feat(ev): unlock disk encryption via SSHHEAD master

author: Martin Fischer <martin@push-f.com> 2025-09-02 11:47:00 +0200
committer: Martin Fischer <martin@push-f.com> 2025-09-02 11:47:00 +0200
commit: 4af4fad9c06c077679b556e6e6d7641b7bd5b654 (patch)
tree: f745b2d775bc32b125b26be7f078e7ff2d2462a5 /nixos
parent: eb42ff611dfe3e310a0cac0fc493083a635debcb (diff)
1 files changed, 20 insertions, 0 deletions
diff --git a/nixos/hosts/ev/default.nix b/nixos/hosts/ev/default.nix
index e7ec8d5..c797d29 100644
--- a/nixos/hosts/ev/default.nix
+++ b/nixos/hosts/ev/default.nix
@@ -18,6 +18,26 @@
     ./hosehawk.nix
   ];
 
+  # enable unlocking full disk encryption via SSH
+  boot.kernelParams = ["ip=dhcp"];
+  boot.initrd = {
+    availableKernelModules = ["r8169"]; # for Ethernet
+    network = {
+      enable = true;
+      ssh = {
+        enable = true;
+        port = 2222;
+        hostKeys = ["/etc/secrets/initrd/ssh_host_ed25519_key"];
+        authorizedKeys = [
+          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDo/Y7w3hQgUIOQi63e8+L7eTMsVWl1vqY+Bd4tvwShdAj8ECU6JnD6gkCVzqXfUNdpA0Csd9PZlGAbXU+0kxudryFV6mxbXvYf+z70vcF02L5lDJ1tzCV7t7SwXnoenSNBIra/M2zDFgGM4oUkl9iZ2wxn/X/mvFzopJsM3xe2YNtJhXzCyaQTakKRDdHMyj9E867Ko03H6ZD2PI+9G+S39tk5ZLIcG9qhLTfDPziiZj7AIeTYVoxQycajwSlvp8BLzxxCKH8Mq7qW86jfT4lYvUuL5ItQ1cdFbmvJNKpgGXBzgBU+6kWf5c7P2aajhE3otgpfBXWBZRA3hKk+E+xX martin@hamac"
+        ];
+        shell = "/bin/cryptsetup-askpass";
+      };
+    };
+  };
+  # unsure why this is necessary
+  networking.interfaces.enp3s0.useDHCP = true;
+
   home-automation.zigbee2mqttPort = 8080;
   torrent.qbittorrentWebUiPort = 7777;
   torrent.networkNamespace = "se";
author	Martin Fischer <martin@push-f.com>	2025-09-02 11:47:00 +0200
committer	Martin Fischer <martin@push-f.com>	2025-09-02 11:47:00 +0200
commit	4af4fad9c06c077679b556e6e6d7641b7bd5b654 (patch)
tree	f745b2d775bc32b125b26be7f078e7ff2d2462a5 /nixos
parent	eb42ff611dfe3e310a0cac0fc493083a635debcb (diff)