{ config, pkgs, lib, ... }: # TODO: use tailscale instead of tor https://gist.github.com/antifuchs/e30d58a64988907f282c82231dde2cbc let cfg = config.remoteLuksUnlock; in { options.remoteLuksUnlock = { enable = lib.mkEnableOption "enable luks root remote decrypt over ssh/tor"; enableTorUnlock = lib.mkOption { type = lib.types.bool; default = cfg.enable; description = "Make machine accessable over tor for ssh boot unlock"; }; sshHostKeys = lib.mkOption { type = lib.types.listOf (lib.types.either lib.types.str lib.types.path); default = [ "/secret/ssh_host_rsa_key" "/secret/ssh_host_ed25519_key" ]; }; sshAuthorizedKeys = lib.mkOption { type = lib.types.listOf lib.types.str; default = config.users.users.googlebot.openssh.authorizedKeys.keys; }; onionConfig = lib.mkOption { type = lib.types.path; default = /secret/onion; }; kernelModules = lib.mkOption { type = lib.types.listOf lib.types.str; default = [ "e1000" "e1000e" "virtio_pci" "r8169" ]; }; }; config = lib.mkIf cfg.enable { # Unlock LUKS disk over ssh boot.initrd.network.enable = true; boot.initrd.kernelModules = cfg.kernelModules; boot.initrd.network.ssh = { enable = true; port = 22; hostKeys = cfg.sshHostKeys; authorizedKeys = cfg.sshAuthorizedKeys; }; # Use systemd-tty-ask-password-agent for interactive LUKS passphrase entry over SSH boot.initrd.systemd.users.root.shell = "/bin/systemd-tty-ask-password-agent"; # Candidate fix: OpenSSH resets connections before key exchange if its # privilege separation directory is missing. The old scripted initrd ran # `mkdir -p /var/empty`; the systemd initrd path in nixpkgs does not. boot.initrd.systemd.services.sshd.preStart = lib.mkBefore '' /bin/mkdir -p /var/empty /bin/chmod 0755 /var/empty ''; # DEBUG: independent one-shot that records the real initrd state before # sshd starts, so we stop guessing. Never fails the boot. boot.initrd.systemd.services.luks-unlock-debug = { description = "Diagnostics for remote LUKS unlock"; wantedBy = [ "initrd.target" ]; before = [ "sshd.service" ]; unitConfig.DefaultDependencies = false; serviceConfig = { Type = "oneshot"; RemainAfterExit = true; }; script = '' echo "===== luks-unlock-debug BEGIN =====" /bin/id 2>&1 || true echo "-- ls -la /var --"; /bin/ls -la /var 2>&1 || echo "no /var" echo "-- /var/empty (before) --"; /bin/ls -lad /var/empty 2>&1 || echo "MISSING /var/empty" echo "-- /etc/passwd --"; /bin/cat /etc/passwd 2>&1 || true echo "-- /etc/ssh --"; /bin/ls -la /etc/ssh /etc/ssh/authorized_keys.d 2>&1 || true echo "-- authorized_keys.d/root --"; /bin/cat /etc/ssh/authorized_keys.d/root 2>&1 || echo "MISSING" echo "-- host keys --" for k in ${toString cfg.sshHostKeys}; do /bin/ls -la "$k" 2>&1 || echo "MISSING host key: $k" done echo "===== luks-unlock-debug END =====" ''; }; # Tor hidden service for remote unlock over onion boot.initrd.secrets = lib.mkIf cfg.enableTorUnlock { "/etc/tor/onion/bootup" = cfg.onionConfig; }; boot.initrd.systemd.storePaths = lib.mkIf cfg.enableTorUnlock [ "${pkgs.tor}/bin/tor" "${pkgs.haveged}/bin/haveged" ]; boot.initrd.systemd.services.tor-unlock = lib.mkIf cfg.enableTorUnlock { description = "Tor Hidden Service for Boot Unlock"; wantedBy = [ "initrd.target" ]; after = [ "network.target" "sshd.service" ]; wants = [ "network.target" ]; unitConfig.DefaultDependencies = false; serviceConfig = { Type = "forking"; RemainAfterExit = true; }; script = let torRc = pkgs.writeText "tor.rc" '' DataDirectory /etc/tor SOCKSPort 127.0.0.1:9050 IsolateDestAddr SOCKSPort 127.0.0.1:9063 HiddenServiceDir /etc/tor/onion/bootup HiddenServicePort 22 127.0.0.1:22 ''; in '' # Fix permissions for tor chmod -R 700 /etc/tor # Ensure loopback is up ip a a 127.0.0.1/8 dev lo 2>/dev/null || true ip link set lo up # Start haveged for entropy ${pkgs.haveged}/bin/haveged -F & # Verify and start tor ${pkgs.tor}/bin/tor -f ${torRc} --verify-config ${pkgs.tor}/bin/tor -f ${torRc} & ''; }; }; }