-rw-r--r--hosts/vidhar/default.nix21
-rw-r--r--system-profiles/initrd-ssh/default.nix35
-rw-r--r--system-profiles/initrd-ssh/host-keys/vidhar-private.yaml (renamed from hosts/vidhar/initrd-host-keys/private.yaml)0
-rw-r--r--system-profiles/initrd-ssh/host-keys/vidhar-public.yaml (renamed from hosts/vidhar/initrd-host-keys/public.yaml)0
4 files changed, 36 insertions, 20 deletions
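diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix
index 4d7830e8..25f37133 100644
--- a/hosts/vidhar/default.nix
+++ b/hosts/vidhar/default.nix
@@ -3,6 +3,7 @@
 imports = with flake.nixosModules.systemProfiles; [
 ./zfs.nix
 initrd-all-crypto-modules default-locale openssh rebuild-machines
+initrd-ssh
 ];
 
 config = {
@@ -41,15 +42,6 @@
 hdd4.device = "/dev/disk/by-label/${hostName}-hdd4";
 hdd5.device = "/dev/disk/by-label/${hostName}-hdd5";
 };
-
-network = {
-enable = true;
-ssh = {
-enable = true;
-hostKeys = with config.sops.secrets; [ initrd_ssh_host_rsa_key.path initrd_ssh_host_ed25519_key.path ];
-authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys ++ map (kF: builtins.readFile kF) config.users.users.root.openssh.authorizedKeys.keyFiles;
-};
-};
 };
 
 supportedFilesystems = [ "zfs" ];
@@ -58,17 +50,6 @@
 };
 };
 
-sops.secrets = {
-initrd_ssh_host_rsa_key = {
-key = "rsa";
-sopsFile = ./initrd-host-keys/private.yaml;
-};
-initrd_ssh_host_ed25519_key = {
-key = "ed25519";
-sopsFile = ./initrd-host-keys/private.yaml;
-};
-};
-
 fileSystems = {
 "/" = {
 fsType = "tmpfs";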
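diff --git a/system-profiles/initrd-ssh/default.nix b/system-profiles/initrd-ssh/default.nix
new file mode 100644
index 00000000..00fa55b6
--- /dev/null
+++ b/system-profiles/initrd-ssh/default.nix
@@ -0,0 +1,35 @@
+{ hostName, config, pkgs, ... }:
+{
+config = {
+boot.initrd.network = {
+enable = true;
+ssh = {
+enable = true;
+hostKeys = with config.sops.secrets; [ initrd_ssh_host_rsa_key.path initrd_ssh_host_ed25519_key.path ];
+authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys ++ map (kF: builtins.readFile kF) config.users.users.root.openssh.authorizedKeys.keyFiles;
+};
+};
+
+sops.secrets = {
+initrd_ssh_host_rsa_key = {
+key = "rsa";
+path = "/etc/initrd_ssh_host_rsa_key";
+sopsFile = ./host-keys + "/${hostName}-private.yaml";
+};
+initrd_ssh_host_ed25519_key = {
+key = "ed25519";
+path = "/etc/initrd_ssh_host_ed25519_key";
+sopsFile = ./host-keys + "/${hostName}-private.yaml";
+};
+};
+environment.etc =
+let
+mkPubkey = typ: pkgs.runCommand "initrd_ssh_host_${typ}_key" { buildInputs = with pkgs; [ yq ]; } ''
+yq -r '.${typ}' ${./host-keys + "/${hostName}-public.yaml"} > $out
+'';
+in {
+"initrd_ssh_host_rsa_key.pub".source = mkPubkey "rsa";
+"initrd_ssh_host_ed25519_key.pub".source = mkPubkey "ed25519";
+};
+};
+}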
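Review bot: The `hostKeys` line hands `boot.initrd.network.ssh` the sops-managed paths `/etc/initrd_ssh_host_rsa_key` and `/etc/initrd_ssh_host_ed25519_key`, which sops-nix only populates at activation, while NixOS copies those files into the initrd (through `boot.initrd.secrets`, as far as I recall) when the boot entry is generated, so a first install or a rebuild run before the secrets exist may build the initrd without them or fail, and once copied the private keys sit under /boot outside sops' protection. A header comment stating that ordering and the /boot requirement would spare the next reader the surprise, e.g. `# The private keys below are decrypted by sops at activation and copied into the initrd when the boot entry is built; the initrd under /boot must be protected accordingly.` The `sopsFile` expression is written twice; binding it once, `let sopsFile = ./host-keys + "/${hostName}-private.yaml"; in`, keeps both secrets pointed at the same file. Note also that `mkPubkey` relies on the jq-style `yq -r '.rsa'` syntax of `pkgs.yq`; the Go `yq` interprets the same invocation differently, so the choice of package is worth a comment on the `buildInputs` line.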
diff --git a/hosts/vidhar/initrd-host-keys/private.yaml b/system-profiles/initrd-ssh/host-keys/vidhar-private.yaml
index ea424974..ea424974 100644
--- a/hosts/vidhar/initrd-host-keys/private.yaml
+++ b/system-profiles/initrd-ssh/host-keys/vidhar-private.yaml
diff --git a/hosts/vidhar/initrd-host-keys/public.yaml b/system-profiles/initrd-ssh/host-keys/vidhar-public.yaml
index af521564..af521564 100644
--- a/hosts/vidhar/initrd-host-keys/public.yaml
+++ b/system-profiles/initrd-ssh/host-keys/vidhar-public.yaml