Cleanup, ready for review #6

nix/configuration.nix

@@ -10,6 +10,7 @@
 
   # nix settings
   nix.settings.experimental-features = [ "nix-command" "flakes" ];
+  nix.settings.download-buffer-size = 524288000; # 500MB
 
   # Bootloader to work with LUKS
   boot.loader.grub = {
@@ -73,6 +74,11 @@
       ];
     };
 
+    # this is related to luks remote unlock via ssh
+    # Disable initrd secrets for VM builds to avoid secret error 
+    # Error is not present in real depolyments
+    boot.initrd.secrets = lib.mkForce {};
+
     # Add VM-specific users
     users.users.smith = {
       isNormalUser = true;

nix/modules/security.nix

@@ -10,6 +10,41 @@
       PubkeyAuthentication = true;               # Enable SSH keys
     };
     ports = [ 22 ];
+    # using the same key as for initrd
+    hostKeys = [
+      { path = "/etc/secrets/initrd/ssh_host_ed25519_key"; type = "ed25519"; }
+    ];
+  };
+
+  # remote unlock for luks via ssh
+  boot.kernelParams = [ "ip=dhcp" ];
+  boot.initrd = {
+    availableKernelModules = [ "virtio-pci" ];
+    network = {
+      enable = true;
+      ssh = {
+        enable = true;
+        port = 22;
+        authorizedKeys = [ 
+          (builtins.readFile ../users/keys/neo.pub) 
+        ];
+        hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
+        shell = "/bin/cryptsetup-askpass";
+      };
+    };
+  };
+
+  # Generate SSH host key for initrd
+  system.activationScripts.initrd-ssh-key = {
+    text = ''
+      mkdir -p /etc/secrets/initrd
+      if [ ! -f /etc/secrets/initrd/ssh_host_ed25519_key ]; then
+        ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f /etc/secrets/initrd/ssh_host_ed25519_key -N ""
+        chmod 600 /etc/secrets/initrd/ssh_host_ed25519_key
+        chmod 644 /etc/secrets/initrd/ssh_host_ed25519_key.pub
+      fi
+    '';
+    deps = [ ];
   };
 
   # other security hardening options can go here