nixos-config/lib/fudo/initrd-network.nix

{ config, lib, pkgs, ... }:

with lib;
let
  hostname = config.instance.hostname;
  initrd-cfg = config.fudo.hosts.${hostname}.initrd-network;

  read-lines = filename: splitString "\n" (fileContents filename);

  concatLists = lsts: concatMap (i: i) lsts;

  gen-sshfp-records-pkg = hostname: pubkey: let
    pubkey-file = writeTextFile {
      name = "${hostname}-initrd-ssh-pubkey";
      text = pubkey;
    };
  in pkgs.stdenv.mkDerivation {
    name = "${hostname}-initrd-ssh-firngerprint";

    phases = [ "installPhase" ];

    installPhase = ''
      mkdir $out
      ssh-keygen -r REMOVEME -f "${pubkey-file}" | sed 's/^REMOVEME IN SSHFP //' >> $out/initrd-ssh-pubkey.sshfp
    '';
  };

  gen-sshfp-records = hostname: pubkey: let
    sshfp-record-pkg = gen-sshfp-records-pkg hostname pubkey;
  in read-lines "${sshfp-record-pkg}/initrd-ssh-pubkey.sshfp";

in {
  config = {
    boot = mkIf (initrd-cfg != null) {
      kernelParams = [
        "ip=${initrd-cfg.ip}"
      ];
      initrd = {
        network = {
          enable = true;

          ssh = let
            admin-ssh-keys =
              concatMap (admin: config.fudo.users.${admin}.ssh-authorized-keys)
                config.instance.local-admins;
          in {
            enable = true;
            port = 22;
            authorizedKeys = admin-ssh-keys;
            hostKeys = [
              (builtins.trace initrd-cfg.keypair.private-key-file initrd-cfg.keypair.private-key-file)
            ];
          };
        };
      };
    };

    fudo = {
      ## Sigh...this doesn't work because the file isn't available soon enough
      ## during activation.
      #
      # secrets.host-secrets = mapAttrs
      #   (hostname: key-pkg: {
      #     initrd-ssh-host-key = {
      #       source-file = "${key-pkg}/${key-filename}";
      #       target-file = "/var/run/ssh/${key-filename}";
      #       user = "root";
      #     };
      #   })
      #   host-keys;

      local-network = let
        initrd-network-hosts =
          filterAttrs
            (hostname: hostOpts: hostOpts.initrd-network != null)
            config.instance.local-hosts;
      in {
        network-definition.hosts = mapAttrs'
          (hostname: hostOpts: nameValuePair "${hostname}-recovery"
            {
              ipv4-address = hostOpts.initrd-network-config.ip;
              description = "${hostname} initrd host";
            })
          initrd-network-hosts;

        extra-records = let
          recs = (mapAttrsToList
            (hostname: hostOpts: map
              (sshfp: "${hostname} IN SSHFP ${sshfp}")
              (gen-sshfp-records hostname hostOpts.initrd-network.keypair.public-key))
            initrd-network-hosts);
        in concatLists recs;
      };
    };
  };
}