From c8996554fb7cd096abbcc5c17f3d32fc559db91a Mon Sep 17 00:00:00 2001
From: Henrik
Date: Mon, 27 Oct 2025 21:07:04 +0100
Subject: [PATCH] Added remote unlock capabilities

---
 nix/configuration.nix    |  6 ++++++
 nix/modules/security.nix | 37 ++++++++++++++++++++++++++++++++++++-
 2 files changed, 42 insertions(+), 1 deletion(-)

diff --git a/nix/configuration.nix b/nix/configuration.nix
index 183ae28..ade9866 100644
--- a/nix/configuration.nix
+++ b/nix/configuration.nix
@@ -10,6 +10,7 @@
 
   # nix settings
   nix.settings.experimental-features = [ "nix-command" "flakes" ];
+  nix.settings.download-buffer-size = 524288000; # 500MB
 
   # Bootloader to work with LUKS
   boot.loader.grub = {
@@ -73,6 +74,11 @@
     ];
   };
 
+  # this is related to luks remote unlock via ssh
+  # Disable initrd secrets for VM builds to avoid secret error
+  # Error is not present in real depolyments
+  boot.initrd.secrets = lib.mkForce {};
+
   # Add VM-specific users
   users.users.smith = {
     isNormalUser = true;
diff --git a/nix/modules/security.nix b/nix/modules/security.nix
index 9b5d71e..e7097d6 100644
--- a/nix/modules/security.nix
+++ b/nix/modules/security.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, inputs, ... }:
+{ config, pkgs, inputs, lib, ... }:
 {
   # providing an ssh configuration
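Review bot: `boot.initrd.secrets = lib.mkForce {};` in the second configuration.nix hunk discards every definition of that option, not only the one that errors in the VM build; as far as I can tell from the companion security.nix change, that includes the entry the initrd-ssh module registers for `/etc/secrets/initrd/ssh_host_ed25519_key`, so the initrd sshd would come up without a host key and remote unlock would not work on any system built from this file. If the override is meant for VM builds only, as the comment says, it should be conditional on the VM build (or live in a VM-only module) rather than unconditional, and the comment should say what is lost, e.g. `# VM only: initrd secrets are dropped here, so the initrd ssh host key is not installed and remote unlock is not exercised in the VM`. Minor: "depolyments" in the comment should read "deployments".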
@@ -10,6 +10,41 @@
       PubkeyAuthentication = true; # Enable SSH keys
     };
     ports = [ 22 ];
+    # using the same key as for initrd
+    hostKeys = [
+      { path = "/etc/secrets/initrd/ssh_host_ed25519_key"; type = "ed25519"; }
+    ];
+  };
+
+  # remote unlock for luks via ssh
+  boot.kernelParams = [ "ip=dhcp" ];
+  boot.initrd = {
+    availableKernelModules = [ "virtio-pci" ];
+    network = {
+      enable = true;
+      ssh = {
+        enable = true;
+        port = 22;
+        authorizedKeys = [
+          (builtins.readFile ../users/keys/neo.pub)
+        ];
+        hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
+        shell = "/bin/cryptsetup-askpass";
+      };
+    };
+  };
+
+  # Generate SSH host key for initrd
+  system.activationScripts.initrd-ssh-key = {
+    text = ''
+      mkdir -p /etc/secrets/initrd
+      if [ ! -f /etc/secrets/initrd/ssh_host_ed25519_key ]; then
+        ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f /etc/secrets/initrd/ssh_host_ed25519_key -N ""
+        chmod 600 /etc/secrets/initrd/ssh_host_ed25519_key
+        chmod 644 /etc/secrets/initrd/ssh_host_ed25519_key.pub
+      fi
+    '';
+    deps = [ ];
   };
 
   # other security hardening options can go here
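Review bot: The `hostKeys` entry added to `services.openssh` points the stage-2 daemon at the same private key that `boot.initrd.network.ssh.hostKeys` copies into the initrd, and the NixOS option documentation for that initrd option warns against sharing it with the regular host key, because the initrd is readable to anyone who can read the boot partition (or the Nix store, when initrd secrets are not used), which is enough to impersonate the running host over SSH. The usual pattern is to keep the generated `/etc/secrets/initrd/ssh_host_ed25519_key` initrd-only, leave `services.openssh.hostKeys` at its default, and give the initrd sshd a port other than 22 (for example `port = 2222;`) so clients hold two distinct known_hosts entries instead of one shared key. Separately, the activation script only creates the key at activation time while the key is consumed when initrd secrets are appended at bootloader install, so on a fresh install or `nixos-rebuild boot` the file may not exist yet — if the intent is that the key is generated by hand before the first build, a comment saying so would avoid surprises. `mkdir -p /etc/secrets/initrd` also leaves the directory at the default mode; a `chmod 700 /etc/secrets/initrd` after it would match the 600 applied to the key.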