zhaofengli / colmena

A simple, stateless NixOS deployment tool
https://colmena.cli.rs
MIT License

Unlock initrd cryptsetup during reboot #102

Open mweinelt opened 2 years ago

mweinelt commented 2 years ago

It would be cool to be able to extend colmena with remote LUKS unlock via initrd SSH support. Then in the cycle of colmena apply hive.nix boot --reboot we would not need external interaction to unlock the host.

The script that I currently rely on boils down to:

echo "secret" | ssh root@unlock.this.example-host.com cryptsetup-askpass

fooker commented 2 years ago

Idea of how this could look:

{
  # Proposed `deployment.hooks` option (not an existing colmena option yet).
  # `pkgs` is assumed to be in scope, e.g. from the node's function arguments.
  node-a.deployment.hooks = {
    # a plain path to a script
    post-reboot = ./path/to/script;
    # or a derivation built with the node's nixpkgs
    post-activation = pkgs.writeShellScript "post-activation" ''
      # ...
    '';
  };
}

This implies that this can be either a path or a derivation which is built using meta.nixpkgs.

Also, it would be awesome to have access to the deployment data like IPs and such inside these scripts.
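As an added example (not colmena's code, and not part of either comment above), here is what a post-reboot hook of the kind fooker sketches could look like when it performs the unlock from mweinelt's one-liner: it retries until the initrd sshd is reachable, pins the initrd host key in its own known_hosts file so it never collides with the full system's key, and feeds the passphrase from a root-only file instead of placing it on the command line. The port, file paths and attempt counts are assumptions and can be overridden through the environment.

```shell
#!/usr/bin/env sh
# Added example: post-reboot hook that unlocks the root LUKS volume through the
# initrd SSH server. Not colmena's own code. Assumptions: the initrd sshd listens
# on INITRD_PORT with its own host key (pinned in INITRD_KNOWN_HOSTS), and the
# passphrase is stored in SECRET_FILE, readable by root only.
set -eu

INITRD_PORT="${INITRD_PORT:-2222}"
INITRD_KNOWN_HOSTS="${INITRD_KNOWN_HOSTS:-/etc/colmena/initrd-known-hosts}"
SECRET_FILE="${SECRET_FILE:-/run/keys/luks-passphrase}"
ATTEMPTS="${ATTEMPTS:-30}"
DELAY="${DELAY:-5}"

# One unlock attempt. The passphrase goes over stdin, exactly like the
# `echo ... | ssh ... cryptsetup-askpass` one-liner, but never appears in argv
# or shell history. Host-key checking stays strict against the pinned initrd key.
unlock_once() {
  host="$1"
  ssh -p "$INITRD_PORT" \
      -o BatchMode=yes \
      -o ConnectTimeout=5 \
      -o StrictHostKeyChecking=yes \
      -o UserKnownHostsFile="$INITRD_KNOWN_HOSTS" \
      "root@$host" cryptsetup-askpass < "$SECRET_FILE"
}

# Retry until the initrd accepts the passphrase or attempts run out.
# Returns 0 on success and 1 on failure, so a hook runner can fail the deploy.
unlock_host() {
  host="$1"
  i=1
  while [ "$i" -le "$ATTEMPTS" ]; do
    if unlock_once "$host"; then
      return 0
    fi
    i=$((i + 1))
    sleep "$DELAY"
  done
  echo "unlock of $host failed after $ATTEMPTS attempts" >&2
  return 1
}

# Usage as a hook: unlock-initrd.sh <host>
if [ "$#" -ge 1 ]; then
  unlock_host "$1"
fi
```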