{ config, lib, pkgs, ... }:

with lib;
let
  # Name of the host this module is being evaluated for.
  inherit (config.instance) hostname;

  # This host's initrd-network settings. The value is compared against null
  # further down to decide whether any initrd networking is configured.
  initrd-cfg = config.fudo.hosts."${hostname}".initrd-network;

  # Return the contents of `filename` as a list of lines: the text is loaded
  # with `fileContents` and then split on "\n".
  read-lines = filename:
    let contents = fileContents filename;
    in splitString "\n" contents;

  # Flatten a list of lists by one level. Being a let-binding, this name takes
  # precedence over any `concatLists` that `with lib` brings into scope.
  concatLists = lsts: builtins.concatLists lsts;

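  # Build a derivation whose output holds the SSHFP record data for `pubkey`.
  #
  #   hostname: used only to name the resulting store paths.
  #   pubkey:   text of an SSH public key. Only public key material is written
  #             to the store by this function.
  #
  # The output directory contains `initrd-ssh-pubkey.sshfp`, with one line per
  # record printed by `ssh-keygen -r`. The leading "<owner> IN SSHFP " is
  # stripped so that callers can prepend the owner name they publish under.
  gen-sshfp-records-pkg = hostname: pubkey: let
    # writeTextFile is a nixpkgs builder, so reference it through `pkgs`
    # instead of relying on `with lib` to resolve the bare name.
    pubkey-file = pkgs.writeTextFile {
      name = "${hostname}-initrd-ssh-pubkey";
      text = pubkey;
    };
  in pkgs.stdenv.mkDerivation {
    name = "${hostname}-initrd-ssh-fingerprint";

    # stdenv does not put ssh-keygen on PATH; without openssh the pipeline
    # below cannot produce any fingerprint.
    nativeBuildInputs = [ pkgs.openssh ];

    phases = [ "installPhase" ];

    # REMOVEME is a throwaway owner name passed to `ssh-keygen -r`; sed removes
    # it again together with the "IN SSHFP" tokens.
    installPhase = ''
      mkdir "$out"
      ssh-keygen -r REMOVEME -f "${pubkey-file}" | sed 's/^REMOVEME IN SSHFP //' > "$out/initrd-ssh-pubkey.sshfp"
    '';
  };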

  # Return the SSHFP record data lines for `pubkey` as a list of strings.
  #
  # The lines are read from the output of gen-sshfp-records-pkg while the
  # configuration is being evaluated, so evaluating this value requires that
  # derivation to be built first (import-from-derivation).
  gen-sshfp-records = hostname: pubkey:
    read-lines
      "${gen-sshfp-records-pkg hostname pubkey}/initrd-ssh-pubkey.sshfp";

in {
  config = {
    # Everything under `boot` applies only when this host defines an
    # initrd-network.
    boot = mkIf (initrd-cfg != null) {
      # Kernel-level IP configuration for early boot.
      kernelParams = [ "ip=${initrd-cfg.ip}" ];

      initrd.network = {
        enable = true;

        # SSH server inside the initrd, reachable with the authorized keys of
        # every local admin.
        #
        # NOTE(review): the initrd host key is shipped with the initrd. The
        # NixOS documentation for this option warns that, unless the bootloader
        # supports initrd secrets, such keys are stored readable in the Nix
        # store. Keep this a dedicated key that is never reused as the host's
        # regular SSH host key, and confirm how private-key-file is provisioned.
        ssh = {
          enable = true;
          port = 22;
          authorizedKeys = concatMap
            (admin: config.fudo.users.${admin}.ssh-authorized-keys)
            config.instance.local-admins;
          hostKeys = [ initrd-cfg.keypair.private-key-file ];
        };
      };
    };

    fudo.local-network = let
      # Local hosts that have an initrd-network configured.
      recovery-hosts = filterAttrs
        (_: opts: opts.initrd-network != null)
        config.instance.local-hosts;

      # SSHFP record strings for one host's initrd public key.
      #
      # NOTE(review): the records are published under "${host}", while the
      # address entry below is named "${host}-recovery". A client verifying
      # the initrd host key through DNS for the -recovery name would not find
      # these records, and they mix with any SSHFP data of the regular host
      # key. Confirm which owner name is intended.
      # SSHFP data is only a trust anchor when the zone is DNSSEC-signed and
      # the client validates it.
      sshfp-for = host: opts:
        map (fingerprint: "${host} IN SSHFP ${fingerprint}")
          (gen-sshfp-records host opts.initrd-network.keypair.public-key);
    in {
      # One "<host>-recovery" entry per host, pointing at its initrd address.
      network-definition.hosts = mapAttrs'
        (host: opts:
          nameValuePair "${host}-recovery" {
            ipv4-address = opts.initrd-network.ip;
            description = "${host} initrd host";
          })
        recovery-hosts;

      # Flat list of the SSHFP records of all hosts.
      extra-records = concatLists (mapAttrsToList sshfp-for recovery-hosts);
    };
  };
}