baremetal: generate initrd host keys if they don't exist and are required

modules/baremetal.nix

@@ -3,15 +3,19 @@
 {
   options.c3d2.baremetal = lib.mkEnableOption "baremetal";
 
-  config = lib.mkIf config.c3d2.baremetal {
+  config = let
+    initrdEd2219Key = "/etc/ssh/initrd/ssh_host_ed25519_key";
+    initrdRsaKey = "/etc/ssh/initrd/ssh_host_rsa_key";
+  in lib.mkIf config.c3d2.baremetal {
     boot.initrd.network = {
       enable = true;
       ssh = {
-        enable = true;
+        # TODO: enable now per machine
+        # enable = true;
         authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
         hostKeys = [
-          "/etc/ssh/initrd/ssh_host_ed25519_key"
-          "/etc/ssh/initrd/ssh_host_rsa_key"
+          initrdEd2219Key
+          initrdRsaKey
         ];
         port = 4748;
       };
@@ -37,5 +41,14 @@
       fstrim.enable = true;
       smartd.enable = true;
     };
+
+    system.activationScripts.generateInitrdOpensshHostKeys = lib.mkIf config.boot.initrd.network.ssh.enable ''
+      if [[ ! -e ${initrdEd2219Key} || ! -e ${initrdRsaKey} ]]; then
+        echo "Generating initrd OpenSSH hostkeys..."
+        mkdir -m700 -p /etc/ssh/initrd/
+        ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f ${initrdEd2219Key}
+        ${pkgs.openssh}/bin/ssh-keygen -t rsa -N "" -f ${initrdRsaKey}
+      fi
+    '';
   };
 }