nixos-config/lib/fudo/initrd-network.nix


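{ config, lib, pkgs, ... }:

# Enables SSH into this host's initrd (remote unlock / recovery) and
# publishes SSHFP records for the initrd host key in the local DNS zone.
with lib;
let
  hostname = config.instance.hostname;
  initrd-cfg = config.fudo.hosts.${hostname}.initrd-network;

  # Local hosts that carry an initrd-network-config. The lookup is guarded so
  # hosts without the attribute (or with it set to null) are skipped instead of
  # aborting evaluation.
  initrd-hosts = filterAttrs
    (_: hostOpts: (hostOpts.initrd-network-config or null) != null)
    config.instance.local-hosts;

  # Build a derivation whose single output file holds the SSHFP RDATA for
  # `pubkey` ("<algo> <fp-type> <fingerprint>", one per line).  ssh-keygen -r
  # emits both a SHA-1 (type 1) and a SHA-256 (type 2) record; both are kept as
  # emitted.  The placeholder owner name REMOVEME is stripped so the caller can
  # prefix each line with the DNS name it wants.
  gen-sshfp-records = host: pubkey:
    let
      pubkey-file = pkgs.writeTextFile {
        name = "${host}-initrd-ssh-pubkey";
        text = pubkey;
      };
    in pkgs.stdenv.mkDerivation {
      name = "${host}-initrd-ssh-fingerprint";
      # ssh-keygen is not part of stdenv; without openssh the build fails in
      # the sandbox.
      nativeBuildInputs = [ pkgs.openssh ];
      phases = [ "installPhase" ];
      installPhase = ''
        mkdir -p "$out"
        ssh-keygen -r REMOVEME -f "${pubkey-file}" \
          | sed 's/^REMOVEME IN SSHFP //' \
          > "$out/${host}-initrd-ssh-pubkey.sshfp"
      '';
    };

  # Read the generated SSHFP file back at evaluation time.  This is
  # import-from-derivation: the derivation is built while the config is
  # evaluated.  Empty lines (trailing newline) are dropped.
  sshfp-lines = host: pubkey:
    let sshfp-pkg = gen-sshfp-records host pubkey;
    in filter (line: line != "")
      (splitString "\n"
        (fileContents "${sshfp-pkg}/${host}-initrd-ssh-pubkey.sshfp"));

in {
  config = mkIf (initrd-cfg != null) {
    boot = {
      # Static address for the initrd network stack (kernel ip= parameter).
      kernelParams = [ "ip=${initrd-cfg.ip}" ];
      initrd.network = {
        enable = true;
        ssh = let
          admin-ssh-keys = concatMap
            (admin: config.fudo.users.${admin}.ssh-authorized-keys)
            config.instance.local-admins;
        in {
          enable = true;
          # Same port as the main sshd: a client holding a known_hosts entry for
          # the main host key sees a mismatch against the initrd key unless it
          # validates via the SSHFP records published below.
          port = 22;
          authorizedKeys = admin-ssh-keys;
          # The private key is copied into the initrd image, which typically
          # sits unencrypted on /boot; treat this keypair as lower-trust than
          # the main host key and never reuse the main key here.
          hostKeys = [ initrd-cfg.keypair.private-key-file ];
        };
      };
    };

    fudo = {
      ## Sigh...this doesn't work because the file isn't available soon enough
      ## during activation.
      #
      # secrets.host-secrets = mapAttrs
      #   (hostname: key-pkg: {
      #     initrd-ssh-host-key = {
      #       source-file = "${key-pkg}/${key-filename}";
      #       target-file = "/var/run/ssh/${key-filename}";
      #       user = "root";
      #     };
      #   })
      #   host-keys;
      local-network = {
        # One "<hostname>-recovery" address record per initrd-enabled host,
        # pointing at the initrd IP.
        network-definition.hosts = mapAttrs'
          (host: hostOpts: nameValuePair "${host}-recovery" {
            ipv4-address = hostOpts.initrd-network-config.ip;
            description = "${host} initrd host";
          })
          initrd-hosts;
        # SSHFP records for each initrd host key, published under the main
        # hostname so a VerifyHostKeyDNS client connecting during boot can
        # validate the initrd key.  A zone needs DNSSEC for clients to trust
        # these records.
        # NOTE(review): assumes extra-records is a flat list of zone-file lines
        # rather than an attrset keyed by host — confirm against the option
        # declaration.
        extra-records = concatLists (mapAttrsToList
          (host: hostOpts:
            map (sshfp: "${host} IN SSHFP ${sshfp}")
              (sshfp-lines host
                hostOpts.initrd-network-config.keypair.public-key))
          initrd-hosts);
      };
    };
  };
}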