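# Configures an early-boot (initrd) SSH listener for this host and publishes
# its recovery address and host-key fingerprint in the local network
# definition.
#
# Module arguments are the usual NixOS ones. The host is selected via
# `config.instance.hostname`; the whole configuration is only active when the
# host has a `fudo.hosts.<name>.initrd-ip`.
{ config, lib, pkgs, ... }:

with lib;

let
  hostname = config.instance.hostname;
  host-cfg = config.fudo.hosts.${hostname};
  ip = host-cfg.initrd-ip;

  # Local hosts that actually run an initrd SSH listener. A host without an
  # `initrd-ip` has nothing to reach, so no recovery record, key pair or
  # fingerprint is produced for it (the previous version emitted a recovery
  # entry with a null address for such hosts).
  initrd-hosts = filterAttrs
    (host: _: config.fudo.hosts.${host}.initrd-ip != null)
    config.instance.local-hosts;

  # Generates an ed25519 host key pair for `host`'s initrd SSH server.
  #
  # NOTE(review): the private key is written into the Nix store, which is
  # readable by every local user and by anything that receives the store path
  # (binary caches, remote builders, `nix copy`). The output is also not
  # reproducible (ssh-keygen draws fresh randomness), so a rebuild in another
  # store yields a key that does not match the fingerprint published below.
  # Confirm this exposure is acceptable for a boot-time key.
  gen-host-keys = host:
    pkgs.stdenv.mkDerivation {
      name = "${host}-initrd-ssh-keys";
      phases = [ "installPhase" ];
      # ssh-keygen runs at build time, so it is a native (build-platform) input.
      nativeBuildInputs = with pkgs; [ openssh ];
      installPhase = ''
        mkdir $out
        ssh-keygen -q -t ed25519 -N "" -f $out/ssh_host_ed25519_key
      '';
    };

  # Produces SSHFP record data for the ed25519 key in `key-pkg`, one record per
  # line in $out/ssh_host_ed25519_key.sshfp. The placeholder owner name that
  # ssh-keygen prints is stripped so the caller can prefix the real name.
  gen-sshfp-records = host: key-pkg:
    pkgs.stdenv.mkDerivation {
      # Named after the host being processed (`host`), not the evaluating host:
      # the previous version used the outer `hostname` here, so every host's
      # fingerprint derivation carried the same name.
      name = "${host}-initrd-ssh-fingerprints";
      phases = [ "installPhase" ];
      nativeBuildInputs = with pkgs; [ openssh ];
      installPhase = ''
        mkdir $out
        ssh-keygen -r REMOVEME -f "${key-pkg}/ssh_host_ed25519_key" \
          | sed 's/^REMOVEME IN SSHFP //' \
          > $out/ssh_host_ed25519_key.sshfp
      '';
    };

  # One key derivation per initrd-capable local host, keyed by host name.
  host-keys = mapAttrs (host: _: gen-host-keys host) initrd-hosts;

in {
  config = mkIf (ip != null) {
    boot = {
      # Static address for the kernel's early network setup, so the initrd sshd
      # is reachable before the root filesystem is available.
      kernelParams = [ "ip=${ip}" ];

      initrd = let
        host-key-pkg = host-keys.${hostname};
        host-privkey = "${host-key-pkg}/ssh_host_ed25519_key";
      in {
        network = {
          enable = true;
          ssh = let
            # Every local admin's authorized keys may log into the initrd.
            admin-ssh-keys = concatMap
              (admin: config.fudo.users.${admin}.ssh-authorized-keys)
              config.instance.local-admins;
          in {
            enable = true;
            port = 22;
            authorizedKeys = admin-ssh-keys;
            hostKeys = [ host-privkey ];
          };
        };
      };
    };

    fudo.local-network = {
      # A "<host>-recovery" address entry per initrd-capable host.
      network-definition.hosts = mapAttrs' (host: _:
        nameValuePair "${host}-recovery" {
          ipv4-address = config.fudo.hosts.${host}.initrd-ip;
          description = "${host} initrd host";
        }) initrd-hosts;

      # SSHFP records for each initrd host key.
      #
      # NOTE(review): `read-lines` is not part of nixpkgs `lib`; presumably the
      # project extends `lib` with it — confirm. Reading a derivation output
      # during evaluation also forces the key and fingerprint derivations to be
      # built at evaluation time (import-from-derivation).
      #
      # NOTE(review): the records are published under `<host>`, while the
      # address entry above is named `<host>-recovery`; a client resolving
      # `<host>-recovery` will not find these fingerprints. Confirm which name
      # should carry them.
      extra-records = mapAttrs (host: key-pkg:
        let
          sshfp-pkg = gen-sshfp-records host key-pkg;
          sshfps = read-lines "${sshfp-pkg}/ssh_host_ed25519_key.sshfp";
        in map (sshfp: "${host} IN SSHFP ${sshfp}") sshfps) host-keys;
    };
  };
}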