From b595aceb7cc794173522e65c49b7da6edd5cec28 Mon Sep 17 00:00:00 2001
From: Simon Bruder
Date: Tue, 6 Apr 2021 11:45:04 +0200
Subject: [PATCH] initrd-ssh: Treat host-key as state

This also removes the explicit passing of the public key fingerprint to the unlock script, since the host key is no longer available in pass. Unlocking still works, since the keys are configured in modules/ssh.nix.
---
 modules/initrd-ssh.nix | 6 +++---
 shell.nix | 2 --
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/modules/initrd-ssh.nix b/modules/initrd-ssh.nix
index 4b38c2b..afda98b 100644
--- a/modules/initrd-ssh.nix
+++ b/modules/initrd-ssh.nix
@@ -9,10 +9,10 @@
 ssh = {
 enable = lib.mkDefault config.boot.initrd.network.enable;
 port = 2222;
- # ssh-keygen -t ed25519 -N "" -f initrd-ssh-host-key -C HOSTNAME
- # pass insert -m nixos/machines/HOSTNAME/initrd-ssh-host-key < initrd-ssh-host-key
+ # ssh-keygen -t ed25519 -N "" -f ssh_host_ed25519_key_initrd -C HOSTNAME
+ # scp ssh_host_ed25519_key_initrd root@machine:/etc/ssh/
 hostKeys = [
- (toString + "/initrd-ssh-host-key")
+ "/etc/ssh/ssh_host_ed25519_key_initrd"
 ];
 };
 };
diff --git a/shell.nix b/shell.nix
index dfa1286..74be3ff 100644
--- a/shell.nix
+++ b/shell.nix
@@ -37,8 +37,6 @@ let
 # opening luks fails if gpg-agent is not unlocked yet
 pass "devices/$machine/luks" >/dev/null
 ssh \
 -oStrictHostKeyChecking=no \
 -oGlobalKnownHostsFile=<(echo "[$hostname]:2222 ssh-ed25519 $(ssh-keygen -l -f <(ssh-keygen -y -f<(pass "nixos/machines/$machine/initrd-ssh-host-key")) | cut -d' ' -f2)") \
 -4 \
 -p 2222 \
 "root@$hostname" \
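Review bot: The new comment above `hostKeys` documents how to generate and copy the key but not what the path is used for: as far as I know `boot.initrd.network.ssh.hostKeys` imports the file into the initrd, which normally sits on an unencrypted /boot, and a rebuild on a machine where `/etc/ssh/ssh_host_ed25519_key_initrd` does not yet exist will fail rather than fall back to anything. A one-line note such as `# NOTE: copied into the initrd (usually on unencrypted /boot); must exist on the target before the first rebuild, keep it 0600` would save the next person a failed deploy. The placeholder is also inconsistent between the two comment lines, `-C HOSTNAME` versus `root@machine`; `# scp ssh_host_ed25519_key_initrd root@HOSTNAME:/etc/ssh/` keeps them aligned. The `ssh` attribute set starts inside this hunk but the enclosing module continues outside it.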
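Review bot: Dropping `-oStrictHostKeyChecking=no` and the pinned `-oGlobalKnownHostsFile` entry leaves the unlock `ssh` call on OpenSSH's default `StrictHostKeyChecking=ask`, so if the `[$hostname]:2222` entry that modules/ssh.nix presumably provides is missing or does not match the initrd key, an unattended run blocks on an interactive prompt instead of failing, right before the step that feeds the LUKS passphrase. Since the commit message says the keys are now configured centrally, pin the policy explicitly with `-oStrictHostKeyChecking=yes \` after `ssh \` so a mismatch fails closed. It is worth confirming (not visible here) that the knownHosts entry is keyed as `[HOSTNAME]:2222` with the initrd host key rather than the regular sshd key on port 22, since the old pinned entry used that form. The shell function continues past the end of this hunk.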