From 000000710ae9fc4f6921931289653086de6a6b12 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?=
Date: Thu, 22 Jun 2023 22:23:38 +0200
Subject: [PATCH] baremetal: regen 3072 bit rsa keys

---
 modules/baremetal.nix | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/modules/baremetal.nix b/modules/baremetal.nix
index 80410d31..b5cac754 100644
--- a/modules/baremetal.nix
+++ b/modules/baremetal.nix
@@ -58,12 +58,20 @@
 smartd.enable = true;
 };
 
- system.activationScripts.generateInitrdOpensshHostKeys = lib.mkIf config.boot.initrd.network.ssh.enable ''
+ system.activationScripts.generateInitrdOpensshHostKeys = let
+ sshKeygen = "${config.programs.ssh.package}/bin/ssh-keygen";
+ in lib.mkIf config.boot.initrd.network.ssh.enable ''
 if [[ ! -e ${initrdEd2219Key} || ! -e ${initrdRsaKey} ]]; then
 echo "Generating initrd OpenSSH hostkeys..."
 mkdir -m700 -p /etc/ssh/initrd/
- ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f ${initrdEd2219Key}
- ${pkgs.openssh}/bin/ssh-keygen -t rsa -N "" -f ${initrdRsaKey}
+ ${sshKeygen} -t ed25519 -N "" -f ${initrdEd2219Key}
+ ${sshKeygen} -t rsa -b 4096 -N "" -f ${initrdRsaKey}
+ fi
+
+ if [[ -e ${initrdRsaKey} && $(${sshKeygen} -l -f ${initrdRsaKey} | ${pkgs.gawk}/bin/awk '{print $1}') == 3072 ]]; then
+ echo "Upgrading RSA initrd OpenSSH hostkey with only 3072 bit..."
+ rm -f ${initrdRsaKey} ${initrdRsaKey}.pub
+ ${sshKeygen} -t rsa -b 4096 -N "" -f ${initrdRsaKey}
 fi
 '';
 };
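Review bot: The upgrade condition in the second `if` block only matches a key whose `ssh-keygen -l` bit count is exactly `3072`, so an existing RSA host key of any other size below the new 4096-bit target (for example a 2048-bit key generated under an older default) is never rotated. Comparing numerically, while guarding against an empty or non-numeric result so a key that cannot be read is not deleted, covers all undersized keys: `bits=$(${sshKeygen} -l -f ${initrdRsaKey} | ${pkgs.gawk}/bin/awk '{print $1}')` followed by `if [[ -e ${initrdRsaKey} && $bits =~ ^[0-9]+$ && $bits -lt 4096 ]]; then`; the echo message would then read "with fewer than 4096 bits" instead of naming 3072. The `rm -f` runs before the new key exists, so a failed `ssh-keygen` leaves the host with no RSA initrd key until the next activation recreates it; generating into a temporary path and moving it over the old key would avoid that window. Rotating the key also changes the initrd host identity that clients have pinned in `known_hosts`, which is worth stating in the echo line so operators expect the fingerprint change; whether the regenerated key reaches the initrd image before the next rebuild depends on how `initrdRsaKey` is consumed, which is outside this hunk.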