feat: add remote disk decryption over ssh

2025-12-06 09:07:21 +01:00 · 2025-11-17 22:51:14 +01:00 · 2025-11-17 22:51:14 +01:00 · 3391febda2
commit 3391febda2
parent 66a543abf7
6 changed files with 162 additions and 64 deletions
--- a/modules/nixos/common/globals.nix
+++ b/modules/nixos/common/globals.nix
@ -13,10 +13,10 @@ let
    };

    subnetMask4 = mkOption {
-      type = types.nullOr types.net.cidrv4;
+      type = types.nullOr types.net.ipv4;
      description = "The dotted decimal form of the subnet mask of this network";
      readOnly = true;
-      default = lib.swarselsystems.cidrToSubnetMask netSubmod.cidrv4;
+      default = lib.swarselsystems.cidrToSubnetMask netSubmod.config.cidrv4;
    };

    cidrv6 = mkOption {
--- a/modules/nixos/common/home-manager.nix
+++ b/modules/nixos/common/home-manager.nix
@ -7,6 +7,7 @@
      useUserPackages = true;
      verbose = true;
      backupFileExtension = "hm-bak";
+      overwriteBackup = true;
      users.${config.swarselsystems.mainUser}.imports = [
        inputs.nix-index-database.homeModules.nix-index
        inputs.sops-nix.homeManagerModules.sops
--- a/modules/nixos/server/disk-encrypt.nix
+++ b/modules/nixos/server/disk-encrypt.nix
@ -1,34 +1,80 @@
-{ self, lib, config, globals, ... }:
+{ self, pkgs, lib, config, globals, minimal, ... }:
 let
  localIp = globals.networks.home.hosts.${config.node.name}.ipv4;
  subnetMask = globals.networks.home.subnetMask4;
  gatewayIp = globals.hosts.${config.node.name}.defaultGateway4;
+
+  hostKeyPath = "/etc/secrets/initrd/ssh_host_ed25519_key";
 in
 {
  options.swarselmodules.server.diskEncryption = lib.mkEnableOption "enable disk encryption config";
+  options.swarselsystems.networkKernelModules = lib.mkOption {
+    type = lib.types.listOf lib.types.str;
+    default = [ ];
+  };
  config = lib.mkIf (config.swarselmodules.server.diskEncryption && config.swarselsystems.isCrypted) {

-    boot.kernelParams = lib.mkIf (!config.swarselsystems.isLaptop) [ "ip=${localIp}::${gatewayIp}:${subnetMask}:${config.networking.hostName}::none" ];
-    boot.initrd = {
-      availableKernelModules = [ "r8169" ];
-      network = {
-        enable = true;
-        udhcpc.enable = lib.mkIf config.swarselsystems.isLaptop true;
-        flushBeforeStage2 = true;
-        ssh = {
-          enable = true;
-          port = 22;
-          authorizedKeyFiles = [
-            (self + /secrets/keys/ssh/yubikey.pub)
-            (self + /secrets/keys/ssh/magicant.pub)
-          ];
-          hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
-        };
-        postCommands = ''
-          echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1' >> /root/.profile
-        '';
-      };
+    system.activationScripts.ensureInitrdHostkey = lib.mkIf (config.swarselprofiles.server || minimal) {
+      text = ''
+        [[ -e ${hostKeyPath} ]] || ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f ${hostKeyPath}
+      '';
+      deps = [ "users" ];
    };

+    environment.persistence."/persist" = lib.mkIf (config.swarselsystems.isImpermanence && (config.swarselprofiles.server || minimal)) {
+      files = [ hostKeyPath ];
+    };
+
+    boot = lib.mkIf (config.swarselprofiles.server || minimal) {
+      kernelParams = lib.mkIf (!config.swarselsystems.isLaptop) [
+        "ip=${localIp}::${gatewayIp}:${subnetMask}:${config.networking.hostName}::none"
+      ];
+      initrd = {
+        availableKernelModules = config.swarselsystems.networkKernelModules;
+        network = {
+          enable = true;
+          udhcpc.enable = lib.mkIf config.swarselsystems.isLaptop true;
+          flushBeforeStage2 = true;
+          ssh = {
+            enable = true;
+            port = 2222; # avoid hostkey changed nag
+            authorizedKeyFiles = [
+              (self + /secrets/keys/ssh/yubikey.pub)
+              (self + /secrets/keys/ssh/magicant.pub)
+            ];
+            hostKeys = [ hostKeyPath ];
+          };
+          # postCommands = ''
+          #   echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1' >> /root/.profile
+          # '';
+        };
+        systemd = {
+          initrdBin = with pkgs; [
+            cryptsetup
+          ];
+          services = {
+            unlock-luks = {
+              description = "Unlock LUKS encrypted root device";
+              wantedBy = [ "initrd.target" ];
+              after = [ "network-online.target" ];
+              before = [ "sysroot.mount" ];
+              path = [ "/bin" ];
+
+              # Configure how the service behaves
+              serviceConfig = {
+                Type = "oneshot";
+                RemainAfterExit = true;
+              };
+
+              # The actual commands to unlock the drive
+              script = ''
+                echo "systemctl default >> /root/.profile"
+              '';
+            };
+          };
+        };
+      };
+    };
  };
+
 }
--- a/modules/nixos/server/network.nix
+++ b/modules/nixos/server/network.nix
@ -15,7 +15,7 @@
    networking = {
      inherit (config.repo.secrets.local.networking) hostId;
      hostName = config.node.name;
-      nftables.enable = lib.mkDefault true;
+      nftables.enable = lib.mkDefault false;
      enableIPv6 = lib.mkDefault true;
      firewall = {
        enable = lib.mkDefault true;