From 16e3fd9647082214d5a26ca1563d90a9ce3040dd Mon Sep 17 00:00:00 2001
From: Patrick <patrickdgro@gmail.com>
Date: Wed, 20 Sep 2023 21:49:49 +0200
Subject: [PATCH] feat: remote unlock

---
 hosts/testienix/default.nix                   |   1 +
 hosts/testienix/net.nix                       |   4 +++
 .../generated/initrd_host_ed25519_key.age     | Bin 0 -> 974 bytes
 modules/config/boot.nix                       |   6 +++-
 modules/config/system.nix                     |   7 ++++
 modules/optional/initrd-ssh.nix               |  34 ++++++++++++++++++
 users/common/shells/pager.nix                 |   8 ++---
 users/patrick/default.nix                     |   9 ++++-
 8 files changed, 63 insertions(+), 6 deletions(-)
 create mode 100644 hosts/testienix/secrets/generated/initrd_host_ed25519_key.age
 create mode 100644 modules/optional/initrd-ssh.nix

diff --git a/hosts/testienix/default.nix b/hosts/testienix/default.nix
index 2b2629c..b43de75 100644
--- a/hosts/testienix/default.nix
+++ b/hosts/testienix/default.nix
@@ -5,6 +5,7 @@
 
     # TODO: sollte entfernt werden für server
     ../../modules/config
+    ../../modules/optional/initrd-ssh.nix
 
     ../../modules/hardware/intel.nix
     ../../modules/hardware/physical.nix
diff --git a/hosts/testienix/net.nix b/hosts/testienix/net.nix
index 17da322..509be8c 100644
--- a/hosts/testienix/net.nix
+++ b/hosts/testienix/net.nix
@@ -14,4 +14,8 @@
       };
     };
   };
+  boot.initrd.systemd.network = {
+    enable = true;
+    networks = {inherit (config.systemd.network.networks) "01-lan1";};
+  };
 }
diff --git a/hosts/testienix/secrets/generated/initrd_host_ed25519_key.age b/hosts/testienix/secrets/generated/initrd_host_ed25519_key.age
new file mode 100644
index 0000000000000000000000000000000000000000..1f07923db6da4fae79c20551df5dd3e9b6e89497
GIT binary patch
literal 974
zcmZwA`)?Bk007{{Z87a2TYOM33WbcQE#39{xb?azULWh*UQ4f!b0K!^?b=><ZLil}
zuMVag2t!dbWiBvWV!%dY#ujjcj0_)aFl1{CJ|~djNDM53dm#d%@}r60Kkx-fLPpRb
zhEKB51YMJ0NFWOeWzUQK3bh)9#X)Nzhl1%^G?mDwjED*hV~jy%X=*^Np&UrbvF5N1
zvKpL#A|&)RgI>2k<l(rMEp`PNS0>G*o(wY?zujcZ_|@qM0s~wylwq+4Lo%9`B^7E&
z?Dx1R3=t!7h}HX=1H3Vi_tBsw?xa0|oSx5R{%s?e$w<gO>Lil)B~=k&0&a#?l)FU^
z8REDrT^sfLIB6t78+05L0gP!yFyTwVUb_?w{pZ3P$f$)ABQY3tXDpy8pD=kc2o}o{
zI@sKxVsK^JV3g+MUO&TUNpFfy=7d=j;$)pE8pZ5B2k&yFoFL>;T3`r|M(|*W^F*9h
zO`NtyNbY~Hj5?sf15^&lA-Kb$mum7slxlK-4pzxqS(B#)4e9hWX0vmCVZzP(5y)U*
ztsKaOYrPIDZ->KXhly9^jEb}zjqB7ZvyHdF<b!KFyxyS1pOKLa5lj=}dRz>cjq(iy
zsTM|!0K=F~DWOaz6BF`)oMF|N4k9T#4<zJv%EP+(ypG^l#2TdB0IQEfWEzTM!pbvi
zX7-Jgb*%Ii?tZdywM;rGnIbp#xu30D2$V0LIKOwf#<_z!^c~mB-r2TldFqMk`MYZZ
zzibss(94GxM>lr?D$$|dTFsd4y>lP664K=_6-Rf8j=$p)k7{?`Y%e@lQO@uF@cYy{
z=c&R>@b``b4|Tp0NWsYBXVWi0l0Dthk55t4_{z_J8X4^uDCR#k&J8Y9ztLFKXTKPF
z?eUImTh0E3lP{N-Mk_DfWG0J`beEZb6g@RCPfM!i!(-YvW5ur1C*IAxcx3<Cf_n0v
zcH~>xHwQbYuLepw|5(p-DaR3|z<mtZb8$AgX{PR6Xt2Fq@pA#}?`fSFZajYG{MPvO
zYSH)*6k8&C+a?bGQ1xUfS5~n!H}+QB>$d5az!KMmO-~<NCt9)k*3rhtw%?dS>m2t6
z$_u~g`)<E|RnV#V04I+?k2Vcn**m<gMBCk%zfJ%8HGcW}eVwAs(OSQG$Jw=a1lPP<
z`s;nO_Ns}8W5cB-&Ru^pE4;`7!Q9D%SFUAu-bc;F4T%=%EiJI%8Ry5BO0i;J#owog
i*1q3K?=HKsio9^K=T-Y`&tDU9TZwnyrAk(Eb^0Gl9fk-1

literal 0
HcmV?d00001

diff --git a/modules/config/boot.nix b/modules/config/boot.nix
index 9e147f4..d65d871 100644
--- a/modules/config/boot.nix
+++ b/modules/config/boot.nix
@@ -1,20 +1,24 @@
 {
   config,
   lib,
+  pkgs,
   ...
 }: {
   boot = {
     initrd.systemd = {
       enable = true;
       emergencyAccess = config.secrets.secrets.global.users.root.passwordHash;
+      extraBin.ip = "${pkgs.iproute}/bin/ip";
     };
 
