Move initrd host ssh key to host.
Apparently the initrd is built on the host. That's perfect!
parent
22999a8fa4
commit
7264d98dd8
@ -6,6 +6,10 @@ let
|
||||
host-cfg = config.fudo.hosts.${hostname};
|
||||
ip = host-cfg.initrd-ip;
|
||||
|
||||
key-type = "ed25519";
|
||||
|
||||
key-filename = "ssh_host_${key-type}_key";
|
||||
|
||||
gen-host-keys = hostname: pkgs.stdenv.mkDerivation {
|
||||
name = "${hostname}-initrd-ssh-keys";
|
||||
|
||||
@ -15,7 +19,7 @@ let
|
||||
|
||||
installPhase = ''
|
||||
mkdir $out
|
||||
ssh-keygen -q -t ed25519 -N "" -f $out/ssh_host_ed25519_key
|
||||
ssh-keygen -q -t ${key-type} -N "" -f $out/ssh_host_${key-type}_key
|
||||
'';
|
||||
};
|
||||
|
||||
@ -28,7 +32,7 @@ let
|
||||
|
||||
installPhase = ''
|
||||
mkdir $out
|
||||
ssh-keygen -r REMOVEME -f "${key-pkg}/ssh_host_ed25519_key" | sed 's/^REMOVEME IN SSHFP //' >> $out/ssh_host_ed25519_key.sshfp
|
||||
ssh-keygen -r REMOVEME -f "${key-pkg}/${key-filename}" | sed 's/^REMOVEME IN SSHFP //' >> $out/${key-filename}.sshfp
|
||||
'';
|
||||
};
|
||||
|
||||
@ -37,13 +41,15 @@ let
|
||||
|
||||
in {
|
||||
config = mkIf (ip != null) {
|
||||
boot = {
|
||||
boot = let
|
||||
hostname = config.instance.hostname;
|
||||
in {
|
||||
kernelParams = [
|
||||
"ip=${ip}"
|
||||
];
|
||||
initrd = let
|
||||
host-key-pkg = host-keys.${config.instance.hostname};
|
||||
host-privkey = builtins.toPath "${host-key-pkg}/ssh_host_ed25519_key";
|
||||
host-privkey = builtins.toPath "${host-key-pkg}/${key-filename}";
|
||||
in {
|
||||
network = {
|
||||
enable = true;
|
||||
@ -57,7 +63,7 @@ in {
|
||||
port = 22;
|
||||
authorizedKeys = admin-ssh-keys;
|
||||
hostKeys = [
|
||||
(builtins.unsafeDiscardStringContext host-privkey)
|
||||
config.fudo.secrets.host-secrets.${hostname}.initrd-ssh-host-key.target-file
|
||||
];
|
||||
};
|
||||
};
|
||||
@ -65,6 +71,15 @@ in {
|
||||
};
|
||||
|
||||
fudo = {
|
||||
secrets.host-secrets = mapAttrs
|
||||
(hostname: key-pkg: {
|
||||
initrd-ssh-host-key = {
|
||||
source-file = "${key-pkg}/${key-fdilename}";
|
||||
target-file = "/var/run/ssh/${key-filename}";
|
||||
user = "root";
|
||||
};
|
||||
});
|
||||
|
||||
local-network = {
|
||||
network-definition.hosts = mapAttrs'
|
||||
(hostname: hostOpts: nameValuePair "${hostname}-recovery"
|
||||
@ -78,7 +93,7 @@ in {
|
||||
mapAttrs
|
||||
(hostname: key-pkg: let
|
||||
sshfp-pkg = gen-sshfp-records hostname key-pkg;
|
||||
sshfps = read-lines "${sshfp-pkg}/ssh_host_ed25519_key.sshfp";
|
||||
sshfps = read-lines "${sshfp-pkg}/${key-filename}.sshfp";
|
||||
in map (sshfp: "${hostname} IN SSHFP ${sshfp}") sshfps)
|
||||
host-keys;
|
||||
};
|
||||
|
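Review bot: `source-file = "${key-pkg}/${key-fdilename}";` in the new `fudo.secrets.host-secrets` block (hunk `@ -65,6 +71,15 @@`) references `key-fdilename`, a name that is not bound anywhere in the shown code (the `let` at the top of the file defines `key-filename`), and Nix rejects an undefined variable when the file is loaded, so the whole module stops evaluating rather than just this attribute. It should read `source-file = "${key-pkg}/${key-filename}";`, matching the `target-file` line directly below it. With `hostKeys` now taking the secret's `target-file` instead of `host-privkey`, the `host-key-pkg` and `host-privkey` bindings kept in the `initrd = let` block (hunk `@ -37,13 +41,15 @@`) appear to have no remaining reference in the shown hunks and can be dropped. Note also that the private key is still produced inside the `gen-host-keys` derivation, so it sits in the Nix store, which is readable by every local user on the build host, before the secrets mechanism copies it to `/var/run/ssh/${key-filename}`; this commit changes where the initrd reads the key from, not where it is generated.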