!JQvnJacrwKgtkGHYHO:matrix.org

NixOS + Framework

227 Members, 52 Servers

Discussing NixOS in the context of the Framework laptop



10 May 2026

[21:30:36] Albert Larsan (@albertlarsan68:albertlarsan.fr): Mine are across 4 LANs, with ISP-provided routers.
[21:30:45] sudoforge (@sudoforge:matrix.org): and yep, all my servers are in a single LAN
[21:30:49] sudoforge (@sudoforge:matrix.org): interesting - family homes?
[21:31:38] sudoforge (@sudoforge:matrix.org): i'm "netflix" for my family, and have a small node with some storage that acts as a pull-through cache to my storage cluster (ceph) via a persistent wg tunnel
[21:31:45] sudoforge (@sudoforge:matrix.org): so, even those remote nodes are "on the LAN"
[21:32:11] Albert Larsan (@albertlarsan68:albertlarsan.fr): My home, my grandparents' home, and a school/work server room (this one I can touch the router, and I might grab a free IPv4 for the laptop there)
[21:32:16] sudoforge (@sudoforge:matrix.org): * i'm "netflix" for my family, and have a small node with some storage at each of their homes that acts as a pull-through cache to my storage cluster (ceph) via a persistent wg tunnel
[21:32:38] Albert Larsan (@albertlarsan68:albertlarsan.fr): But your wg tunnel works even when the disks are crypted?
[21:32:55] sudoforge (@sudoforge:matrix.org): yes, it's the one thing that is always up and available
[21:33:48] Albert Larsan (@albertlarsan68:albertlarsan.fr): So each machine has the wg secret in the initramfs? Or is it protected some other way?
[21:35:32] sudoforge (@sudoforge:matrix.org): my wg relay runs on dedicated hardware, distributed across currently 8 intel NUCs (they are all replicas of each other) in an HA topology, with independent power backup. i have fiber to the house, cellular backup, and optionally satellite that i can enable if i need to
[21:37:07] Albert Larsan (@albertlarsan68:albertlarsan.fr): Alright. I have FTTH and Ethernet from my laptops to the ISP router, with backup of wifi if ethernet is disconnected. I can have some of the routers act as openvpn servers, with a bridged mode to access the lan.
[21:38:28] sudoforge (@sudoforge:matrix.org): nice. my infra can run entirely offline
[21:38:42] sudoforge (@sudoforge:matrix.org): key things (e.g. the wg relay) are actually available as hidden services on the onion network too
[21:39:22] Albert Larsan (@albertlarsan68:albertlarsan.fr): Would it be a good idea to launch Tor in initramfs?
[21:39:22] sudoforge (@sudoforge:matrix.org): * nice. my infra can run entirely offline (well, for anyone on prem -- of course the remote nodes can't get in if all networking is down)
[21:39:44] sudoforge (@sudoforge:matrix.org): why would you do that?
[21:42:28] Albert Larsan (@albertlarsan68:albertlarsan.fr): To unlock the machines via ssh over Tor, as they don't all have a dedicated IPv4 (and when in initramfs they get IPv6 with SLAAC). And port forwarding isn't always an option. And some machines are alone on their LAN
[21:43:28] sudoforge (@sudoforge:matrix.org): ah i see. i imagine you could
[21:55:42] sudoforge (@sudoforge:matrix.org): maybe this will help. my remote nodes are "clients" that my infra doesn't reach out to (it's the other way around). they are designed to establish the tunnel in initramfs in order to be able to hit my tang server (which again, is just another device on the LAN basically) for unlocking; i do this with a systemd unit since i use systemd in initrd. as a fallback, these each have a unique key file stored on USBs, given to the adults in each household and instructed to keep it where they keep all of their important documents, so that they never lose it. it's comically large, and brightly colored, so it's hard to miss. this USB is automatically decrypted with on-device TPM (yes, looser PCRs) and can unlock the disks in the event that my tang server is unreachable
[21:58:55] sudoforge (@sudoforge:matrix.org): i live about 1400km away from the bulk of these nodes
[21:59:37] sudoforge (@sudoforge:matrix.org): so some balance between my desire for the highest level of security and "well what if i'm unavailable" needed to be found lol
[22:09:51] trumee (@rajil:rajils.com): sudoforge: i enrolled the yubikey when using disko. It did not create a recovery password. How can i open the disk manually using yubikey? This fails:

