add fulldiskencryption

2023-12-25 04:27:28 +01:00 · 2023-12-25 04:27:28 +01:00 · 666367bb4d
commit 666367bb4d
parent e08f011d28
2 changed files with 29 additions and 1 deletions
--- a/modules/boot.nix
+++ b/modules/boot.nix
@ -13,19 +13,45 @@ in
        default = "";
        description = "The cpu-type installed on the server.";
      };
+      amdGPU = libS.mkOpinionatedOption "the system contains a AMD GPU";
    };
  };

  config.boot = lib.mkIf cfg.default {
+    initrd = {
+      # networking for netcard kernelModules = [ "e1000e" ];
+      kernelModules = lib.mkIf cfg.amdGPU [ "amdgpu" ];
+
+      network.enable = true;
+      network.ssh = {
+        enable = true;
+        hostKeys = [
+          "/root/ssh_key"
+        ];
+        port = 2222;
+      };
+      luks = {
+        devices."cryptroot" = {
+          device = "/dev/sda1";
+          preLVM = true;
+        };
+      };
+    };
+
    supportedFilesystems = [ "zfs" ];
    tmp.useTmpfs = true;
    kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
-    kernelParams = [ "nordrand" ] ++ lib.optional (cfg.cpuType == "amd") "kvm-amd";
+    kernelParams = [
+      "ip=<ip-addr>::<ip-gateway>:<netmask>"
+      "nordrand"
+    ] ++ lib.optional (cfg.cpuType == "amd") "kvm-amd";
+
    zfs = {
      enableUnstable = true;
      devNodes = "/dev/disk/by-id/";
      forceImportRoot = true;
    };
+
    loader = {
      efi = {
        canTouchEfiVariables = false;
@ -39,6 +65,7 @@ in
        efiInstallAsRemovable = true;
        fsIdentifier = "uuid";
        device = "nodev";
+        enableCryptodisk = true;
      };
    };
  };
--- a/systems/palatine-hill/configuration.nix
+++ b/systems/palatine-hill/configuration.nix
@ -3,6 +3,7 @@
  time.timeZone = "America/New_York";
  console.keyMap = "us";
  networking.hostId = "1139fa08";
+  boot.initrd.network.ssh.authorizedKeys = [ "ssh-ed25519 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" ];

  virtualisation = {
    docker = {