| author | Franck Cuny <franck@fcuny.net> | 2025-11-28 14:05:44 -0800 |
|---|---|---|
| committer | Franck Cuny <franck@fcuny.net> | 2025-11-28 14:05:44 -0800 |
| commit | 2b61601dd95244e31d82613621955effb91f7222 (patch) | |
| tree | d8101b0d9ee7d87382df4c0373c9823f26ae7d76 /secrets | |
| parent | add a profile for wireguard configuration (diff) | |
| download | infra-2b61601dd95244e31d82613621955effb91f7222.tar.gz | |
add a module to remotely unlock machines
For machines with full disk encryption, we can remotely unlock them from
bree. A systemd timer will run every 10 minutes and check if we need to
unlock the host. If we need to, it will SSH and provide the passphrase
to unlock the disk(s).
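The module this commit adds is outside the 'secrets' diffstat shown on this page, so the timer logic itself is not visible here. As an added example (my own sketch, not the author's module), the script below shows one way a timer on bree could decide whether a host is still waiting in its initrd and only then push the passphrase. It assumes agenix decrypts the two secrets from this commit to `/run/agenix/disk-passphrase` and `/run/agenix/disk-unlock-key` (hypothetical paths), that each target boots a NixOS initrd sshd whose host key differs from the booted system's key, and that the initrd exposes `cryptsetup-askpass` reading the passphrase on stdin. The host name `rivendell` and both keys are constructed placeholders.

```shell
#!/bin/sh
# Added example for this page, not the module from the commit. Assumptions
# (all mine): agenix puts the two secrets at the paths below; each target's
# initrd sshd has its own host key, distinct from the booted OS key, so the
# key presented on port 22 reveals which stage the host is in; the initrd
# offers cryptsetup-askpass and reads the passphrase from stdin.
# Host names and keys are constructed placeholders.
set -eu

PASSPHRASE_FILE="${PASSPHRASE_FILE:-/run/agenix/disk-passphrase}"
UNLOCK_KEY="${UNLOCK_KEY:-/run/agenix/disk-unlock-key}"

# Pinned public keys per target. The initrd key is the one we must trust
# before sending the passphrase; pin the wrong key and the passphrase goes to
# whoever answers on that address. Unknown hosts yield an empty string.
initrd_key_for() {
  case "$1" in
    rivendell) echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERinitrdKEYrivendell" ;;
    *) echo "" ;;
  esac
}
booted_key_for() {
  case "$1" in
    rivendell) echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERbootedKEYrivendell" ;;
    *) echo "" ;;
  esac
}

# classify_host_key HOST LINE -> prints initrd, booted or unknown.
# LINE is one line of `ssh-keyscan -t ed25519 HOST` output, i.e.
# "HOST ssh-ed25519 BASE64KEY". Keyscan comments ("# ..."), blank or short
# lines, and any key matching neither pin all count as unknown.
classify_host_key() {
  host=$1
  line=$2
  case "$line" in
    '#'*|'') echo unknown; return 0 ;;
  esac
  set -- $line
  if [ $# -lt 3 ]; then echo unknown; return 0; fi
  presented="$2 $3"
  if [ "$presented" = "$(initrd_key_for "$host")" ]; then
    echo initrd
  elif [ "$presented" = "$(booted_key_for "$host")" ]; then
    echo booted
  else
    echo unknown
  fi
}

# probe_host HOST -> classification from a live key scan (network; not
# exercised by the offline test). ssh-keyscan's "# host:22 ..." comments go
# to stderr, so only key lines reach head.
probe_host() {
  scanned=$(ssh-keyscan -T 5 -t ed25519 "$1" 2>/dev/null | head -n 1 || true)
  classify_host_key "$1" "$scanned"
}

# known_hosts_line HOST -> the single entry ssh may trust for HOST while the
# passphrase is in flight. With StrictHostKeyChecking=yes, a host presenting
# any other key gets nothing.
known_hosts_line() {
  printf '%s %s\n' "$1" "$(initrd_key_for "$1")"
}

# unlock_host HOST: log in to the initrd with the dedicated unlock key only
# and hand the passphrase to cryptsetup-askpass on stdin.
unlock_host() {
  kh=$(mktemp)
  known_hosts_line "$1" > "$kh"
  rc=0
  ssh -i "$UNLOCK_KEY" \
      -o IdentitiesOnly=yes \
      -o UserKnownHostsFile="$kh" \
      -o StrictHostKeyChecking=yes \
      -o ConnectTimeout=10 \
      "root@$1" cryptsetup-askpass < "$PASSPHRASE_FILE" || rc=$?
  rm -f "$kh"
  return $rc
}

# Timer entry point: `unlock.sh run HOST...`. Guarded so that loading the
# file for its functions alone does nothing.
main() {
  for h in "$@"; do
    case "$(probe_host "$h")" in
      initrd) echo "$h: waiting in initrd, sending passphrase"; unlock_host "$h" ;;
      booted) echo "$h: already booted" ;;
      *)      echo "$h: unreachable or unexpected host key, skipping" ;;
    esac
  done
}
if [ "${1:-}" = run ]; then
  shift
  main "$@"
fi
```

The check and the delivery are deliberately coupled to the same pinned initrd key: the script never sends the passphrase to a host whose presented key is not the one it expects, which is the property that matters when a plaintext disk passphrase crosses the network every 10 minutes. The usual caveat still applies: the initrd host key lives unencrypted on the boot partition of the target, so whoever can read or replace that partition can impersonate the initrd to this script.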
Diffstat (limited to 'secrets')
| mode | file | change |
|---|---|---|
| -rw-r--r-- | secrets/bree/disk-passphrase.age | 8 |
| -rw-r--r-- | secrets/bree/disk-unlock-key.age | bin, 0 -> 721 bytes |
| -rw-r--r-- | secrets/secrets.nix | 10 |
3 files changed, 18 insertions, 0 deletions
diff --git a/secrets/bree/disk-passphrase.age b/secrets/bree/disk-passphrase.age new file mode 100644 index 0000000..3811173 --- /dev/null +++ b/secrets/bree/disk-passphrase.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 pFjJaA r/Q4nB/VcKaVXoJjDuIgnMVUr5K0rhrsVVq2lvQgQRQ +ZmwHs0sWxVKjS9njqPQR4rEV1aXxS80wWJQrAuf47vM +-> ssh-ed25519 OxmK1A /9e7fHg/Nh929cY7+0EagkxwME4jo0RxzBwdh8tuZnM +9UPI8Vnwebjick9WPlcT8lvNub687qchX4D4ntbanos +--- bwBCnL9gJhzuygCddmh0h0OXh/C6ysAgMfH9QBrQUMY + +I4ڍ:;X3T.n{A0^笆4F]P.uΕެ
\ No newline at end of file diff --git a/secrets/bree/disk-unlock-key.age b/secrets/bree/disk-unlock-key.age Binary files differnew file mode 100644 index 0000000..6d9a549 --- /dev/null +++ b/secrets/bree/disk-unlock-key.age diff --git a/secrets/secrets.nix b/secrets/secrets.nix index a8f01cf..155a88b 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -67,6 +67,16 @@ in hosts.bree ]; + "bree/disk-passphrase.age".publicKeys = [ + users.fcuny + hosts.bree + ]; + + "bree/disk-unlock-key.age".publicKeys = [ + users.fcuny + hosts.bree + ]; + "rivendell/wireguard.age".publicKeys = [ users.fcuny hosts.rivendell |
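Review bot: in the disk-passphrase.age hunk, git has treated the file as text (the last `+` line is the raw ciphertext payload rendered as unprintable bytes, and the file ends with `\ No newline at end of file`), whereas disk-unlock-key.age in the next hunk is shown as `Binary files differ`. Mark `*.age binary` in `.gitattributes` so both are handled the same way; a text merge or line-ending normalization on an age payload would corrupt the ciphertext. The header's two `-> ssh-ed25519` recipient stanzas are consistent with the two publicKeys declared for this file in the secrets.nix hunk.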
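Review bot: in the secrets.nix hunk, `"bree/disk-passphrase.age"` is named for the host that holds it rather than the host whose disk it opens, so once a second encrypted machine is added the name no longer says which passphrase this is; name it after the target (`bree/<target>-disk-passphrase.age`, or one file per target). The recipient set is right as it stands: the target itself cannot decrypt anything before its disk is open, so `hosts.bree` should stay the only host recipient for both entries, and adding the target to the list would serve no purpose.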
