author Franck Cuny <franck@fcuny.net> 2025-11-28 14:05:44 -0800
committer Franck Cuny <franck@fcuny.net> 2025-11-28 14:05:44 -0800
commit 2b61601dd95244e31d82613621955effb91f7222
tree d8101b0d9ee7d87382df4c0373c9823f26ae7d76 /profiles
parent add a profile for wireguard configuration
download infra-2b61601dd95244e31d82613621955effb91f7222.tar.gz
add a module to remotely unlock machines
For machines with full disk encryption, we can remotely unlock them from bree. A systemd timer will run every 10 minutes and check if we need to unlock the host. If we need to, it will SSH and provide the passphrase to unlock the disk(s).
Diffstat (limited to 'profiles')
-rw-r--r-- profiles/remote-unlock.nix 3
1 files changed, 3 insertions, 0 deletions
diff --git a/profiles/remote-unlock.nix b/profiles/remote-unlock.nix
index b0e3fe8..ea211ad 100644
--- a/profiles/remote-unlock.nix
+++ b/profiles/remote-unlock.nix
@@ -15,7 +15,10 @@
"/etc/initrd/ssh_host_ed25519_key"
];
authorizedKeys = [
+ # my personal key
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
+ # key used to automatically unlock
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPr9Dv2MjZoRltmxi21PoS/42KnOhYxuq9r6ER62vjAx"
];
};
};
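Review bot: the automation key added to `authorizedKeys` is a bare `ssh-ed25519 ...` entry, so it gets exactly the same initrd SSH access as the personal key, even though its private half sits unattended on the host that runs the timer. If the initrd SSH server honours authorized_keys options, prefix this entry with `restrict` and a `from="..."` limited to bree's address, and ideally a `command="..."` pinned to the unlock prompt, so that a copied key cannot be used from another host or for an interactive shell. The `# key used to automatically unlock` comment could also name the host that holds the key (bree, per the commit message), which makes later rotation and auditing easier.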