Move initrd host ssh key to host.

Apparently the initrd is built on the host. That's perfect!
2021-10-15 08:52:44 -07:00 · 2021-10-15 08:52:44 -07:00 · 7264d98dd8
commit 7264d98dd8
parent 22999a8fa4
1 changed files with 21 additions and 6 deletions
--- a/lib/fudo/initrd-network.nix
+++ b/lib/fudo/initrd-network.nix
@ -6,6 +6,10 @@ let
  host-cfg = config.fudo.hosts.${hostname};
  ip = host-cfg.initrd-ip;

+  key-type = "ed25519";
+
+  key-filename = "ssh_host_${key-type}_key";
+
  gen-host-keys = hostname: pkgs.stdenv.mkDerivation {
    name = "${hostname}-initrd-ssh-keys";

@ -15,7 +19,7 @@ let

    installPhase = ''
      mkdir $out
-      ssh-keygen -q -t ed25519 -N "" -f $out/ssh_host_ed25519_key
+      ssh-keygen -q -t ${key-type} -N "" -f $out/ssh_host_${key-type}_key
    '';
  };

@ -28,7 +32,7 @@ let

    installPhase = ''
      mkdir $out
-      ssh-keygen -r REMOVEME -f "${key-pkg}/ssh_host_ed25519_key" | sed 's/^REMOVEME IN SSHFP //' >> $out/ssh_host_ed25519_key.sshfp
+      ssh-keygen -r REMOVEME -f "${key-pkg}/${key-filename}" | sed 's/^REMOVEME IN SSHFP //' >> $out/${key-filename}.sshfp
    '';
  };

@ -37,13 +41,15 @@ let

 in {
  config = mkIf (ip != null) {
-    boot = {
+    boot = let
+      hostname = config.instance.hostname;
+    in {
      kernelParams = [
        "ip=${ip}"
      ];
      initrd = let
        host-key-pkg = host-keys.${config.instance.hostname};
-        host-privkey = builtins.toPath "${host-key-pkg}/ssh_host_ed25519_key";
+        host-privkey = builtins.toPath "${host-key-pkg}/${key-filename}";
      in {
        network = {
          enable = true;
@ -57,7 +63,7 @@ in {
            port = 22;
            authorizedKeys = admin-ssh-keys;
            hostKeys = [
-              (builtins.unsafeDiscardStringContext host-privkey)
+              config.fudo.secrets.host-secrets.${hostname}.initrd-ssh-host-key.target-file
            ];
          };
        };
@ -65,6 +71,15 @@ in {
    };

    fudo = {
+      secrets.host-secrets = mapAttrs
+        (hostname: key-pkg: {
+          initrd-ssh-host-key = {
+            source-file = "${key-pkg}/${key-fdilename}";
+            target-file = "/var/run/ssh/${key-filename}";
+            user = "root";
+          };
+        });
+
      local-network = {
        network-definition.hosts = mapAttrs'
          (hostname: hostOpts: nameValuePair "${hostname}-recovery"
@ -78,7 +93,7 @@ in {
          mapAttrs
            (hostname: key-pkg: let
              sshfp-pkg = gen-sshfp-records hostname key-pkg;
-              sshfps = read-lines "${sshfp-pkg}/ssh_host_ed25519_key.sshfp";
+              sshfps = read-lines "${sshfp-pkg}/${key-filename}.sshfp";
            in map (sshfp: "${hostname} IN SSHFP ${sshfp}") sshfps)
            host-keys;
      };