initrd-ssh: Treat host-key as state

This also removes the explicit passing of the public key fingerprint to
the unlock script, since the host key is no longer available in pass.
Unlocking still works, since the keys are configured in modules/ssh.nix.
Simon Bruder 2021-04-06 11:45:04 +02:00
parent aaaeb56f18
commit b595aceb7c
Signed by: simon
GPG key ID: 8D3C82F9F309F8EC
2 changed files with 3 additions and 5 deletions


@ -9,10 +9,10 @@
ssh = {
enable = lib.mkDefault config.boot.initrd.network.enable;
port = 2222;
# ssh-keygen -t ed25519 -N "" -f initrd-ssh-host-key -C HOSTNAME
# pass insert -m nixos/machines/HOSTNAME/initrd-ssh-host-key < initrd-ssh-host-key
# ssh-keygen -t ed25519 -N "" -f ssh_host_ed25519_key_initrd -C HOSTNAME
# scp ssh_host_ed25519_key_initrd root@machine:/etc/ssh/
hostKeys = [
(toString <secrets> + "/initrd-ssh-host-key")
"/etc/ssh/ssh_host_ed25519_key_initrd"
];
};
};
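Review bot: The new provisioning comment (the `ssh-keygen` / `scp ... root@machine:/etc/ssh/` lines in this hunk) documents generating the key and copying it onto the machine, but not how its public half reaches the client now that the unlock script no longer pins the fingerprint via `GlobalKnownHostsFile`; the commit message says this is handled in modules/ssh.nix, so the comment should say so, e.g. `# then add the public key as a known host for [HOSTNAME]:2222 (see modules/ssh.nix) so the unlock script can verify it`. Because the private key is now copied by hand rather than produced from <secrets>, it is also worth one line noting that the file must stay root-owned with mode 0600 and that, being machine state rather than something in pass, it has to be backed up separately or regenerated (and re-pinned) on reinstall. Both points are documentation only; the `hostKeys` path itself needs no change.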


@ -37,8 +37,6 @@ let
# opening luks fails if gpg-agent is not unlocked yet
pass "devices/$machine/luks" >/dev/null
ssh \
-oStrictHostKeyChecking=no \
-oGlobalKnownHostsFile=<(echo "[$hostname]:2222 ssh-ed25519 $(ssh-keygen -l -f <(ssh-keygen -y -f<(pass "nixos/machines/$machine/initrd-ssh-host-key")) | cut -d' ' -f2)") \
-4 \
-p 2222 \
"root@$hostname" \