
+      # > sudo ssh-keygen -t ed25519 -N "" -f /nix/persist/initrd-ssh_host_ed25519_key
+      hostKeys = ["/nix/persist/initrd-ssh_host_ed25519_key"];
+    };
+  };
+  boot.kernelParams = ["ip=192.168.0.95::192.168.0.1"];
+
   boot.kernelModules = ["kvm-intel"];
   boot.extraModulePackages = [];
 

modules/base/ssh.nix

@@ -19,10 +19,9 @@
   programs.ssh.knownHosts = {
     "alpha".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGOpQNEmmEe6jr7Mv37ozokvtTSd1I3SmUU1tpCSNTkc";
     "delta".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFe9RpnO1/QRU81kjtEsWN66xfP5Y/qf5EQZ6wdM/XCT";
-    "delta-old".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB0x9oImZjIhoPEwLlHVixIh7y1Kwn+SX17xffrdRzvv";
     "sigma".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC4Kvx/lcFRvl7KlxqqhrJ32h3FzuzyLA5BNB42+p92c";
-    "sigma-old".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF2Qrh0tpR5YawiYvcPGC4OSnu4//ge1eVdiBDLrTbCx";
     "tor".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVPxvqwS2NMqqCGBkMmExzdBY5hGLegiOuqPJAOfdKk";
+    "tor-initrd".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVPxvqwS2NMqqCGBkMmExzdBY5hGLegiOuqPJAOfdKk";
     "git.caspervk.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC4Kvx/lcFRvl7KlxqqhrJ32h3FzuzyLA5BNB42+p92c";
   };