modules/nixos/common: add initrd ssh

nix-community · Feb 1, 2025 · 8dc36a7 · 8dc36a7
1 parent 133bdce
commit 8dc36a7
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 17 deletions.
diff --git a/modules/nixos/common/security.nix b/modules/nixos/common/security.nix
@@ -1,10 +1,20 @@
+{ inputs, lib, ... }:
 {
   # Make sure that the firewall is enabled, even if it's the default.
   networking.firewall.enable = true;
 
   # allow to access emergency shell with a password
   boot.initrd.systemd.emergencyAccess = "$6$he2fblfl/H7I.kvz$WbSCMXu8ztmqfj5jG4czqvu/rkMHxufxqHgy1urzXFSN.jZB4QiW5lOjR08vk8pZTyim3TT1wFkMaNE9zZ3sc1";
 
+  boot.initrd.network = {
+    enable = true;
+    ssh = {
+      enable = true;
+      authorizedKeyFiles = lib.filesystem.listFilesRecursive "${inputs.self}/users/keys";
+      hostKeys = [ "/etc/ssh/initrd_host_ed25519_key" ];
+    };
+  };
+
   services.openssh = {
     hostKeys = [
       {

diff --git a/secrets.yaml b/secrets.yaml
@@ -8,6 +8,7 @@ accounts:
     - name: ENC[AES256_GCM,data:BGA/HMgie64=,iv:c+utmChiZA73GRS4uzZDyfdU+DZaDpB3WljC2uye8o0=,tag:lr1w5TWr05lpfBNLK0Swxw==,type:str]
       totpsecret: ENC[AES256_GCM,data:Q5aJq9sLmW/0oMIgy4FErA==,iv:cFhVj/QV4tMjvB/Y8ExOSSLArvjxCV8+39YtMaADK04=,tag:aPJFH7WhaBYAW7eYsGzGYg==,type:str]
 emergency_access_password: ENC[AES256_GCM,data:ELpkrEQjFQwDicz3WeJoivrZBAWeAKkfFg==,iv:rzbKvnS5IBjUCCT2NAHINZs60F0jrRPJvZ1wnBa6xkI=,tag:hWax9+gTRhuhtIikP/jO/Q==,type:str]
+initrd_host_ed25519_key: ENC[AES256_GCM,data:+v/HTgLVacjrlVjqLMuuymtCIdEpQgZLF1vzFGVKITt+Gu42TG02OrRfXlxrr4jh5DMCavwKF270hSz3ecejpzSlETTjKRlSh+0aP49Rkut6/EFduuTzm/+QEqI504xm/pAllXvpsOVAT4/UTbJ5ezirbVZES4Szs/xbyEqCFD/KfyRM86ksqxdAHjR3+Mt1wqSvgV2zcD8x3L540toi0WoRmb77DYAqYo/BcPnBmbo8C2SdWon4iYRwtBtq/u050rQQOHeHXx0c+K5oV9X28Vdgih/VHLk0XopXlYUz+fC26R5l0tKpBZmaEs5w4Ai62R81lxTCk4xj9VgKtAHdwp84+7TVrUzHveHGQv4MC/PCyCDtyDbKafFyuI77lGwZ5FD1F8GGp9zqPkzGUYdujNXJuk8RjVJbn1j0sBErEteeW9w6Wit6wM+Ze18fgdf1r5rCHliwOLBMve0XqgXdQB7uScAq3mfTvU/OhE0ytPg9N8uu+AP1LQMViQXwgwKcrreE3ZaLoYDiBr0px2gwmHOv4n7Z7qU58/+FhOJbDMfL45U=,iv:Og2wky2h3c6VGoXa2Q8RDwOpAqLY3xYl2XR1HZ6omT8=,tag:yOjtBw56Nb/+ueuG6x6bgA==,type:str]
 ssh_host_ed25519_key:
     build01: ENC[AES256_GCM,data:5rG0+Iw8uVKXTrT5A/uvbz9MJZHPyTBPKIxSbMIgvwEVHDsCENDihxL5C00PisZ4dgMIW1WQIvD3zLtJ5RxedY832K9dwO36lWH2uHZW96qlObnTqMpi0vtsZQ1FQVUtNWPj146uz7QyasisFu6CFFMBBbx6y5ZAipfJ+bsth7YliCMPL+1bM84b8a40m3k9gI4xpYH9txrq1+yvTLau25rNsmAq4oHDGKEZqRoN2WflBZLP0DL3zQ/8uPODUjOmyFpKnbDeKsDQ3RuFcPaLZOGEBruayYldxiv215pdFgw72TbvtLXc726y7bUTOvsOiLfVMdfiXZCRPzVbjGB+NLtiyz9hlCa5WdJrQmLceqC/v5zy1TbV0azlZCDNopw1yznLn8fPA8KIYJUGw+PkdKPDFKRn+F78+5QG4wpYFK9qZ/vaukvpuZrUdboFIU/qFdjplrGhniYfbh7enIGhnd2Y+qLC92IG0SQPVpI2fQNx7h3MD2V9w2spk8hZ4QGWsA4JU0fJ9mKY4w6eElGLggzT15vuCrrJx4zbThSfyVYHmlE=,iv:ksSPKFNHdy646BU2x0fr6ey+kif1jpPhlsQ5Kmxjqd4=,tag:2SL/1x4/9LoNqfHPMk8H8Q==,type:str]