-    initrd.availableKernelModules = ["xhci_pci" "nvme" "usb_storage" "usbhid" "sd_mod" "rtsx_pci_sdmmc" "ahci" "uas"];
+    initrd.availableKernelModules = ["xhci_pci" "nvme" "r8169" "usb_storage" "usbhid" "sd_mod" "rtsx_pci_sdmmc" "ahci" "uas"];
     supportedFilesystems = ["ntfs"];
     kernelModules = ["kvm-intel"];
     kernelParams = [
       "rd.luks.options=timeout=0"
       "rootflags=x-systemd.device-timeout=0"
+      # NOTE: Add "rd.systemd.unit=rescue.target" to debug initrd
+      #"rd.systemd.unit=rescue.target"
     ];
 
     tmp.useTmpfs = true;
diff --git a/modules/config/system.nix b/modules/config/system.nix
index a6c6dc7..0a72e83 100644
--- a/modules/config/system.nix
+++ b/modules/config/system.nix
@@ -18,8 +18,15 @@
     in
       lib.mkIf (lib.pathExists pubkeyPath || lib.trace "Missing pubkey for ${config.node.name}: ${toString pubkeyPath} not found, using dummy replacement key for now." false)
       pubkeyPath;
+    generatedSecretsDir = config.node.secretsDir + "/generated/";
   };
   security.sudo.enable = false;
+  security.tpm2 = {
+    enable = true;
+    abrmd.enable = true;
+    pkcs11.enable = true;
+    tctiEnvironment.enable = true;
+  };
 
   time.timeZone = lib.mkDefault "Europe/Berlin";
   i18n.defaultLocale = "C.UTF-8";
diff --git a/modules/optional/initrd-ssh.nix b/modules/optional/initrd-ssh.nix
new file mode 100644
index 0000000..f7cb407
--- /dev/null
+++ b/modules/optional/initrd-ssh.nix
@@ -0,0 +1,34 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  age.secrets.initrd_host_ed25519_key.generator.script = "ssh-ed25519";
+
+  boot.initrd.network.enable = true;
+  boot.initrd.network.ssh = {
+    enable = true;
+    port = 4;
+    # I think this is impure as the new initrd gets generated before
+    # agenix decrypts your secrets, meaning your initrd hostkey
+    # need two activations to change as well as that to enable this
+    # module you need to set hostKeys to a dummy value and generate
+    # and invalid initrd once
+    hostKeys = [config.age.secrets.initrd_host_ed25519_key.path];
+  };
+
+  # Make sure that there is always a valid initrd hostkey available that can be installed into
+  # the initrd. When bootstrapping a system (or re-installing), agenix cannot succeed in decrypting
+  # whatever is given, since the correct hostkey doesn't even exist yet. We still require
+  # a valid hostkey to be available so that the initrd can be generated successfully.
+  # The correct initrd host-key will be installed with the next update after the host is booted
+  # for the first time, and the secrets were rekeyed for the the new host identity.
+  system.activationScripts.agenixEnsureInitrdHostkey = {
+    text = ''
+      [[ -e ${config.age.secrets.initrd_host_ed25519_key.path} ]] \
+        || ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f ${config.age.secrets.initrd_host_ed25519_key.path}
+    '';
+    deps = ["agenixInstall"];
+  };
+  system.activationScripts.agenixChown.deps = ["agenixEnsureInitrdHostkey"];
+}
diff --git a/users/common/shells/pager.nix b/users/common/shells/pager.nix
index d32300e..bd8f2ac 100644
--- a/users/common/shells/pager.nix
+++ b/users/common/shells/pager.nix
@@ -13,10 +13,10 @@
 
     vim.opt.termguicolors = false
 
-    vim.keymap.set('n', '<CR>', '<C-]>', {silent = true, desc = "Jump to tag under cursor})
-    vim.keymap.set('n', '<Bs>', ':pop<CR>', {silent = true, desc = "Jump to tag under cursor})
-    vim.keymap.set('n', '<C-Left>', ':pop<CR>', {silent = true, desc = "Jump to tag under cursor})
-    vim.keymap.set('n', '<C-Right>', ':tag<CR>', {silent = true, desc = "Jump to tag under cursor})
+    vim.keymap.set('n', '<CR>', '<C-]>', {silent = true, desc = "Jump to tag under cursor"})
+    vim.keymap.set('n', '<Bs>', ':pop<CR>', {silent = true, desc = "Jump to tag under cursor"})
+    vim.keymap.set('n', '<C-Left>', ':pop<CR>', {silent = true, desc = "Jump to tag under cursor"})
+    vim.keymap.set('n', '<C-Right>', ':tag<CR>', {silent = true, desc = "Jump to tag under cursor"})
   '';
   nvimPager = pkgs.wrapNeovimUnstable pkgs.neovim-unwrapped neovimConfig;
   neovimConfig =
diff --git a/users/patrick/default.nix b/users/patrick/default.nix
index 7088782..0bcda57 100644
--- a/users/patrick/default.nix
+++ b/users/patrick/default.nix
@@ -15,7 +15,14 @@
     isNormalUser = true;
     uid = 1000;
     createHome = true;
-    extraGroups = ["wheel" "audio" "video" "input"];
+    extraGroups = [
+      "wheel"
+      "audio"
+      "video"
+      "input"
+      # TPM settings
+      "tss"
+    ];
     group = "patrick";
     hashedPassword = config.secrets.secrets.global.users.patrick.passwordHash;
   };