From e9a180ab77471bc790a8101c322e864b816e132d Mon Sep 17 00:00:00 2001
From: Ingolf Wagner
Date: Sat, 24 Apr 2021 14:23:51 +0200
Subject: [PATCH] wip on init-ssh

---
 configs/workhorse/configuration.nix | 3 +--
 system/all/sshd-known-hosts-public.nix | 3 ++-
 system/server/initssh.nix | 14 +++++++-------
 3 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/configs/workhorse/configuration.nix b/configs/workhorse/configuration.nix
index 7bb94fc..e85db26 100644
--- a/configs/workhorse/configuration.nix
+++ b/configs/workhorse/configuration.nix
@@ -59,8 +59,7 @@
 configuration.init-ssh = {
 enable = "enabled";
 kernelModules = [ "r8169" ];
- #hostECDSAKey = ;
- hostECDSAKey = ;
+ hostKey = "/etc/ssh/ssh_host_ed25519_key";
 };
 
 # nix-shell -p speedtest_cli --run speedtest
diff --git a/system/all/sshd-known-hosts-public.nix b/system/all/sshd-known-hosts-public.nix
index 97af33f..c9861b5 100644
--- a/system/all/sshd-known-hosts-public.nix
+++ b/system/all/sshd-known-hosts-public.nix
@@ -41,7 +41,8 @@ with lib;
 # space-left
 gitlabSpaceLeft = {
 hostNames = [ "git.space-left.org" ];
- publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAapztj8I3xy6Ea8A1q7Mo5C6zdgsK1bguAXcKUDCRBO";
+ publicKey =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAapztj8I3xy6Ea8A1q7Mo5C6zdgsK1bguAXcKUDCRBO";
 };
 # c-base
 "bnd-cbase" = {
diff --git a/system/server/initssh.nix b/system/server/initssh.nix
index d0fe5ba..5b4dbf5 100644
--- a/system/server/initssh.nix
+++ b/system/server/initssh.nix
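Review bot: `hostKey = "/etc/ssh/ssh_host_ed25519_key";` hands the initrd SSH server the running system's own long-term host key. Whatever is listed in `boot.initrd.network.ssh.hostKeys` (which this option feeds in system/server/initssh.nix) is packed into the initrd under /boot, and on most setups that partition is not encrypted, so the production host private key would become readable to anyone who can read the boot medium — worth confirming against how /boot is provisioned on this machine. The option's own description in the same patch points at a dedicated key under /etc/secrets/initrd/, so `hostKey = "/etc/secrets/initrd/ssh_host_ed25519_key";` here would match it and keep the real host identity out of the initrd. Keep the value a quoted string as done here: an unquoted Nix path literal would copy the key file into the world-readable Nix store. The enclosing configuration set continues outside the hunk.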
@@ -28,12 +28,13 @@ in {
 ++ (map (keyFile: lib.fileContents keyFile) config.users.users.root.openssh.authorizedKeys.keyFiles);
 };
- hostECDSAKey = mkOption {
- default = null;
- type = with types; nullOr path;
+ hostKey = mkOption {
+ default = "/etc/ssh/ssh_host_ed25519_key";
+ type = with types; path;
 description = ''
- you only need one host key
- nix-shell -p dropbear --run "dropbearkey -t ecdsa -f ./host_ecdsa_key"
+ To generate keys, use ssh-keygen(1):
+ # ssh-keygen -t rsa -N "" -f /etc/secrets/initrd/ssh_host_rsa_key
+ # ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key
 '';
 };
 
@@ -91,10 +92,9 @@ in {
 enable = true;
 authorizedKeys = cfg.authorizedKeys;
 port = cfg.port;
+ hostKeys = [ cfg.hostKey ];
 };
 boot.initrd.availableKernelModules = cfg.kernelModules;
- #boot.initrd.network.ssh.hostECDSAKey = cfg.hostECDSAKey;
- boot.initrd.network.ssh.hostKeys = [ cfg.hostECDSAKey ];
 })
 ];
 }
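Review bot: The new `default = "/etc/ssh/ssh_host_ed25519_key";` contradicts the description written a few lines below it, which tells the reader to generate the key under /etc/secrets/initrd/. Because the second hunk passes this value straight into `boot.initrd.network.ssh.hostKeys`, the default silently ships the system's main host private key inside the initrd on /boot, which is usually unencrypted; either `default = "/etc/secrets/initrd/ssh_host_ed25519_key";` or restoring `default = null;` with `type = with types; nullOr path;` so the operator must choose a file deliberately would keep the option consistent with its own documentation. The `ssh-keygen -t rsa` line in the description generates a file that nothing in this module reads, since only the single path in `hostKey` is installed; drop it or say that only the file named by `hostKey` is used. The enclosing options set starts outside the hunk.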