remoll/matrix
1
0
Fork 0
mirror of https://github.com/lxstinthesky/matrix.git synced 2025-11-03 17:32:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

Added remote unlock capabilities

Browse Source
This commit is contained in:
Henrik
2025-10-27 21:07:04 +01:00
parent 981683bf51
commit c8996554fb
2 changed files with 42 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
nix/modules/security.nix
View File

@@ -1,4 +1,4 @@
{ config, pkgs, inputs, ... }:
{ config, pkgs, inputs, lib, ... }:
{
# providing an ssh configuration
@@ -10,6 +10,41 @@
PubkeyAuthentication = true; # Enable SSH keys
};
ports = [ 22 ];
# using the same key as for initrd
hostKeys = [
{ path = "/etc/secrets/initrd/ssh_host_ed25519_key"; type = "ed25519"; }
];
};
# remote unlock for luks via ssh
boot.kernelParams = [ "ip=dhcp" ];
boot.initrd = {
availableKernelModules = [ "virtio-pci" ];
network = {
enable = true;
ssh = {
enable = true;
port = 22;
authorizedKeys = [
(builtins.readFile ../users/keys/neo.pub)
];
hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
shell = "/bin/cryptsetup-askpass";
};
};
};
# Generate SSH host key for initrd
system.activationScripts.initrd-ssh-key = {
text = ''
mkdir -p /etc/secrets/initrd
if [ ! -f /etc/secrets/initrd/ssh_host_ed25519_key ]; then
${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f /etc/secrets/initrd/ssh_host_ed25519_key -N ""
chmod 600 /etc/secrets/initrd/ssh_host_ed25519_key
chmod 644 /etc/secrets/initrd/ssh_host_ed25519_key.pub
fi
'';
deps = [ ];
};
# other security hardening options can go here