make the remote unlock bits a nix module

Move all the hardware configuration for rivendell into the default.nix.

2 files changed, 32 insertions, 0 deletions

diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 94348f6..47cf81e 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -6,6 +6,7 @@
     ./home-manager.nix
     ./nix.nix
     ./podman.nix
+    ./remote-unlock.nix
     ./ssh.nix
     ./user.nix
   ];
diff --git a/modules/nixos/remote-unlock.nix b/modules/nixos/remote-unlock.nix
new file mode 100644
index 0000000..38b023d
--- /dev/null
+++ b/modules/nixos/remote-unlock.nix
@@ -0,0 +1,31 @@
+{ lib, config, ... }:
+let
+  cfg = config.my.modules.remote-unlock;
+in
+{
+  options.my.modules.remote-unlock = with lib; {
+    enable = mkEnableOption "remote unlock";
+  };
+
+  config = lib.mkIf cfg.enable {
+    boot.kernelParams = [
+      "ip=dhcp"
+    ];
+
+    boot.initrd.network = {
+      enable = true;
+      postCommands = "echo 'cryptsetup-askpass' >> /root/.profile";
+      flushBeforeStage2 = true;
+      ssh = {
+        enable = true;
+        port = 911;
+        hostKeys = [
+          "/etc/initrd/ssh_host_ed25519_key"
+        ];
+        authorizedKeys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
+        ];
+      };
+    };
+  };
+}