nix-config/config/support/initrd-ssh.nix

{ config, pkgs, ... }:
let
  # Where agenix materializes the decrypted initrd SSH host key.
  # Every reference below goes through this binding so the path is
  # spelled in exactly one place.
  initrdHostKey = config.age.secrets.initrd_host_ed25519_key.path;
in
{
  # Let agenix's generator create the key material (an ed25519 key pair)
  # instead of checking a hand-made key into the repository.
  age.secrets.initrd_host_ed25519_key.generator.script = "ssh-ed25519";

  boot.initrd.network = {
    enable = true;
    ssh = {
      enable = true;
      # Deliberately not 22, so clients keep a known_hosts entry for the
      # initrd sshd that is separate from the one for the real host sshd
      # (the two use different host keys). NOTE(review): the rationale is
      # inferred from the setup, not stated anywhere in this file.
      port = 4;
      # Caveat on build ordering: the initrd is assembled before agenix
      # has decrypted this secret, so a changed initrd host key only lands
      # in the initrd on the activation *after* the one that decrypted it.
      # Enabling this module on a fresh host likewise needs a placeholder
      # key (see the activation script below) before a usable initrd can
      # be built at all.
      # Security NOTE(review): the private key is copied into the initrd,
      # which on most systems sits on an unencrypted boot partition;
      # assume anyone with disk access can read it, keep it distinct from
      # the main sshd host key, and pin it in known_hosts as its own entry.
      hostKeys = [ initrdHostKey ];
    };
  };

  system.activationScripts = {
    # Guarantee that *some* initrd host key exists so the initrd build
    # never fails. On a first install (or re-install) agenix cannot
    # decrypt the real key yet, because the host identity it was rekeyed
    # for does not exist. In that case an unencrypted placeholder key is
    # generated locally (-N "" — the initrd cannot prompt for a
    # passphrase). The real key replaces it on the next update after the
    # host has booted once and the secrets were rekeyed for its identity;
    # clients that connected to the placeholder will then see the host
    # key change.
    agenixEnsureInitrdHostkey = {
      text = ''
        if [[ ! -e ${initrdHostKey} ]]; then
          mkdir -p "$(dirname "${initrdHostKey}")"
          ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f "${initrdHostKey}"
        fi
      '';
      # Run only after agenix has had its chance to install the real key
      # and after user accounts exist.
      deps = [
        "agenixInstall"
        "users"
      ];
    };
    # Order agenix's ownership fix-up after the placeholder generation so
    # a freshly generated key is covered by it as well.
    agenixChown.deps = [ "agenixEnsureInitrdHostkey" ];
  };
}