nixos-config/system/all/sshd-known-hosts-bootup.nix

50 lines
1.4 KiB
Nix
Raw Normal View History

2019-10-24 02:20:38 +02:00
{ lib, pkgs, ... }:
with lib;
let
computers = {
workhorse = {
onionId = fileContents <common_secrets/onion/workhorse>;
2019-12-20 05:54:26 +01:00
publicKey =
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBB+sHmukNa2TmtBDCqN+LVaYblvHztD/ziK2cbKR8dEHztF0YBS60MHMpbGPOII5NVMUY6Z2OHFBQi9X6PG1YBY=";
2019-10-24 02:20:38 +02:00
};
porani = {
onionId = fileContents <common_secrets/onion/porani>;
2019-12-20 05:54:26 +01:00
publicKey =
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGFaTRGqMd/rKpyMUP6wVbgiWFOUvUV2qS/B5Xe02UUch/wxR4fTCY+vnzku5K0V/qqJpjYLgHotwZFqO/8lFu4=";
2019-10-24 02:20:38 +02:00
};
};
2019-12-20 05:54:26 +01:00
in {
2019-10-24 02:20:38 +02:00
2019-12-20 05:54:26 +01:00
services.openssh.knownHosts = mapAttrs' (name:
{ onionId, publicKey, ... }: {
name = "${name}-init-ssh";
value = {
hostNames = [ onionId ];
inherit publicKey;
};
}) computers;
2019-10-24 02:20:38 +02:00
2019-12-20 05:54:26 +01:00
environment.systemPackages = let
2019-10-24 02:20:38 +02:00
2019-12-20 05:54:26 +01:00
ssh = mapAttrsToList (name:
{ onionId, ... }:
2019-10-24 02:20:38 +02:00
pkgs.writers.writeDashBin "ssh-boot-to-${name}" ''
${pkgs.tor}/bin/torify ${pkgs.openssh}/bin/ssh root@${onionId} -p 23
'') computers;
2019-12-20 05:54:26 +01:00
password = mapAttrsToList (name:
{ onionId, ... }:
2019-10-24 02:20:38 +02:00
pkgs.writers.writeDashBin "unlock-boot-${name}" ''
2019-12-20 05:54:26 +01:00
${pkgs.tor}/bin/torify ${pkgs.openssh}/bin/ssh root@${onionId} -p 23 '
echo -n "enter password : "
read password
echo "$password" > /crypt-ramfs/passphrase
'
2019-10-24 02:20:38 +02:00
'') computers;
2019-12-20 05:54:26 +01:00
in ssh ++ password;
2019-10-24 02:20:38 +02:00
}