added ssh key for morpheus

nix/configuration.nix

@@ -3,16 +3,31 @@
 {
   imports = [
     ./users/users.nix
-    ./modules/ssh.nix
+    ./modules/security.nix
     ./vps/hetzner/hardware-configuration.nix
     ./modules/zsh.nix
    ];
 
   # nix settings
   nix.settings.experimental-features = [ "nix-command" "flakes" ];
+  nix.settings.download-buffer-size = 524288000; # 500MB
 
-  # Bootloader.
-  boot.loader.grub.enable = true;
+  # Bootloader to work with LUKS
+  boot.loader.grub = {
+    enable = true;
+    # https://github.com/NixOS/nixpkgs/issues/55332
+    device = "nodev";                    # Don't install to MBR
+    efiSupport = true;                   # Enable EFI support
+    enableCryptodisk = true;             # Enable LUKS support
+  };
+  
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  # LUKS configuration
+  boot.initrd.luks.devices."crypted" = {
+    device = "/dev/disk/by-partlabel/luks";
+    allowDiscards = true;
+  };
 
   
   boot.initrd.kernelModules = [ "virtio_gpu" ];
@@ -54,11 +69,16 @@
       diskSize = 5000; # 5GB, needed to prevent docker error running out of space
 
       # Networking configuration
-      #forwardPorts = [
-      #  { from = "host"; host.port = 2222; guest.port = 22; }
-      #];
+      forwardPorts = [
+        { from = "host"; host.port = 2222; guest.port = 22; }
+      ];
     };
 
+    # this is related to luks remote unlock via ssh
+    # Disable initrd secrets for VM builds to avoid secret error 
+    # Error is not present in real depolyments
+    boot.initrd.secrets = lib.mkForce {};
+
     # Add VM-specific users
     users.users.smith = {
       isNormalUser = true;
@@ -69,8 +89,6 @@
       packages = with pkgs; [  ];
     };
 
-    security.sudo.wheelNeedsPassword = false;
-
     # VM-specific packages
     environment.systemPackages = with pkgs; [
     ];

nix/disko.nix

@@ -11,6 +11,7 @@
             ESP = {
               size = "500M";
               type = "EF00";
+              label = "boot";
               content = {
                 type = "filesystem";
                 format = "vfat";
@@ -20,12 +21,11 @@
             };
             luks = {
               size = "100%";
+              label = "luks";
               content = {
                 type = "luks";
                 name = "crypted";
                 settings.allowDiscards = true; # Enable SSD TRIM support
-                passwordFile = "/tmp/secret.key"; # install time key file location
-                # additionalKeyFiles = [ "/tmp/additionalSecret.key" ];
                 content = {
                   type = "filesystem";
                   format = "ext4";

nix/modules/security.nix

@@ -0,0 +1,52 @@
+{ config, pkgs, inputs, ... }:
+
+{
+  # providing an ssh configuration
+  services.openssh = {
+    enable = true;
+    settings = {
+      PermitRootLogin = "no";                    # Disable root login
+      PasswordAuthentication = false;            # Force SSH key auth only
+      PubkeyAuthentication = true;               # Enable SSH keys
+    };
+    ports = [ 22 ];
+    # using the same key as for initrd
+    hostKeys = [
+      { path = "/etc/secrets/initrd/ssh_host_ed25519_key"; type = "ed25519"; }
+    ];
+  };
+
+  # remote unlock for luks via ssh
+  boot.kernelParams = [ "ip=dhcp" ];
+  boot.initrd = {
+    availableKernelModules = [ "virtio-pci" ];
+    network = {
+      enable = true;
+      ssh = {
+        enable = true;
+        port = 22;
+        authorizedKeys = [ 
+          (builtins.readFile ../users/keys/neo.pub) 
+        ];
+        hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
+        shell = "/bin/cryptsetup-askpass";
+      };
+    };
+  };
+
+  # Generate SSH host key for initrd
+  system.activationScripts.initrd-ssh-key = {
+    text = ''
+      mkdir -p /etc/secrets/initrd
+      if [ ! -f /etc/secrets/initrd/ssh_host_ed25519_key ]; then
+        ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f /etc/secrets/initrd/ssh_host_ed25519_key -N ""
+        chmod 600 /etc/secrets/initrd/ssh_host_ed25519_key
+        chmod 644 /etc/secrets/initrd/ssh_host_ed25519_key.pub
+      fi
+    '';
+    deps = [ ];
+  };
+
+  # other security hardening options can go here
+  security.sudo.wheelNeedsPassword = false;
+}

nix/modules/ssh.nix

@@ -1,8 +0,0 @@
-{ config, pkgs, inputs, ... }:
-
-{
-  services.openssh = {
-    enable = true;
-    # permitRootLogin = "no";
-  };
-}

nix/users/keys/morpheus.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGYkZY9rUTaN7LrmA5MVU+I+at1YV+i2e3EkGfCIt4M2 robin@thor

nix/users/keys/neo.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBtePfzkSorgiFNuol/pEYlR0HToDCy9fk8PPfZWMuf3 henrik@strange

nix/users/users.nix

@@ -5,23 +5,29 @@
   users.defaultUserShell = pkgs.zsh;
   users.users.neo = {
     isNormalUser = true;
-    description = "Matrix User 1";
+    description = "Neovim only user";
     extraGroups = [ "networkmanager" "wheel" ];
     shell = pkgs.zsh;
     packages = with pkgs; [ ];
+    openssh.authorizedKeys.keyFiles = [
+      ./keys/neo.pub
+    ];
   };
 
   users.users.morpheus = {
     isNormalUser = true;
-    description = "Matrix User 2";
+    description = "I'm colorblind";
     extraGroups = [ "networkmanager" "wheel" ];
     shell = pkgs.zsh;
     packages = with pkgs; [ ];
+    openssh.authorizedKeys.keyFiles = [
+      ./keys/morpheus.pub
+    ];
   };
 
   users.users.trinity = {
     isNormalUser = true;
-    description = "Matrix User 3";
+    description = "Named after an atom bomb test";
     extraGroups = [ "networkmanager" "wheel" ];
     shell = pkgs.zsh;
     packages = with pkgs; [ ];