From 7264d98dd84557c292e3d529ebc74cf446c32d8e Mon Sep 17 00:00:00 2001
From: niten
Date: Fri, 15 Oct 2021 08:52:44 -0700
Subject: [PATCH] Move initrd host ssh key to host.

Apparently the initrd is built on the host. That's perfect!
---
 lib/fudo/initrd-network.nix | 27 +++++++++++++++++++++------
 1 file changed, 21 insertions(+), 6 deletions(-)

diff --git a/lib/fudo/initrd-network.nix b/lib/fudo/initrd-network.nix
index 245f9c0..e1eeaff 100644
--- a/lib/fudo/initrd-network.nix
+++ b/lib/fudo/initrd-network.nix
@@ -6,6 +6,10 @@ let
 host-cfg = config.fudo.hosts.${hostname};
 ip = host-cfg.initrd-ip;
+ key-type = "ed25519";
+
+ key-filename = "ssh_host_${key-type}_key";
+
 gen-host-keys = hostname: pkgs.stdenv.mkDerivation {
 name = "${hostname}-initrd-ssh-keys";
@@ -15,7 +19,7 @@ let
 installPhase = ''
 mkdir $out
- ssh-keygen -q -t ed25519 -N "" -f $out/ssh_host_ed25519_key
+ ssh-keygen -q -t ${key-type} -N "" -f $out/ssh_host_${key-type}_key
 '';
 };
@@ -28,7 +32,7 @@ let
 installPhase = ''
 mkdir $out
- ssh-keygen -r REMOVEME -f "${key-pkg}/ssh_host_ed25519_key" | sed 's/^REMOVEME IN SSHFP //' >> $out/ssh_host_ed25519_key.sshfp
+ ssh-keygen -r REMOVEME -f "${key-pkg}/${key-filename}" | sed 's/^REMOVEME IN SSHFP //' >> $out/${key-filename}.sshfp
 '';
 };
@@ -37,13 +41,15 @@ let
 in {
 config = mkIf (ip != null) {
- boot = {
+ boot = let
+ hostname = config.instance.hostname;
+ in {
 kernelParams = [ "ip=${ip}" ];
 initrd = let
 host-key-pkg = host-keys.${config.instance.hostname};
- host-privkey = builtins.toPath "${host-key-pkg}/ssh_host_ed25519_key";
+ host-privkey = builtins.toPath "${host-key-pkg}/${key-filename}";
 in {
 network = {
 enable = true;
@@ -57,7 +63,7 @@ in {
 port = 22;
 authorizedKeys = admin-ssh-keys;
 hostKeys = [
- (builtins.unsafeDiscardStringContext host-privkey)
+ config.fudo.secrets.host-secrets.${hostname}.initrd-ssh-host-key.target-file
 ];
 };
 };
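Review bot: The new `-f $out/ssh_host_${key-type}_key` in the `gen-host-keys` installPhase rebuilds the filename from `key-type`, while the SSHFP derivation in the next hunk and every later consumer read the same file through `key-filename`; if `key-filename` is ever changed, the generator and its consumers silently disagree on the path. Use the single definition here as well: `ssh-keygen -q -t ${key-type} -N "" -f $out/${key-filename}`. The `gen-host-keys` derivation starts before this hunk.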
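Review bot: `host-privkey` in the `initrd` let-block (and `host-key-pkg`, whose only visible reader is `host-privkey`) appears to have no remaining consumer once the later hunk drops `builtins.unsafeDiscardStringContext host-privkey`; unless the rest of the block, which continues outside the hunk, still uses it, both bindings and the `builtins.toPath` call can go. The new `boot = let hostname = config.instance.hostname; in …` also shadows the outer `hostname` already used in the first hunk (`config.fudo.hosts.${hostname}`); if that outer name holds the same value the inner binding is redundant, and either way `host-key-pkg = host-keys.${config.instance.hostname}` on the next line should use the same name as the `.${hostname}` lookup in the `hostKeys` hunk so the two cannot drift apart.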
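Review bot: The key that `hostKeys` now loads via `…initrd-ssh-host-key.target-file` still originates in the Nix store: the secret's `source-file` in the following hunk is `"${key-pkg}/…"`, and `key-pkg` is the `gen-host-keys` derivation whose `ssh-keygen … -f $out/…` writes the private key into `$out`. Store paths are readable by every local user, so routing the key through `fudo.secrets` changes where the initrd build reads it from but not who can read it; only a key generated outside of any derivation would actually confine it, and I can't tell from here whether that is the intent of "built on the host". At minimum the exposure should be stated next to the entry, e.g. `# NOTE: key material comes from a store path (gen-host-keys); readable by any local user`. The `ssh` attrset this hunk edits opens and closes outside the hunk.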
@@ -65,6 +71,15 @@ in {
 };
 fudo = {
+ secrets.host-secrets = mapAttrs
+ (hostname: key-pkg: {
+ initrd-ssh-host-key = {
+ source-file = "${key-pkg}/${key-fdilename}";
+ target-file = "/var/run/ssh/${key-filename}";
+ user = "root";
+ };
+ });
+
 local-network = {
 network-definition.hosts = mapAttrs'
 (hostname: hostOpts: nameValuePair "${hostname}-recovery"
@@ -78,7 +93,7 @@ in {
 mapAttrs (hostname: key-pkg: let sshfp-pkg = gen-sshfp-records hostname key-pkg;
- sshfps = read-lines "${sshfp-pkg}/ssh_host_ed25519_key.sshfp";
+ sshfps = read-lines "${sshfp-pkg}/${key-filename}.sshfp";
 in map (sshfp: "${hostname} IN SSHFP ${sshfp}") sshfps) host-keys;
 };
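Review bot: `source-file = "${key-pkg}/${key-fdilename}"` references `key-fdilename`, which is bound nowhere (the name introduced at the top of the patch is `key-filename`), so evaluating any host's secret fails with an undefined-variable error. The `mapAttrs` call also never receives its attrset argument: the function `(hostname: key-pkg: { … })` is followed directly by `;`, with no `host-keys` as in the `sshfp` hunk below, so `secrets.host-secrets` is a partially applied function and the `.${hostname}` lookup in the `hostKeys` hunk fails as well. Both are one-line fixes: `source-file = "${key-pkg}/${key-filename}";` and `}) host-keys;`. Whether `user = "root"` alone gives the file under `/var/run/ssh` a restrictive mode depends on the secrets module's defaults, which are not visible here; if it does not, an explicit mode should be set for a private key.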