baremetal: regen 3072 bit rsa keys
This commit is contained in:
parent
00000017b2
commit
000000710a
|
@ -58,12 +58,20 @@
|
||||||
smartd.enable = true;
|
smartd.enable = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
system.activationScripts.generateInitrdOpensshHostKeys = lib.mkIf config.boot.initrd.network.ssh.enable ''
|
system.activationScripts.generateInitrdOpensshHostKeys = let
|
||||||
|
sshKeygen = "${config.programs.ssh.package}/bin/ssh-keygen";
|
||||||
|
in lib.mkIf config.boot.initrd.network.ssh.enable ''
|
||||||
if [[ ! -e ${initrdEd2219Key} || ! -e ${initrdRsaKey} ]]; then
|
if [[ ! -e ${initrdEd2219Key} || ! -e ${initrdRsaKey} ]]; then
|
||||||
echo "Generating initrd OpenSSH hostkeys..."
|
echo "Generating initrd OpenSSH hostkeys..."
|
||||||
mkdir -m700 -p /etc/ssh/initrd/
|
mkdir -m700 -p /etc/ssh/initrd/
|
||||||
${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f ${initrdEd2219Key}
|
${sshKeygen} -t ed25519 -N "" -f ${initrdEd2219Key}
|
||||||
${pkgs.openssh}/bin/ssh-keygen -t rsa -N "" -f ${initrdRsaKey}
|
${sshKeygen} -t rsa -b 4096 -N "" -f ${initrdRsaKey}
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [[ -e ${initrdRsaKey} && $(${sshKeygen} -l -f ${initrdRsaKey} | ${pkgs.gawk}/bin/awk '{print $1}') == 3072 ]]; then
|
||||||
|
echo "Upgrading RSA initrd OpenSSH hostkey with only 3072 bit..."
|
||||||
|
rm -f ${initrdRsaKey} ${initrdRsaKey}.pub
|
||||||
|
${sshKeygen} -t rsa -b 4096 -N "" -f ${initrdRsaKey}
|
||||||
fi
|
fi
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
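Review bot: The upgrade guard `if [[ -e ${initrdRsaKey} && $(${sshKeygen} -l -f ${initrdRsaKey} | ... awk '{print $1}') == 3072 ]]` only rotates a key that is exactly 3072 bits, so a host still carrying a 2048-bit RSA key from an older ssh-keygen default (or any other sub-4096 size) keeps it indefinitely, while empty output from a failed listing silently skips the branch. I would capture the size once and compare numerically, keeping the non-numeric case as a no-op so a broken listing never reaches the destructive `rm -f`: `bits=$(${sshKeygen} -l -f ${initrdRsaKey} 2>/dev/null | ${pkgs.gawk}/bin/awk '{print $1}')`, `if [[ -e ${initrdRsaKey} && "$bits" =~ ^[0-9]+$ && "$bits" -lt 4096 ]]; then`, and `echo "Upgrading RSA initrd OpenSSH hostkey with only $bits bit..."` instead of the hard-coded 3072 message. Regenerating the RSA host key changes the initrd's host identity, so any client with a pinned known_hosts entry for the initrd SSH port will see a host-key mismatch; logging the new fingerprint with `${sshKeygen} -l -f ${initrdRsaKey}` after regeneration would let operators update it out of band. The module attribute set this activation script lives in starts before the hunk.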