Diffstat (limited to 'system-profiles/initrd-ssh/default.nix')
-rw-r--r--system-profiles/initrd-ssh/default.nix35
1 files changed, 35 insertions, 0 deletions
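diff --git a/system-profiles/initrd-ssh/default.nix b/system-profiles/initrd-ssh/default.nix
new file mode 100644
index 00000000..00fa55b6
--- /dev/null
+++ b/system-profiles/initrd-ssh/default.nix
@@ -0,0 +1,35 @@
+{ hostName, config, pkgs, ... }:
+{
+  config = {
+    boot.initrd.network = {
+      enable = true;
+      ssh = {
+        enable = true;
+        hostKeys = with config.sops.secrets; [ initrd_ssh_host_rsa_key.path initrd_ssh_host_ed25519_key.path ];
+        authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys ++ map (kF: builtins.readFile kF) config.users.users.root.openssh.authorizedKeys.keyFiles;
+      };
+    };
+
+    sops.secrets = {
+      initrd_ssh_host_rsa_key = {
+        key = "rsa";
+        path = "/etc/initrd_ssh_host_rsa_key";
+        sopsFile = ./host-keys + "/${hostName}-private.yaml";
+      };
+      initrd_ssh_host_ed25519_key = {
+        key = "ed25519";
+        path = "/etc/initrd_ssh_host_ed25519_key";
+        sopsFile = ./host-keys + "/${hostName}-private.yaml";
+      };
+    };
+    environment.etc =
+      let
+        mkPubkey = typ: pkgs.runCommand "initrd_ssh_host_${typ}_key" { buildInputs = with pkgs; [ yq ]; } ''
+          yq -r '.${typ}' ${./host-keys + "/${hostName}-public.yaml"} > $out
+        '';
+      in {
+        "initrd_ssh_host_rsa_key.pub".source = mkPubkey "rsa";
+        "initrd_ssh_host_ed25519_key.pub".source = mkPubkey "ed25519";
+      };
+  };
+}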
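Review bot: The private keys handed to `boot.initrd.network.ssh.hostKeys` (the sops-decrypted files under `/etc/initrd_ssh_host_*_key`) are copied into the initrd image, so they end up unencrypted on the boot partition rather than only in the sops-managed path, and nothing in the module records that. Using dedicated keys rather than the system sshd host keys is the right call here, but the intent should be stated so nobody later "deduplicates" them; a comment above `hostKeys` such as `# Dedicated keys: they are embedded in the initrd on /boot (unencrypted), so never reuse the system sshd host keys here.` would make the trust boundary explicit. It would also help to note above `sops.secrets` that the initrd build reads these files from the host filesystem, so they must be present when the initrd is assembled (presumably at bootloader install/activation time — worth confirming against how sops-nix and the initrd-secrets step are ordered on this system). The `mkPubkey` derivations only read the `-public.yaml` file, so the store copies they produce are fine.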