diff options
-rw-r--r-- | hosts/vidhar/default.nix | 21 | ||||
-rw-r--r-- | system-profiles/initrd-ssh/default.nix | 35 | ||||
-rw-r--r-- | system-profiles/initrd-ssh/host-keys/vidhar-private.yaml (renamed from hosts/vidhar/initrd-host-keys/private.yaml) | 0 | ||||
-rw-r--r-- | system-profiles/initrd-ssh/host-keys/vidhar-public.yaml (renamed from hosts/vidhar/initrd-host-keys/public.yaml) | 0 |
4 files changed, 36 insertions, 20 deletions
diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix index 4d7830e8..25f37133 100644 --- a/hosts/vidhar/default.nix +++ b/hosts/vidhar/default.nix | |||
@@ -3,6 +3,7 @@ | |||
3 | imports = with flake.nixosModules.systemProfiles; [ | 3 | imports = with flake.nixosModules.systemProfiles; [ |
4 | ./zfs.nix | 4 | ./zfs.nix |
5 | initrd-all-crypto-modules default-locale openssh rebuild-machines | 5 | initrd-all-crypto-modules default-locale openssh rebuild-machines |
6 | initrd-ssh | ||
6 | ]; | 7 | ]; |
7 | 8 | ||
8 | config = { | 9 | config = { |
@@ -41,15 +42,6 @@ | |||
41 | hdd4.device = "/dev/disk/by-label/${hostName}-hdd4"; | 42 | hdd4.device = "/dev/disk/by-label/${hostName}-hdd4"; |
42 | hdd5.device = "/dev/disk/by-label/${hostName}-hdd5"; | 43 | hdd5.device = "/dev/disk/by-label/${hostName}-hdd5"; |
43 | }; | 44 | }; |
44 | |||
45 | network = { | ||
46 | enable = true; | ||
47 | ssh = { | ||
48 | enable = true; | ||
49 | hostKeys = with config.sops.secrets; [ initrd_ssh_host_rsa_key.path initrd_ssh_host_ed25519_key.path ]; | ||
50 | authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys ++ map (kF: builtins.readFile kF) config.users.users.root.openssh.authorizedKeys.keyFiles; | ||
51 | }; | ||
52 | }; | ||
53 | }; | 45 | }; |
54 | 46 | ||
55 | supportedFilesystems = [ "zfs" ]; | 47 | supportedFilesystems = [ "zfs" ]; |
@@ -58,17 +50,6 @@ | |||
58 | }; | 50 | }; |
59 | }; | 51 | }; |
60 | 52 | ||
61 | sops.secrets = { | ||
62 | initrd_ssh_host_rsa_key = { | ||
63 | key = "rsa"; | ||
64 | sopsFile = ./initrd-host-keys/private.yaml; | ||
65 | }; | ||
66 | initrd_ssh_host_ed25519_key = { | ||
67 | key = "ed25519"; | ||
68 | sopsFile = ./initrd-host-keys/private.yaml; | ||
69 | }; | ||
70 | }; | ||
71 | |||
72 | fileSystems = { | 53 | fileSystems = { |
73 | "/" = { | 54 | "/" = { |
74 | fsType = "tmpfs"; | 55 | fsType = "tmpfs"; |
diff --git a/system-profiles/initrd-ssh/default.nix b/system-profiles/initrd-ssh/default.nix new file mode 100644 index 00000000..00fa55b6 --- /dev/null +++ b/system-profiles/initrd-ssh/default.nix | |||
@@ -0,0 +1,35 @@ | |||
1 | { hostName, config, pkgs, ... }: | ||
2 | { | ||
3 | config = { | ||
4 | boot.initrd.network = { | ||
5 | enable = true; | ||
6 | ssh = { | ||
7 | enable = true; | ||
8 | hostKeys = with config.sops.secrets; [ initrd_ssh_host_rsa_key.path initrd_ssh_host_ed25519_key.path ]; | ||
9 | authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys ++ map (kF: builtins.readFile kF) config.users.users.root.openssh.authorizedKeys.keyFiles; | ||
10 | }; | ||
11 | }; | ||
12 | |||
13 | sops.secrets = { | ||
14 | initrd_ssh_host_rsa_key = { | ||
15 | key = "rsa"; | ||
16 | path = "/etc/initrd_ssh_host_rsa_key"; | ||
17 | sopsFile = ./host-keys + "/${hostName}-private.yaml"; | ||
18 | }; | ||
19 | initrd_ssh_host_ed25519_key = { | ||
20 | key = "ed25519"; | ||
21 | path = "/etc/initrd_ssh_host_ed25519_key"; | ||
22 | sopsFile = ./host-keys + "/${hostName}-private.yaml"; | ||
23 | }; | ||
24 | }; | ||
25 | environment.etc = | ||
26 | let | ||
27 | mkPubkey = typ: pkgs.runCommand "initrd_ssh_host_${typ}_key" { buildInputs = with pkgs; [ yq ]; } '' | ||
28 | yq -r '.${typ}' ${./host-keys + "/${hostName}-public.yaml"} > $out | ||
29 | ''; | ||
30 | in { | ||
31 | "initrd_ssh_host_rsa_key.pub".source = mkPubkey "rsa"; | ||
32 | "initrd_ssh_host_ed25519_key.pub".source = mkPubkey "ed25519"; | ||
33 | }; | ||
34 | }; | ||
35 | } | ||
diff --git a/hosts/vidhar/initrd-host-keys/private.yaml b/system-profiles/initrd-ssh/host-keys/vidhar-private.yaml index ea424974..ea424974 100644 --- a/hosts/vidhar/initrd-host-keys/private.yaml +++ b/system-profiles/initrd-ssh/host-keys/vidhar-private.yaml | |||
diff --git a/hosts/vidhar/initrd-host-keys/public.yaml b/system-profiles/initrd-ssh/host-keys/vidhar-public.yaml index af521564..af521564 100644 --- a/hosts/vidhar/initrd-host-keys/public.yaml +++ b/system-profiles/initrd-ssh/host-keys/vidhar-public.yaml | |||