feat: remote unlock

2023-09-20 21:49:49 +02:00 · 2023-09-20 21:49:49 +02:00 · 16e3fd9647
parent 285185b336
commit 16e3fd9647
8 changed files with 63 additions and 6 deletions
--- a/hosts/testienix/default.nix
+++ b/hosts/testienix/default.nix
@ -5,6 +5,7 @@

    # TODO: sollte entfernt werden für server
    ../../modules/config
+    ../../modules/optional/initrd-ssh.nix

    ../../modules/hardware/intel.nix
    ../../modules/hardware/physical.nix
--- a/hosts/testienix/net.nix
+++ b/hosts/testienix/net.nix
@ -14,4 +14,8 @@
      };
    };
  };
+  boot.initrd.systemd.network = {
+    enable = true;
+    networks = {inherit (config.systemd.network.networks) "01-lan1";};
+  };
 }
--- a/hosts/testienix/secrets/generated/initrd_host_ed25519_key.age
+++ b/hosts/testienix/secrets/generated/initrd_host_ed25519_key.age
--- a/modules/config/boot.nix
+++ b/modules/config/boot.nix
@ -1,20 +1,24 @@
 {
  config,
  lib,
+  pkgs,
  ...
 }: {
  boot = {
    initrd.systemd = {
      enable = true;
      emergencyAccess = config.secrets.secrets.global.users.root.passwordHash;
+      extraBin.ip = "${pkgs.iproute}/bin/ip";
    };

-    initrd.availableKernelModules = ["xhci_pci" "nvme" "usb_storage" "usbhid" "sd_mod" "rtsx_pci_sdmmc" "ahci" "uas"];
+    initrd.availableKernelModules = ["xhci_pci" "nvme" "r8169" "usb_storage" "usbhid" "sd_mod" "rtsx_pci_sdmmc" "ahci" "uas"];
    supportedFilesystems = ["ntfs"];
    kernelModules = ["kvm-intel"];
    kernelParams = [
      "rd.luks.options=timeout=0"
      "rootflags=x-systemd.device-timeout=0"
+      # NOTE: Add "rd.systemd.unit=rescue.target" to debug initrd
+      #"rd.systemd.unit=rescue.target"
    ];

    tmp.useTmpfs = true;
--- a/modules/config/system.nix
+++ b/modules/config/system.nix
@ -18,8 +18,15 @@
    in
      lib.mkIf (lib.pathExists pubkeyPath || lib.trace "Missing pubkey for ${config.node.name}: ${toString pubkeyPath} not found, using dummy replacement key for now." false)
      pubkeyPath;
+    generatedSecretsDir = config.node.secretsDir + "/generated/";
  };
  security.sudo.enable = false;
+  security.tpm2 = {
+    enable = true;
+    abrmd.enable = true;
+    pkcs11.enable = true;
+    tctiEnvironment.enable = true;
+  };

  time.timeZone = lib.mkDefault "Europe/Berlin";
  i18n.defaultLocale = "C.UTF-8";
--- a/modules/optional/initrd-ssh.nix
+++ b/modules/optional/initrd-ssh.nix
@ -0,0 +1,34 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  age.secrets.initrd_host_ed25519_key.generator.script = "ssh-ed25519";
+
+  boot.initrd.network.enable = true;
+  boot.initrd.network.ssh = {
+    enable = true;
+    port = 4;
+    # I think this is impure as the new initrd gets generated before
+    # agenix decrypts your secrets, meaning your initrd hostkey
+    # need two activations to change as well as that to enable this
+    # module you need to set hostKeys to a dummy value and generate
+    # and invalid initrd once
+    hostKeys = [config.age.secrets.initrd_host_ed25519_key.path];
+  };
+
+  # Make sure that there is always a valid initrd hostkey available that can be installed into
+  # the initrd. When bootstrapping a system (or re-installing), agenix cannot succeed in decrypting
+  # whatever is given, since the correct hostkey doesn't even exist yet. We still require
+  # a valid hostkey to be available so that the initrd can be generated successfully.
+  # The correct initrd host-key will be installed with the next update after the host is booted
+  # for the first time, and the secrets were rekeyed for the the new host identity.
+  system.activationScripts.agenixEnsureInitrdHostkey = {
+    text = ''
+      [[ -e ${config.age.secrets.initrd_host_ed25519_key.path} ]] \
+        || ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f ${config.age.secrets.initrd_host_ed25519_key.path}
+    '';
+    deps = ["agenixInstall"];
+  };
+  system.activationScripts.agenixChown.deps = ["agenixEnsureInitrdHostkey"];
+}
--- a/users/common/shells/pager.nix
+++ b/users/common/shells/pager.nix
@ -13,10 +13,10 @@

    vim.opt.termguicolors = false

-    vim.keymap.set('n', '<CR>', '<C-]>', {silent = true, desc = "Jump to tag under cursor})
-    vim.keymap.set('n', '<Bs>', ':pop<CR>', {silent = true, desc = "Jump to tag under cursor})
-    vim.keymap.set('n', '<C-Left>', ':pop<CR>', {silent = true, desc = "Jump to tag under cursor})
-    vim.keymap.set('n', '<C-Right>', ':tag<CR>', {silent = true, desc = "Jump to tag under cursor})
+    vim.keymap.set('n', '<CR>', '<C-]>', {silent = true, desc = "Jump to tag under cursor"})
+    vim.keymap.set('n', '<Bs>', ':pop<CR>', {silent = true, desc = "Jump to tag under cursor"})
+    vim.keymap.set('n', '<C-Left>', ':pop<CR>', {silent = true, desc = "Jump to tag under cursor"})
+    vim.keymap.set('n', '<C-Right>', ':tag<CR>', {silent = true, desc = "Jump to tag under cursor"})
  '';
  nvimPager = pkgs.wrapNeovimUnstable pkgs.neovim-unwrapped neovimConfig;
  neovimConfig =
--- a/users/patrick/default.nix
+++ b/users/patrick/default.nix
@ -15,7 +15,14 @@
    isNormalUser = true;
    uid = 1000;
    createHome = true;
-    extraGroups = ["wheel" "audio" "video" "input"];
+    extraGroups = [
+      "wheel"
+      "audio"
+      "video"
+      "input"
+      # TPM settings
+      "tss"
+    ];
    group = "patrick";
    hashedPassword = config.secrets.secrets.global.users.patrick.passwordHash;
  };