zuckerberg/nix-config
1
0
Fork 0
Code Issues Pull Requests Actions Activity
Files
76eb2bc59640c924e913611c6b49e3c3b66ca356
nix-config/common/boot/remote-luks-unlock.nix
T
zuckerberg 76eb2bc596
Check Flake / check-flake (push) Has been cancelled
Details
debug
2026-05-15 14:28:37 -07:00

137 lines
4.6 KiB
Nix
Raw Blame History

{ config, pkgs, lib, ... }:
# TODO: use tailscale instead of tor https://gist.github.com/antifuchs/e30d58a64988907f282c82231dde2cbc
let
cfg = config.remoteLuksUnlock;
in
{
options.remoteLuksUnlock = {
enable = lib.mkEnableOption "enable luks root remote decrypt over ssh/tor";
enableTorUnlock = lib.mkOption {
type = lib.types.bool;
default = cfg.enable;
description = "Make machine accessable over tor for ssh boot unlock";
};
sshHostKeys = lib.mkOption {
type = lib.types.listOf (lib.types.either lib.types.str lib.types.path);
default = [
"/secret/ssh_host_rsa_key"
"/secret/ssh_host_ed25519_key"
];
};
sshAuthorizedKeys = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = config.users.users.googlebot.openssh.authorizedKeys.keys;
};
onionConfig = lib.mkOption {
type = lib.types.path;
default = /secret/onion;
};
kernelModules = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ "e1000" "e1000e" "virtio_pci" "r8169" ];
};
};
config = lib.mkIf cfg.enable {
# Unlock LUKS disk over ssh
boot.initrd.network.enable = true;
boot.initrd.kernelModules = cfg.kernelModules;
boot.initrd.network.ssh = {
enable = true;
port = 22;
hostKeys = cfg.sshHostKeys;
authorizedKeys = cfg.sshAuthorizedKeys;
};
# Use systemd-tty-ask-password-agent for interactive LUKS passphrase entry over SSH
boot.initrd.systemd.users.root.shell = "/bin/systemd-tty-ask-password-agent";
# Candidate fix: OpenSSH resets connections before key exchange if its
# privilege separation directory is missing. The old scripted initrd ran
# `mkdir -p /var/empty`; the systemd initrd path in nixpkgs does not.
boot.initrd.systemd.services.sshd.preStart = lib.mkBefore ''
/bin/mkdir -p /var/empty
/bin/chmod 0755 /var/empty
'';
# DEBUG: independent one-shot that records the real initrd state before
# sshd starts, so we stop guessing. Never fails the boot.
boot.initrd.systemd.services.luks-unlock-debug = {
description = "Diagnostics for remote LUKS unlock";
wantedBy = [ "initrd.target" ];
before = [ "sshd.service" ];
unitConfig.DefaultDependencies = false;
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
echo "===== luks-unlock-debug BEGIN ====="
/bin/id 2>&1 || true
echo "-- ls -la /var --"; /bin/ls -la /var 2>&1 || echo "no /var"
echo "-- /var/empty (before) --"; /bin/ls -lad /var/empty 2>&1 || echo "MISSING /var/empty"
echo "-- /etc/passwd --"; /bin/cat /etc/passwd 2>&1 || true
echo "-- /etc/ssh --"; /bin/ls -la /etc/ssh /etc/ssh/authorized_keys.d 2>&1 || true
echo "-- authorized_keys.d/root --"; /bin/cat /etc/ssh/authorized_keys.d/root 2>&1 || echo "MISSING"
echo "-- host keys --"
for k in ${toString cfg.sshHostKeys}; do
/bin/ls -la "$k" 2>&1 || echo "MISSING host key: $k"
done
echo "===== luks-unlock-debug END ====="
'';
};
# Tor hidden service for remote unlock over onion
boot.initrd.secrets = lib.mkIf cfg.enableTorUnlock {
"/etc/tor/onion/bootup" = cfg.onionConfig;
};
boot.initrd.systemd.storePaths = lib.mkIf cfg.enableTorUnlock [
"${pkgs.tor}/bin/tor"
"${pkgs.haveged}/bin/haveged"
];
boot.initrd.systemd.services.tor-unlock = lib.mkIf cfg.enableTorUnlock {
description = "Tor Hidden Service for Boot Unlock";
wantedBy = [ "initrd.target" ];
after = [ "network.target" "sshd.service" ];
wants = [ "network.target" ];
unitConfig.DefaultDependencies = false;
serviceConfig = {
Type = "forking";
RemainAfterExit = true;
};
script =
let
torRc = pkgs.writeText "tor.rc" ''
DataDirectory /etc/tor
SOCKSPort 127.0.0.1:9050 IsolateDestAddr
SOCKSPort 127.0.0.1:9063
HiddenServiceDir /etc/tor/onion/bootup
HiddenServicePort 22 127.0.0.1:22
'';
in
''
# Fix permissions for tor
chmod -R 700 /etc/tor
# Ensure loopback is up
ip a a 127.0.0.1/8 dev lo 2>/dev/null || true
ip link set lo up
# Start haveged for entropy
${pkgs.haveged}/bin/haveged -F &
# Verify and start tor
${pkgs.tor}/bin/tor -f ${torRc} --verify-config
${pkgs.tor}/bin/tor -f ${torRc} &
'';
};
};
}
Reference in New Issue View Git Blame Copy Permalink