pacman -S mkinitcpio-systemd-toolmkdir ~/.ssh && touch ~/.ssh/authorized_keysssh-copy-id user@server_ip
-
-
Save mallendeo/fee61eac7ff854c63dfeeba161933d5d to your computer and use it in GitHub Desktop.
Remote unlock encrypted LUKS disk using Tailscale on Archlinux (mkinitcpio hook)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## /home/YOUR_HOME_DIRECTORY/.initramfs_profile | |
| ## ssh root@TAILSCALE_IP | |
| ## ~ # unlock | |
| alias unlock="systemctl start cryptsetup.target" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## /etc/systemd/network/20-wired.network | |
| ## If your network interfaces does not have the same name on init and after boot, you can match all interfaces | |
| ## You may have network conectivity issues inside Docker containers if you use this approach. | |
| [Match] | |
| Name=* | |
| # [Match] | |
| # Name=eth0 | |
| [Network] | |
| DHCP=yes |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # GRUB boot loader configuration | |
| ## /etc/default/grub | |
| GRUB_DEFAULT=0 | |
| GRUB_TIMEOUT=1 | |
| GRUB_DISTRIBUTOR="Arch" | |
| GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet" | |
| GRUB_CMDLINE_LINUX="rd.luks.name=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx=root rd.luks.options=discard,password-echo=no,tries=3" | |
| GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX rd.luks.options=timeout=0 rootflags=x-systemd.device-timeout=0" | |
| ## Replace rd.luks.name=xxxx... with your partition UUID | |
| # ... rest of grub config |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## /etc/mkinitcpio.conf | |
| MODULES=() | |
| BINARIES=() | |
| FILES=() | |
| HOOKS=(base systemd autodetect modconf kms keyboard sd-vconsole remote block sd-encrypt filesystems btrfs fsck systemd-tool) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| ## Hook file path | |
| ## /etc/initcpio/install/remote | |
| ## Search this file for YOUR_HOME_DIRECTORY and replace it accordingly. | |
| add_user() { | |
| getent passwd "$1" >>"$BUILDROOT/etc/passwd" | |
| getent shadow "$1" >>"$BUILDROOT/etc/shadow" | |
| getent group "$(id -Gn "$1")" >>"$BUILDROOT/etc/group" | |
| } | |
| build() { | |
| add_systemd_unit cryptsetup-pre.target | |
| # Add systemd-networkd.service and enable it | |
| add_systemd_unit systemd-networkd.service | |
| add_symlink /etc/systemd/system/sysinit.target.wants/systemd-networkd.service \ | |
| /usr/lib/systemd/system/systemd-networkd.service | |
| # Copy the host configuration | |
| add_full_dir /etc/systemd/network | |
| # Add the necessary modules | |
| add_checked_modules /drivers/net | |
| add_module bridge | |
| # Add the networking user | |
| add_user systemd-network | |
| # Add tailscaled.service and enable it | |
| add_systemd_unit tailscaled.service | |
| add_systemd_unit tailscaled.socket | |
| add_symlink /etc/systemd/system/sysinit.target.wants/tailscaled.service \ | |
| /usr/lib/systemd/system/tailscaled.service | |
| # Force tailscale to start early | |
| add_systemd_drop_in tailscaled.service order <<EOF | |
| [Unit] | |
| Wants=cryptsetup-pre.target | |
| Before=cryptsetup-pre.target | |
| DefaultDependencies=no | |
| EOF | |
| # Add tun | |
| add_module tun | |
| # Add iptables | |
| map add_binary ip{,6}tables | |
| add_full_dir /usr/lib/xtables | |
| add_all_modules netfilter | |
| # Add the tailscale CLI tool | |
| add_binary tailscale | |
| # Add tailscale configuration | |
| add_file /var/lib/tailscale/tailscaled.state | |
| add_file /etc/default/tailscaled | |
| # Add sshd.service and enable it | |
| add_systemd_unit sshd.service | |
| add_symlink /etc/systemd/system/sysinit.target.wants/sshd.service \ | |
| /usr/lib/systemd/system/sshd.service | |
| # Force sshd to start early | |
| add_systemd_drop_in sshd.service order <<EOF | |
| [Unit] | |
| Wants=cryptsetup-pre.target | |
| Before=cryptsetup-pre.target | |
| DefaultDependencies=no | |
| EOF | |
| # Required for sshd isolation | |
| add_user nobody | |
| add_dir /var/empty | |
| # Add ssh host keys and configuration | |
| add_full_dir /etc/ssh | |
| # Permit root logins in the initrd | |
| sed -Ei 's/^#?AllowUsers.*/AllowUsers root/' "$BUILDROOT/etc/ssh/sshd_config" | |
| sed -Ei 's/^#?PermitRootLogin.*/PermitRootLogin yes/' "$BUILDROOT/etc/ssh/sshd_config" | |
| # No PAM in the initrd | |
| sed -Ei 's/^#?UsePAM.*/UsePAM no/' "$BUILDROOT/etc/ssh/sshd_config" | |
| # Share authorized_keys with my normal user | |
| add_file /home/YOUR_HOME_DIRECTORY/.ssh/authorized_keys /root/.ssh/authorized_keys | |
| add_file /home/YOUR_HOME_DIRECTORY/.initramfs_profile /root/.profile | |
| systemd-analyze verify --root="$BUILDROOT" default.target | |
| } | |
| help() { | |
| cat <<EOF | |
| Enables remote access into the initrd to unlock encrypted disks. | |
| EOF | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment