diff options
| author | Gregor Kleen <gkleen@yggdrasil.li> | 2023-01-13 10:55:43 +0100 |
|---|---|---|
| committer | Gregor Kleen <gkleen@yggdrasil.li> | 2023-01-13 10:55:43 +0100 |
| commit | 4d7bf8c3e3dfce240c55b8fd863916dff0dc497c (patch) | |
| tree | 450ffe476607ce4651113a665cfc1f90b4766955 /system-profiles/initrd-ssh/default.nix | |
| parent | 9cbd833e5d5c3c146bf0e2d2187f1dcf3a82d912 (diff) | |
| download | nixos-4d7bf8c3e3dfce240c55b8fd863916dff0dc497c.tar nixos-4d7bf8c3e3dfce240c55b8fd863916dff0dc497c.tar.gz nixos-4d7bf8c3e3dfce240c55b8fd863916dff0dc497c.tar.bz2 nixos-4d7bf8c3e3dfce240c55b8fd863916dff0dc497c.tar.xz nixos-4d7bf8c3e3dfce240c55b8fd863916dff0dc497c.zip | |
fixup initrd-ssh
Diffstat (limited to 'system-profiles/initrd-ssh/default.nix')
| -rw-r--r-- | system-profiles/initrd-ssh/default.nix | 46 |
1 files changed, 28 insertions, 18 deletions
diff --git a/system-profiles/initrd-ssh/default.nix b/system-profiles/initrd-ssh/default.nix index 55a608b9..dca0f125 100644 --- a/system-profiles/initrd-ssh/default.nix +++ b/system-profiles/initrd-ssh/default.nix | |||
| @@ -1,35 +1,45 @@ | |||
| 1 | { hostName, config, pkgs, ... }: | 1 | { hostName, config, pkgs, lib, ... }: |
| 2 | |||
| 3 | with lib; | ||
| 4 | |||
| 2 | { | 5 | { |
| 6 | imports = [ ./module.nix ]; | ||
| 7 | |||
| 3 | config = { | 8 | config = { |
| 4 | boot.initrd.network = { | 9 | boot.initrd = { |
| 5 | enable = true; | 10 | network = { |
| 6 | ssh = { | ||
| 7 | enable = true; | 11 | enable = true; |
| 8 | hostKeys = with config.sops.secrets; [ initrd_ssh_host_rsa_key.path initrd_ssh_host_ed25519_key.path ]; | 12 | ssh = { |
| 9 | authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys ++ map (kF: builtins.readFile kF) config.users.users.root.openssh.authorizedKeys.keyFiles; | 13 | enable = true; |
| 14 | hostKeys = [ "/etc/ssh/ssh_host_ed25519_key" "/etc/ssh/ssh_host_rsa_key" ]; | ||
| 15 | authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys ++ map (kF: builtins.readFile kF) config.users.users.root.openssh.authorizedKeys.keyFiles; | ||
| 16 | }; | ||
| 17 | }; | ||
| 18 | |||
| 19 | secrets = with config.sops.secrets; { | ||
| 20 | "/etc/ssh/ssh_host_ed25519_key" = initrd_ssh_host_ed25519_key.path; | ||
| 21 | "/etc/ssh/ssh_host_rsa_key" = initrd_ssh_host_rsa_key.path; | ||
| 22 | }; | ||
| 23 | |||
| 24 | extraFiles = let | ||
| 25 | mkPubkey = typ: pkgs.runCommand "ssh_host_${typ}_key.pub" { buildInputs = with pkgs; [ yq ]; } '' | ||
| 26 | yq -r '.${typ}' ${./host-keys + "/${hostName}-public.yaml"} > $out | ||
| 27 | ''; | ||
| 28 | in { | ||
| 29 | "/etc/ssh/ssh_host_rsa_key.pub".source = mkPubkey "rsa"; | ||
| 30 | "/etc/ssh/ssh_host_ed25519_key.pub".source = mkPubkey "ed25519"; | ||
| 10 | }; | 31 | }; |
| 11 | }; | 32 | }; |
| 12 | 33 | ||
| 13 | sops.secrets = { | 34 | sops.secrets = { |
| 14 | initrd_ssh_host_rsa_key = { | 35 | initrd_ssh_host_rsa_key = { |
| 15 | key = "rsa"; | 36 | key = "rsa"; |
| 16 | path = "/etc/initrd-ssh/ssh_host_rsa_key"; | ||
| 17 | sopsFile = ./host-keys + "/${hostName}-private.yaml"; | 37 | sopsFile = ./host-keys + "/${hostName}-private.yaml"; |
| 18 | }; | 38 | }; |
| 19 | initrd_ssh_host_ed25519_key = { | 39 | initrd_ssh_host_ed25519_key = { |
| 20 | key = "ed25519"; | 40 | key = "ed25519"; |
| 21 | path = "/etc/initrd-ssh/ssh_host_ed25519_key"; | ||
| 22 | sopsFile = ./host-keys + "/${hostName}-private.yaml"; | 41 | sopsFile = ./host-keys + "/${hostName}-private.yaml"; |
| 23 | }; | 42 | }; |
| 24 | }; | 43 | }; |
| 25 | environment.etc = | ||
| 26 | let | ||
| 27 | mkPubkey = typ: pkgs.runCommand "initrd_ssh_host_${typ}_key" { buildInputs = with pkgs; [ yq ]; } '' | ||
| 28 | yq -r '.${typ}' ${./host-keys + "/${hostName}-public.yaml"} > $out | ||
| 29 | ''; | ||
| 30 | in { | ||
| 31 | "initrd-ssh/ssh_host_rsa_key.pub".source = mkPubkey "rsa"; | ||
| 32 | "initrd-ssh/ssh_host_ed25519_key.pub".source = mkPubkey "ed25519"; | ||
| 33 | }; | ||
| 34 | }; | 44 | }; |
| 35 | } | 45 | } |