Move initrd host ssh key to host.

Apparently the initrd is built on the host. That's perfect!
This commit is contained in:
niten 2021-10-15 08:52:44 -07:00
parent 22999a8fa4
commit 7264d98dd8


@ -6,6 +6,10 @@ let
host-cfg = config.fudo.hosts.${hostname}; host-cfg = config.fudo.hosts.${hostname};
ip = host-cfg.initrd-ip; ip = host-cfg.initrd-ip;
key-type = "ed25519";
key-filename = "ssh_host_${key-type}_key";
gen-host-keys = hostname: pkgs.stdenv.mkDerivation { gen-host-keys = hostname: pkgs.stdenv.mkDerivation {
name = "${hostname}-initrd-ssh-keys"; name = "${hostname}-initrd-ssh-keys";
@ -15,7 +19,7 @@ let
installPhase = '' installPhase = ''
mkdir $out mkdir $out
ssh-keygen -q -t ed25519 -N "" -f $out/ssh_host_ed25519_key ssh-keygen -q -t ${key-type} -N "" -f $out/ssh_host_${key-type}_key
''; '';
}; };
@ -28,7 +32,7 @@ let
installPhase = '' installPhase = ''
mkdir $out mkdir $out
ssh-keygen -r REMOVEME -f "${key-pkg}/ssh_host_ed25519_key" | sed 's/^REMOVEME IN SSHFP //' >> $out/ssh_host_ed25519_key.sshfp ssh-keygen -r REMOVEME -f "${key-pkg}/${key-filename}" | sed 's/^REMOVEME IN SSHFP //' >> $out/${key-filename}.sshfp
''; '';
}; };
@ -37,13 +41,15 @@ let
in { in {
config = mkIf (ip != null) { config = mkIf (ip != null) {
boot = { boot = let
hostname = config.instance.hostname;
in {
kernelParams = [ kernelParams = [
"ip=${ip}" "ip=${ip}"
]; ];
initrd = let initrd = let
host-key-pkg = host-keys.${config.instance.hostname}; host-key-pkg = host-keys.${config.instance.hostname};
host-privkey = builtins.toPath "${host-key-pkg}/ssh_host_ed25519_key"; host-privkey = builtins.toPath "${host-key-pkg}/${key-filename}";
in { in {
network = { network = {
enable = true; enable = true;
@ -57,7 +63,7 @@ in {
port = 22; port = 22;
authorizedKeys = admin-ssh-keys; authorizedKeys = admin-ssh-keys;
hostKeys = [ hostKeys = [
(builtins.unsafeDiscardStringContext host-privkey) config.fudo.secrets.host-secrets.${hostname}.initrd-ssh-host-key.target-file
]; ];
}; };
}; };
@ -65,6 +71,15 @@ in {
}; };
fudo = { fudo = {
secrets.host-secrets = mapAttrs
(hostname: key-pkg: {
initrd-ssh-host-key = {
source-file = "${key-pkg}/${key-fdilename}";
target-file = "/var/run/ssh/${key-filename}";
user = "root";
};
});
local-network = { local-network = {
network-definition.hosts = mapAttrs' network-definition.hosts = mapAttrs'
(hostname: hostOpts: nameValuePair "${hostname}-recovery" (hostname: hostOpts: nameValuePair "${hostname}-recovery"
@ -78,7 +93,7 @@ in {
mapAttrs mapAttrs
(hostname: key-pkg: let (hostname: key-pkg: let
sshfp-pkg = gen-sshfp-records hostname key-pkg; sshfp-pkg = gen-sshfp-records hostname key-pkg;
sshfps = read-lines "${sshfp-pkg}/ssh_host_ed25519_key.sshfp"; sshfps = read-lines "${sshfp-pkg}/${key-filename}.sshfp";
in map (sshfp: "${hostname} IN SSHFP ${sshfp}") sshfps) in map (sshfp: "${hostname} IN SSHFP ${sshfp}") sshfps)
host-keys; host-keys;
}; };
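Review bot: The new `secrets.host-secrets` block in the `@ -65,6 +71,15 @@` hunk does not evaluate: `source-file` references `key-fdilename`, which is not defined (the `let` binding added in the first hunk is `key-filename`), and the `mapAttrs` call is closed with `});` without the attribute set to map over, unlike the sibling `mapAttrs … host-keys;` in the last hunk. The two lines should read `source-file = "${key-pkg}/${key-filename}";` and `}) host-keys;`. Since the initrd `hostKeys` entry in the `@ -57,7 +63,7 @@` hunk now points at `target-file` under `/var/run/ssh`, it would also help to add a comment there stating that the key must already be deployed on the host when the initrd is built, as the commit message implies; I cannot see from this page what enforces that ordering. Note that the key is still generated inside a `mkDerivation`, so `source-file` is a store path; a comment on `gen-host-keys` noting that the store copy is world-readable and only the deployed target-file is the protected copy would make the trust boundary explicit. The `fudo` attribute set and the enclosing `config` continue outside the hunk.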