wip on init-ssh

configs/workhorse/configuration.nix

@@ -59,8 +59,7 @@
   configuration.init-ssh = {
     enable = "enabled";
     kernelModules = [ "r8169" ];
-    #hostECDSAKey = <secrets/init-ssh/host_ecdsa_key>;
+    hostKey = "/etc/ssh/ssh_host_ed25519_key";
-    hostECDSAKey = <secrets/init-ssh/ssh_host_ed25519_key>;
   };
 
   # nix-shell -p speedtest_cli --run speedtest

system/all/sshd-known-hosts-public.nix

@@ -41,7 +41,8 @@ with lib;
     # space-left
     gitlabSpaceLeft = {
       hostNames = [ "git.space-left.org" ];
-      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAapztj8I3xy6Ea8A1q7Mo5C6zdgsK1bguAXcKUDCRBO";
+      publicKey =
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAapztj8I3xy6Ea8A1q7Mo5C6zdgsK1bguAXcKUDCRBO";
     };
     # c-base
     "bnd-cbase" = {

system/server/initssh.nix

@@ -28,12 +28,13 @@ in {
         ++ (map (keyFile: lib.fileContents keyFile)
           config.users.users.root.openssh.authorizedKeys.keyFiles);
     };
-    hostECDSAKey = mkOption {
+    hostKey = mkOption {
-      default = null;
+      default = "/etc/ssh/ssh_host_ed25519_key";
-      type = with types; nullOr path;
+      type = with types; path;
       description = ''
-        you only need one host key
+        To generate keys, use ssh-keygen(1):
-        nix-shell -p dropbear --run "dropbearkey -t ecdsa -f ./host_ecdsa_key"
+        # ssh-keygen -t rsa -N "" -f /etc/secrets/initrd/ssh_host_rsa_key
+        # ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key
       '';
     };
 
@@ -91,10 +92,9 @@ in {
         enable = true;
         authorizedKeys = cfg.authorizedKeys;
         port = cfg.port;
+        hostKeys = [ cfg.hostKey ];
       };
       boot.initrd.availableKernelModules = cfg.kernelModules;
-      #boot.initrd.network.ssh.hostECDSAKey = cfg.hostECDSAKey;
-      boot.initrd.network.ssh.hostKeys = [ cfg.hostECDSAKey ];
     })
   ];
 }