     build02: ENC[AES256_GCM,data:kwc1rs7xbKod7+vV9yDNqAZMmTqencDe6LTMqxihNLuvGny1atjJ/4cf2vnWEyPar4AvqLtawbIexowbpgyzIiJBKskw0voUgUan0TMH7dsjeZtcdnBSsGWDlcBSjq8bK+yfNMWxwaq7FB9eTJkhN41UhQwqXIVpitEJg0LQcz7+BeQnYhCMnMOc+AG78zIZK+lbzAikejFJUV1A0/kmEl9VirBTpGqxhsiPUSCpAq9c3mE16f31YF9bUn9Dr/4gLW42xxbt/+6psDstKlKgfldzC+izCCCfL1qKcKz7RtyLX37O1MkQqLWvC5I5XRt81tKPOgmtjtGSM0iYmx9zy6FKGJlWqHGNb5K+g1NugWuKMzkBQNoWIypS/yHUY9R3eLa6JJM+tfE/Hvw4Q6/4HGBePMauULd/sgTC8D6o+6023a9ZdC6vdwAWzgWzhbG8uN8vjRR9JKy8/tzgzWJsR4PvPFw9ka0HbRMjigmMxZ817Z6iB2BcO2xmJvD5hP2YpPKCNLQzUznq0vh1s91C,iv:cQERNZJUQ0TJW0pbEzJF6O+1Idkt2e+I06+Kjygr4lk=,tag:2X4KhuEd/0153sCT7qeyqQ==,type:str]
@@ -112,8 +113,8 @@ sops:
             MkcvL1JyVFBJV0Y5RFFCMGN1OUFXdU0Kdx1wy6ZOOTg1a6VKaq52SMBvC26lMsW/
             oMP+hmXc2WtoqZp+jZ9rrXz6cZW6/dO7CPqxl3aUEKg6BkXIwgyKeg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-01-05T23:10:24Z"
-    mac: ENC[AES256_GCM,data:eU+Fviv9czFkz+fGXQZSh7RlMGNhrWb+4NX7uBljU9F/gyRrMGdMmqlCHEG9spJV3ytnXHE8ByLMcnojLC9Gou3pbCjN7+X/1KP82KS05xKh6P1x4S3/uSyYl5YYSzuDxVHiT4NuCCwx5vyRUO33YLP68SZdFlFCGp0/SUgdd80=,iv:Pr/BHMNiqj88jkOMDYKtqnSnoBGSxNqEzGwNSQuPmr0=,tag:vR+XXYWnRzEIQOPHpNTndw==,type:str]
+    lastmodified: "2025-02-01T21:49:38Z"
+    mac: ENC[AES256_GCM,data:ma8JFAf22BJvviL9d58aQ4T2Dv6M20w1cA+8bX/KHsCJKDOdIM8Od/qWxsJWFHh7ttgAU0R/HxcgD8ji3Rxv46jiWKIYNTby7QvwARSmai9LbxlLhYq2tgi73DoKpV9Mu/VEt7NHzuZR+0dQiKyNSWfa/nKfcFku7Oly1Z6oVfI=,iv:zS7uJEm/dRFcN9k2HOtO6cjAOlurqBdhqPN1P+V9h44=,tag:p5KgPGPSL5nd1sOdkzFEzA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.9.2
+    version: 3.9.4
diff --git a/tasks.py b/tasks.py
@@ -144,20 +144,28 @@ def opener(path: str, flags: int) -> Union[str, int]:
     t = Path(tmpdir)
     t.mkdir(parents=True, exist_ok=True)
     t.chmod(0o755)
-    host_key = t / "etc/ssh/ssh_host_ed25519_key"
-    host_key.parent.mkdir(parents=True, exist_ok=True)
-    with open(host_key, "w", opener=opener) as fh:
-        subprocess.run(
-            [
-                "sops",
-                "--extract",
-                f'["ssh_host_ed25519_key"]["{flake_attr}"]',
-                "--decrypt",
-                f"{ROOT}/secrets.yaml",
-            ],
-            check=True,
-            stdout=fh,
-        )
+
+    def decrypt(path: str, secret: str) -> None:
+        file = t / path
+        file.parent.mkdir(parents=True, exist_ok=True)
+        with open(file, "w", opener=opener) as fh:
+            subprocess.run(
+                [
+                    "sops",
+                    "--extract",
+                    secret,
+                    "--decrypt",
+                    f"{ROOT}/secrets.yaml",
+                ],
+                check=True,
+                stdout=fh,
+            )
+
+    decrypt(
+        "etc/ssh/ssh_host_ed25519_key",
+        f'["ssh_host_ed25519_key"]["{flake_attr}"]',
+    )
+    decrypt("etc/ssh/initrd_host_ed25519_key", '["initrd_host_ed25519_key"]')
 
 
 @task