initrd-ssh: Treat host-key as state

This also removes the explicit passing of the public key fingerprint to the unlock script, since the host key is no longer available in pass. Unlocking still works, since the keys are configured in modules/ssh.nix.
2021-04-06 11:45:04 +02:00 · 2021-04-06 11:45:04 +02:00 · b595aceb7c
parent aaaeb56f18
commit b595aceb7c
2 changed files with 3 additions and 5 deletions
--- a/modules/initrd-ssh.nix
+++ b/modules/initrd-ssh.nix
@ -9,10 +9,10 @@
    ssh = {
      enable = lib.mkDefault config.boot.initrd.network.enable;
      port = 2222;
-      # ssh-keygen -t ed25519 -N "" -f initrd-ssh-host-key -C HOSTNAME
-      # pass insert -m nixos/machines/HOSTNAME/initrd-ssh-host-key < initrd-ssh-host-key
+      # ssh-keygen -t ed25519 -N "" -f ssh_host_ed25519_key_initrd -C HOSTNAME
+      # scp ssh_host_ed25519_key_initrd root@machine:/etc/ssh/
      hostKeys = [
-        (toString <secrets> + "/initrd-ssh-host-key")
+        "/etc/ssh/ssh_host_ed25519_key_initrd"
      ];
    };
  };
--- a/shell.nix
+++ b/shell.nix
@ -37,8 +37,6 @@ let
      # opening luks fails if gpg-agent is not unlocked yet
      pass "devices/$machine/luks" >/dev/null
      ssh \
-          -oStrictHostKeyChecking=no \
-          -oGlobalKnownHostsFile=<(echo "[$hostname]:2222 ssh-ed25519 $(ssh-keygen -l -f <(ssh-keygen -y -f<(pass "nixos/machines/$machine/initrd-ssh-host-key")) | cut -d' ' -f2)") \
          -4 \
          -p 2222 \
          "root@$hostname" \