@@ -48,6 +48,41 @@ in
|
||||
# Use systemd-tty-ask-password-agent for interactive LUKS passphrase entry over SSH
|
||||
boot.initrd.systemd.users.root.shell = "/bin/systemd-tty-ask-password-agent";
|
||||
|
||||
# Candidate fix: OpenSSH resets connections before key exchange if its
|
||||
# privilege separation directory is missing. The old scripted initrd ran
|
||||
# `mkdir -p /var/empty`; the systemd initrd path in nixpkgs does not.
|
||||
boot.initrd.systemd.services.sshd.preStart = lib.mkBefore ''
|
||||
/bin/mkdir -p /var/empty
|
||||
/bin/chmod 0755 /var/empty
|
||||
'';
|
||||
|
||||
# DEBUG: independent one-shot that records the real initrd state before
|
||||
# sshd starts, so we stop guessing. Never fails the boot.
|
||||
boot.initrd.systemd.services.luks-unlock-debug = {
|
||||
description = "Diagnostics for remote LUKS unlock";
|
||||
wantedBy = [ "initrd.target" ];
|
||||
before = [ "sshd.service" ];
|
||||
unitConfig.DefaultDependencies = false;
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = true;
|
||||
};
|
||||
script = ''
|
||||
echo "===== luks-unlock-debug BEGIN ====="
|
||||
/bin/id 2>&1 || true
|
||||
echo "-- ls -la /var --"; /bin/ls -la /var 2>&1 || echo "no /var"
|
||||
echo "-- /var/empty (before) --"; /bin/ls -lad /var/empty 2>&1 || echo "MISSING /var/empty"
|
||||
echo "-- /etc/passwd --"; /bin/cat /etc/passwd 2>&1 || true
|
||||
echo "-- /etc/ssh --"; /bin/ls -la /etc/ssh /etc/ssh/authorized_keys.d 2>&1 || true
|
||||
echo "-- authorized_keys.d/root --"; /bin/cat /etc/ssh/authorized_keys.d/root 2>&1 || echo "MISSING"
|
||||
echo "-- host keys --"
|
||||
for k in ${toString cfg.sshHostKeys}; do
|
||||
/bin/ls -la "$k" 2>&1 || echo "MISSING host key: $k"
|
||||
done
|
||||
echo "===== luks-unlock-debug END ====="
|
||||
'';
|
||||
};
|
||||
|
||||
# Tor hidden service for remote unlock over onion
|
||||
boot.initrd.secrets = lib.mkIf cfg.enableTorUnlock {
|
||||
"/etc/tor/onion/bootup" = cfg.onionConfig;
|
||||
|
||||
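Review bot: The luks-unlock-debug unit is unconditional (wantedBy initrd.target with no lib.mkIf), so every build ships a one-shot that writes the contents of /etc/passwd and /etc/ssh/authorized_keys.d/root plus a full listing of /etc/ssh into the journal; in a systemd initrd that output is normally flushed into the persistent journal after switch-root, so it outlives the debugging session it was written for. Gate the unit the way the Tor block at the end of the hunk is gated, e.g. `boot.initrd.systemd.services.luks-unlock-debug = lib.mkIf cfg.enableUnlockDebug {` (option name constructed; declare it alongside the module's other options), and prefer `/bin/ls -la` over `/bin/cat` for the authorized_keys file so the journal records presence and permissions rather than contents. The `for k in ${toString cfg.sshHostKeys}` loop relies on shell word splitting, so a host-key path containing whitespace would be reported as two missing keys; `${lib.escapeShellArgs cfg.sshHostKeys}` avoids that. The preStart fix itself looks right: sshd requires the privilege-separation directory to exist, be root-owned and not group/world-writable, which `mkdir -p` followed by `chmod 0755` satisfies. The enclosing module body and the `boot.initrd.secrets` attribute set opened at the end of the hunk continue outside it.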