{ config, lib, pkgs, ... }:

with lib;
let
  # Name of the host this module is being evaluated for.
  inherit (config.instance) hostname;
  # This host's entry in the fudo host table.
  host-cfg = builtins.getAttr hostname config.fudo.hosts;
  # Address the initrd network stack is given; null disables this module.
  ip = host-cfg.initrd-ip;

  # Build a fresh ed25519 host key pair for a host's initrd sshd.
  #
  # The output holds ssh_host_ed25519_key (private, no passphrase) plus the
  # .pub file ssh-keygen writes next to it.  This is an ordinary, non-fixed-
  # output derivation, so:
  #   - the private key lives in /nix/store and is readable by every local
  #     user, like any other store path (and it is later copied into the
  #     initrd as well);
  #   - the key material is random per build: it is regenerated whenever the
  #     derivation's inputs change (e.g. an openssh bump), and two machines
  #     that realise it independently rather than substituting it from a
  #     shared cache end up with different keys under the same store path.
  # Treat it as a low-trust key that only protects the initrd session.
  gen-host-keys = host: pkgs.stdenv.mkDerivation {
    name = host + "-initrd-ssh-keys";

    # Nothing to unpack, configure or build; only the install step runs.
    phases = [ "installPhase" ];

    buildInputs = [ pkgs.openssh ];

    installPhase = ''
      mkdir "$out"
      ssh-keygen -q -t ed25519 -N "" -f "$out/ssh_host_ed25519_key"
    '';
  };

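  # Derive the SSHFP resource-record data for an initrd host key produced by
  # gen-host-keys.
  #
  #   host     name of the host the key belongs to.  It labels the derivation;
  #            previously the evaluating host's name was used here and the
  #            parameter was ignored, so every fingerprint package was named
  #            after the host running the evaluation.
  #   key-pkg  output of gen-host-keys for that host.
  #
  # The output file ssh_host_ed25519_key.sshfp holds one line per record as
  # printed by `ssh-keygen -r`, with the "<name> IN SSHFP " prefix removed,
  # i.e. "<algorithm> <fptype> <hex-fingerprint>".  ssh-keygen emits both a
  # SHA-1 and a SHA-256 fingerprint line; verifiers should rely on the
  # SHA-256 one.
  gen-sshfp-records = host: key-pkg: pkgs.stdenv.mkDerivation {
    name = "${host}-initrd-ssh-fingerprints";

    phases = [ "installPhase" ];

    buildInputs = with pkgs; [ openssh ];

    installPhase = ''
      mkdir $out
      # The placeholder owner name is stripped again so the caller can attach
      # the record data to whichever DNS name it publishes for the host.
      ssh-keygen -r REMOVEME -f "${key-pkg}/ssh_host_ed25519_key" \
        | sed 's/^REMOVEME IN SSHFP //' > $out/ssh_host_ed25519_key.sshfp
    '';
  };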

  # One generated initrd host-key package per host of the local network,
  # keyed by host name.  This host's own key is looked up from here when the
  # initrd is assembled below; every host's key is fingerprinted for DNS.
  host-keys = mapAttrs (host: _: gen-host-keys host) config.instance.local-hosts;

in {
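  config = mkIf (ip != null) {
    boot = {
      # Static address for the initrd network stack (kernel "ip=" parameter).
      kernelParams = [
        "ip=${ip}"
      ];
      initrd = let
        host-key-pkg = host-keys.${hostname};
        host-privkey = builtins.toPath "${host-key-pkg}/ssh_host_ed25519_key";
      in {
        network = {
          enable = true;

          ssh = let
            # Every local admin's authorised keys may log into the initrd sshd.
            admin-ssh-keys =
              concatMap (admin: config.fudo.users.${admin}.ssh-authorized-keys)
                config.instance.local-admins;
          in {
            enable = true;
            port = 22;
            authorizedKeys = admin-ssh-keys;
            # The private key is passed as a plain path string: its string
            # context (Nix's record that it comes from host-key-pkg) is
            # discarded, so the system closure does not reference the key
            # derivation.  NOTE(review): nothing here therefore guarantees
            # host-key-pkg is realised on the target before the initrd
            # secrets are copied from this path -- confirm what builds it.
            hostKeys = [
              (builtins.unsafeDiscardStringContext host-privkey)
            ];
          };
        };
      };
    };

    fudo = {
      local-network = {
        # Publish "<host>-recovery" -> initrd-ip for every local host so each
        # host's initrd sshd is reachable by name.
        network-definition.hosts = mapAttrs'
          (host: _: nameValuePair "${host}-recovery"
            {
              ipv4-address = config.fudo.hosts.${host}.initrd-ip;
              description = "${host} initrd host";
            })
          config.instance.local-hosts;

        # SSHFP records for every host's initrd key.  They are attached to the
        # "<host>-recovery" name defined above, which is the name that
        # resolves to the initrd address.  Publishing them under the plain
        # host name (not defined here; presumably the host's normal sshd)
        # would advertise the initrd key as that service's fingerprint and
        # leave the recovery name without any SSHFP record.
        #
        # NOTE(review): read-lines is not a nixpkgs lib function -- presumably
        # the project's extended lib provides it through `with lib`.  Reading
        # the derivation output at evaluation time also builds the key
        # package on the evaluating machine; see gen-host-keys for why that
        # need not be the same key as the one on the target host.
        extra-records =
          mapAttrs
            (host: key-pkg: let
              sshfp-pkg = gen-sshfp-records host key-pkg;
              sshfps = read-lines "${sshfp-pkg}/ssh_host_ed25519_key.sshfp";
            in map (sshfp: "${host}-recovery IN SSHFP ${sshfp}") sshfps)
            host-keys;
      };
    };
  };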
}