{ config, lib, pkgs, ... }:

with lib;
let
  # Host this module is being evaluated for, and its initrd network address.
  inherit (config.instance) hostname;
  host-cfg = config.fudo.hosts.${hostname};
  # null when the host has no dedicated initrd address; everything under
  # `config` below is then disabled via mkIf.
  ip = host-cfg.initrd-ip;

  # Only ed25519 initrd host keys are generated and published.
  key-type = "ed25519";

  # File name shared by the generated key, its copy under /var/run/ssh and
  # the sshfp generator, so the three always agree.
  key-filename = "ssh_host_" + key-type + "_key";

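  # Build a fresh, passphrase-less SSH host key pair for HOSTNAME's initrd.
  #
  # Produces $out/${key-filename} (private key) and $out/${key-filename}.pub.
  #
  # SECURITY: derivation outputs live in the Nix store, which is world-readable
  # on the building machine and on every host the closure is copied to. The
  # private key is therefore readable by any local user of those machines; the
  # fudo.secrets entry in this module copies it to /var/run/ssh, but the store
  # copy remains. The build is also non-deterministic (ssh-keygen draws fresh
  # randomness), so a rebuild yields a new key and new SSHFP records.
  # NOTE(review): consider `preferLocalBuild = true; allowSubstitutes = false;`
  # so a key is never fetched from a binary cache — confirm with the project's
  # build setup before adding.
  gen-host-keys = hostname: pkgs.stdenv.mkDerivation {
    name = "${hostname}-initrd-ssh-keys";

    # Nothing to unpack or compile; only the key generation step runs.
    phases = [ "installPhase" ];

    # ssh-keygen runs at build time, so it is a native build input.
    nativeBuildInputs = with pkgs; [ openssh ];

    installPhase = ''
      mkdir "$out"
      ssh-keygen -q -t ${key-type} -N "" -f "$out/${key-filename}"
    '';
  };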

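  # Derive DNS SSHFP record payloads for the initrd host key in KEY-PKG.
  #
  # Writes $out/${key-filename}.sshfp with one payload per line
  # ("<algorithm> <fingerprint-type> <hex>"); the owner name and "IN SSHFP"
  # prefix that `ssh-keygen -r` emits are stripped so the caller can prepend
  # its own owner name.
  gen-sshfp-records = host: key-pkg: pkgs.stdenv.mkDerivation {
    # Name the derivation after the host whose key is fingerprinted. The
    # original used the enclosing module's `hostname`, so every host's
    # fingerprint derivation carried the same (wrong) name.
    name = "${host}-initrd-ssh-fingerprints";

    # Nothing to unpack or compile; only the fingerprinting step runs.
    phases = [ "installPhase" ];

    # ssh-keygen runs at build time, so it is a native build input.
    nativeBuildInputs = with pkgs; [ openssh ];

    installPhase = ''
      mkdir "$out"
      # -r prints "REMOVEME IN SSHFP <algo> <fptype> <hex>"; keep the payload only.
      ssh-keygen -r REMOVEME -f "${key-pkg}/${key-filename}" \
        | sed 's/^REMOVEME IN SSHFP //' > "$out/${key-filename}.sshfp"
    '';
  };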

  # One freshly generated initrd key package per local host, keyed by host
  # name. Keys are generated for every local host, including those that have
  # no initrd-ip configured.
  host-keys = genAttrs (attrNames config.instance.local-hosts) gen-host-keys;

in {
  config = mkIf (ip != null) {
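    boot = {
      # Give the initrd a static address via the kernel command line so it can
      # bring networking up before the real system is mounted.
      kernelParams = [
        "ip=${ip}"
      ];
      initrd = {
        network = {
          enable = true;

          # Let the local admins reach the initrd with the same authorized keys
          # they use for the running system.
          ssh = let
            admin-ssh-keys =
              concatMap (admin: config.fudo.users.${admin}.ssh-authorized-keys)
                config.instance.local-admins;
          in {
            enable = true;
            port = 22;
            authorizedKeys = admin-ssh-keys;
            # Path on the build host, populated by the fudo.secrets.host-secrets
            # entry in this module; it must exist when the initrd is built.
            # NOTE(review): presumably NixOS embeds this file into the initrd
            # image, which typically sits unencrypted in /boot — confirm that
            # exposure is acceptable for this key.
            hostKeys = [
              "/var/run/ssh/${key-filename}"
            ];
          };
        };
      };
    };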

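    fudo = {
      # Deploy each generated initrd key to the path boot.initrd.network.ssh
      # .hostKeys expects. source-file is a Nix store path, so the private key
      # is also world-readable there (see gen-host-keys).
      secrets.host-secrets = mapAttrs
        (hostname: key-pkg: {
          initrd-ssh-host-key = {
            source-file = "${key-pkg}/${key-filename}";
            target-file = "/var/run/ssh/${key-filename}";
            user = "root";
          };
        })
        host-keys;

      local-network = {
        # Each local host's initrd is reachable as <host>-recovery at its
        # initrd-ip. NOTE(review): hosts whose initrd-ip is null still get an
        # entry here; filter them out if the option does not accept null.
        network-definition.hosts = mapAttrs'
          (hostname: hostOpts: nameValuePair "${hostname}-recovery"
            {
              ipv4-address = config.fudo.hosts.${hostname}.initrd-ip;
              description = "${hostname} initrd host";
            })
          config.instance.local-hosts;

        # Publish SSHFP records for the initrd keys under the *recovery* name,
        # i.e. the name that resolves to initrd-ip above, not under the primary
        # hostname. The initrd key is distinct from the host's normal key;
        # attaching it to the primary name would let a client relying on
        # VerifyHostKeyDNS accept the initrd key as valid for the running
        # system, while connections to <host>-recovery would have no record.
        extra-records =
          mapAttrs
            (hostname: key-pkg: let
              sshfp-pkg = gen-sshfp-records hostname key-pkg;
              # read-lines is not defined in this file; it is expected to come
              # from the project's extended lib.
              sshfps = read-lines "${sshfp-pkg}/${key-filename}.sshfp";
            in map (sshfp: "${hostname}-recovery IN SSHFP ${sshfp}") sshfps)
            host-keys;
      };
    };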
  };
}