    root@portable ~ [1]# cryptsetup open /dev/nvme0n1p2 --fido2-device=auto cryptdisk
    Usage: cryptsetup [-?VqrvyN] [-?|--help] [--usage] [-V|--version]
            [--active-name=STRING] [--align-payload=SECTORS] [--allow-discards]
            [-q|--batch-mode] [--cancel-deferred] [-c|--cipher=STRING] [--debug]
            [--debug-json] [--decrypt] [--deferred] [--device-size=bytes]
            [--disable-blkid] [--disable-external-tokens] [--disable-keyring]
            [--disable-locks] [--disable-veracrypt] [--dump-json-metadata]
            [--dump-volume-key] [--encrypt] [--external-tokens-path=STRING]
            [--force-password] [--force-offline-reencrypt] [--force-no-keyslots]
            [-h|--hash=STRING] [--header=STRING] [--header-backup-file=STRING]
            [--hotzone-size=bytes] [--hw-opal] [--hw-opal-factory-reset]
            [--hw-opal-only] [--init-only] [-I|--integrity=STRING]
            [--integrity-inline] [--integrity-key-size=BITS]
            [--integrity-legacy-padding] [--integrity-no-journal]
            [--integrity-no-wipe] [-i|--iter-time=msecs] [--iv-large-sectors]
            [--json-file=STRING] [--keep-key] [--key-description=STRING]
            [-d|--key-file=STRING] [-s|--key-size=BITS] [-S|--key-slot=INT]
            [--keyfile-offset=bytes] [-l|--keyfile-size=bytes]
            [--keyslot-cipher=STRING] [--keyslot-key-size=BITS] [--label=STRING]
            [--link-vk-to-keyring=STRING] [--luks2-keyslots-size=bytes]
            [--luks2-metadata-size=bytes] [--new-keyfile=STRING]
            [--new-keyfile-offset=bytes] [--new-keyfile-size=bytes]
            [--new-key-description=STRING] [--new-key-size=BITS]
            [--new-key-slot=INT] [--new-token-id=INT]
            [--new-volume-key-file=STRING] [--new-volume-key-keyring=STRING]
            [-o|--offset=SECTORS] [--pbkdf=STRING]
            [--pbkdf-force-iterations=LONG] [--pbkdf-memory=kilobytes]
            [--pbkdf-parallel=threads] [--perf-high_priority]
            [--perf-no_read_workqueue] [--perf-no_write_workqueue]
            [--perf-same_cpu_crypt] [--perf-submit_from_crypt_cpus]
            [--persistent] [--priority=STRING] [--progress-json]
            [--progress-frequency=secs] [-r|--readonly]
            [--reduce-device-size=bytes] [--refresh] [--resilience=STRING]
            [--resilience-hash=STRING] [--resume-only] [--sector-size=INT]
            [--serialize-memory-hard-pbkdf] [--shared] [-b|--size=SECTORS]
            [-p|--skip=SECTORS] [--subsystem=STRING] [--test-args]
            [--test-passphrase] [-t|--timeout=secs] [--token-id=INT]
            [--token-only] [--token-replace] [--token-type=STRING]
            [--tcrypt-backup] [--tcrypt-hidden] [--tcrypt-system]
            [-T|--tries=INT] [-M|--type=STRING] [--unbound] [--use-random]
            [--use-urandom] [--uuid=STRING] [--veracrypt] [--veracrypt-pim=INT]
            [--veracrypt-query-pim] [-v|--verbose] [-y|--verify-passphrase]
            [--volume-key-file=STRING] [--volume-key-keyring=STRING]
            [-B|--block-size=MiB] [-N|--new] [--use-directio] [--use-fsync]
            [--write-log] [--dump-master-key] [--master-key-file=STRING]
            [OPTION...] <action> <action-specific>
    --fido2-device=auto: unknown option
[22:12:39] sudoforge (@sudoforge:matrix.org): drop --fido2-device=auto
[22:13:31] trumee (@rajil:rajils.com): It asks for a passphrase which i don't have/set.
[22:14:07] trumee (@rajil:rajils.com): I should have set up a recovery key post disko run, which i didn't.
[22:14:29] trumee (@rajil:rajils.com): Only the yubikey was enrolled.
[22:14:30] sudoforge (@sudoforge:matrix.org): did you explicitly disable the recovery key? this is the content.enrollRecovery option
[22:14:39] trumee (@rajil:rajils.com): yes, i disabled it.
[22:15:24] trumee (@rajil:rajils.com): So there is no way to use the yubikey token to open the disk manually?