From 45d251666e81175759d906a80e5a1d5c91af663a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?=
Date: Sat, 20 May 2023 22:12:16 +0200
Subject: [PATCH] baremetal: generate initrd host keys if they don't exist and are required

---
 modules/baremetal.nix | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/modules/baremetal.nix b/modules/baremetal.nix
index 27029025..d365856b 100644
--- a/modules/baremetal.nix
+++ b/modules/baremetal.nix
@@ -3,15 +3,19 @@
 {
   options.c3d2.baremetal = lib.mkEnableOption "baremetal";
 
-  config = lib.mkIf config.c3d2.baremetal {
+  config = let
+    initrdEd2219Key = "/etc/ssh/initrd/ssh_host_ed25519_key";
+    initrdRsaKey = "/etc/ssh/initrd/ssh_host_rsa_key";
+  in lib.mkIf config.c3d2.baremetal {
     boot.initrd.network = {
       enable = true;
       ssh = {
-        enable = true;
+        # TODO: enable now per machine
+        # enable = true;
         authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
         hostKeys = [
-          "/etc/ssh/initrd/ssh_host_ed25519_key"
-          "/etc/ssh/initrd/ssh_host_rsa_key"
+          initrdEd2219Key
+          initrdRsaKey
         ];
         port = 4748;
       };
@@ -37,5 +41,14 @@
       fstrim.enable = true;
       smartd.enable = true;
     };
+
+    system.activationScripts.generateInitrdOpensshHostKeys = lib.mkIf config.boot.initrd.network.ssh.enable ''
+      if [[ ! -e ${initrdEd2219Key} || ! -e ${initrdRsaKey} ]]; then
+        echo "Generating initrd OpenSSH hostkeys..."
+        mkdir -m700 -p /etc/ssh/initrd/
+        ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f ${initrdEd2219Key}
+        ${pkgs.openssh}/bin/ssh-keygen -t rsa -N "" -f ${initrdRsaKey}
+      fi
+    '';
   };
 }
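Review bot: The guard in the activation script of the second hunk fires when either key file is missing but then runs ssh-keygen for both, so when only one key exists the other invocation hits ssh-keygen's interactive overwrite prompt on a non-interactive stdin and the script no longer does what its condition suggests; guarding each key separately avoids this, e.g. `[[ -e ${initrdEd2219Key} ]] || ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f ${initrdEd2219Key}` and the same for `${initrdRsaKey}`, with `mkdir -m700 -p /etc/ssh/initrd/` kept unconditional in front of them. The same paths are consumed through `boot.initrd.network.ssh.hostKeys`, which the initrd machinery reads when the bootloader is installed; if that step runs before activation on a fresh host, the first switch would presumably fail before this script has created the files, which is worth confirming and documenting next to the `lib.mkIf`. The keys are created with `-N ""`, which initrd host keys need, so a one-line comment above the `if` noting that anything able to read /etc/ssh/initrd/ (or the built initrd) holds the private keys would record why the directory is `-m700`. Lastly `initrdEd2219Key` reads like a typo for `initrdEd25519Key`; renaming it in both hunks keeps the binding consistent with the ed25519 path it holds.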