vidhar: initrd ssh

4 files changed, 36 insertions, 20 deletions

diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix
index 4d7830e8..25f37133 100644
--- a/hosts/vidhar/default.nix
+++ b/hosts/vidhar/default.nix
@@ -3,6 +3,7 @@
   imports = with flake.nixosModules.systemProfiles; [
     ./zfs.nix
     initrd-all-crypto-modules default-locale openssh rebuild-machines
+    initrd-ssh
   ];
 
   config = {
@@ -41,15 +42,6 @@
           hdd4.device = "/dev/disk/by-label/${hostName}-hdd4";
           hdd5.device = "/dev/disk/by-label/${hostName}-hdd5";
         };
-
-        network = {
-          enable = true;
-          ssh = {
-            enable = true;
-            hostKeys = with config.sops.secrets; [ initrd_ssh_host_rsa_key.path initrd_ssh_host_ed25519_key.path ];
-            authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys ++ map (kF: builtins.readFile kF) config.users.users.root.openssh.authorizedKeys.keyFiles;
-          };
-        };
       };
       
       supportedFilesystems = [ "zfs" ];
@@ -58,17 +50,6 @@
       };
     };
 
-    sops.secrets = {
-      initrd_ssh_host_rsa_key = {
-          key = "rsa";
-          sopsFile = ./initrd-host-keys/private.yaml;
-      };
-      initrd_ssh_host_ed25519_key = {
-          key = "ed25519";
-          sopsFile = ./initrd-host-keys/private.yaml;
-      };
-    };
-
     fileSystems = {
       "/" = {
         fsType = "tmpfs";
diff --git a/system-profiles/initrd-ssh/default.nix b/system-profiles/initrd-ssh/default.nix
new file mode 100644
index 00000000..00fa55b6
--- /dev/null
+++ b/system-profiles/initrd-ssh/default.nix
@@ -0,0 +1,35 @@
+{ hostName, config, pkgs, ... }:
+{
+  config = {
+    boot.initrd.network = {
+      enable = true;
+      ssh = {
+        enable = true;
+        hostKeys = with config.sops.secrets; [ initrd_ssh_host_rsa_key.path initrd_ssh_host_ed25519_key.path ];
+        authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys ++ map (kF: builtins.readFile kF) config.users.users.root.openssh.authorizedKeys.keyFiles;
+      };
+    };
+    
+    sops.secrets = {
+      initrd_ssh_host_rsa_key = {
+          key = "rsa";
+          path = "/etc/initrd_ssh_host_rsa_key";
+          sopsFile = ./host-keys + "/${hostName}-private.yaml";
+      };
+      initrd_ssh_host_ed25519_key = {
+          key = "ed25519";
+          path = "/etc/initrd_ssh_host_ed25519_key";
+          sopsFile = ./host-keys + "/${hostName}-private.yaml";
+      };
+    };
+    environment.etc =
+      let
+        mkPubkey = typ: pkgs.runCommand "initrd_ssh_host_${typ}_key" { buildInputs = with pkgs; [ yq ]; } ''
+          yq -r '.${typ}' ${./host-keys + "/${hostName}-public.yaml"} > $out
+        '';
+      in {
+        "initrd_ssh_host_rsa_key.pub".source = mkPubkey "rsa";
+        "initrd_ssh_host_ed25519_key.pub".source = mkPubkey "ed25519";
+      };
+  };
+}
diff --git a/hosts/vidhar/initrd-host-keys/private.yaml b/system-profiles/initrd-ssh/host-keys/vidhar-private.yaml
index ea424974..ea424974 100644
--- a/hosts/vidhar/initrd-host-keys/private.yaml
+++ b/system-profiles/initrd-ssh/host-keys/vidhar-private.yaml
diff --git a/hosts/vidhar/initrd-host-keys/public.yaml b/system-profiles/initrd-ssh/host-keys/vidhar-public.yaml
index af521564..af521564 100644
--- a/hosts/vidhar/initrd-host-keys/public.yaml
+++ b/system-profiles/initrd-ssh/host-keys/vidhar-public.yaml