From 02a0b57551a6a5f9ebccff226c12b8f671a7c149 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Tue, 3 Aug 2021 17:12:41 +0200
Subject: vidhar: initrd ssh

---
 system-profiles/initrd-ssh/default.nix | 35 ++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 system-profiles/initrd-ssh/default.nix

(limited to 'system-profiles/initrd-ssh/default.nix')

diff --git a/system-profiles/initrd-ssh/default.nix b/system-profiles/initrd-ssh/default.nix
new file mode 100644
index 00000000..00fa55b6
--- /dev/null
+++ b/system-profiles/initrd-ssh/default.nix
@@ -0,0 +1,35 @@
+{ hostName, config, pkgs, ... }:
+{
+ config = {
+ boot.initrd.network = {
+ enable = true;
+ ssh = {
+ enable = true;
+ hostKeys = with config.sops.secrets; [ initrd_ssh_host_rsa_key.path initrd_ssh_host_ed25519_key.path ];
+ authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys ++ map (kF: builtins.readFile kF) config.users.users.root.openssh.authorizedKeys.keyFiles;
+ };
+ };
+
+ sops.secrets = {
+ initrd_ssh_host_rsa_key = {
+ key = "rsa";
+ path = "/etc/initrd_ssh_host_rsa_key";
+ sopsFile = ./host-keys + "/${hostName}-private.yaml";
+ };
+ initrd_ssh_host_ed25519_key = {
+ key = "ed25519";
+ path = "/etc/initrd_ssh_host_ed25519_key";
+ sopsFile = ./host-keys + "/${hostName}-private.yaml";
+ };
+ };
+ environment.etc =
+ let
+ mkPubkey = typ: pkgs.runCommand "initrd_ssh_host_${typ}_key" { buildInputs = with pkgs; [ yq ]; } ''
+ yq -r '.${typ}' ${./host-keys + "/${hostName}-public.yaml"} > $out
+ '';
+ in {
+ "initrd_ssh_host_rsa_key.pub".source = mkPubkey "rsa";
+ "initrd_ssh_host_ed25519_key.pub".source = mkPubkey "ed25519";
+ };
+ };
+}
-- 
cgit v1.2.3
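Review bot: The `hostKeys` entries point at the sops-managed paths `/etc/initrd_ssh_host_*_key`, which only exist once sops-nix activation has decrypted them, while NixOS copies `boot.initrd.network.ssh.hostKeys` into the initrd as initrd secrets at bootloader-install time; on a fresh deploy of this profile that copy step can run before the secrets are present and fail on the missing files (inferred from the ordering of the two modules, worth confirming on a clean install). Independently of that ordering, the copy that lands inside the initrd is no longer protected by sops at all — the initrd normally lives on an unencrypted boot partition — so these keys should be treated as readable by anyone with access to that partition and kept distinct from the system's regular sshd host keys (the separate file names suggest that is the intent, but nothing here enforces it). Because `authorizedKeys` reuses root's `keys` and `keyFiles`, every key that can log in as root can also reach the pre-boot environment where disk passphrases are entered; if that is deliberate a comment should say so, e.g. `# initrd accepts exactly root's login keys; anyone holding one can observe the unlock`. A short comment on the `environment.etc` block stating why the `.pub` files are exported to `/etc` (for other hosts' `known_hosts`, if that is the purpose) would also help the next reader.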