nixos-config/nixos/system/all/sshd-known-hosts-bootup.nix

{ config, lib, pkgs, ... }:
with lib;
let

  computers = {
    #workhorse = {
    #  onionId = fileContents ../../private_assets/onion_id_workhorse;
    #  publicKey =
    #    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/I4JBA1HHTH2xsrEM7xtxkhRDE42lZcBrdBvN46WTx";
    #};
    #porani = {
    #  onionId = fileContents ../../private_assets/onion_id_porani;
    #  publicKey =
    #    "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGFaTRGqMd/rKpyMUP6wVbgiWFOUvUV2qS/B5Xe02UUch/wxR4fTCY+vnzku5K0V/qqJpjYLgHotwZFqO/8lFu4=";
    #};
  };

in
{

  services.openssh.knownHosts = mapAttrs'
    (name:
      { onionId, publicKey, ... }: {
        name = "${name}-init-ssh";
        value = {
          hostNames = [ onionId ];
          inherit publicKey;
        };
      })
    computers;

  environment.systemPackages =
    let

      ssh = mapAttrsToList
        (name:
          { onionId, ... }:
          pkgs.writers.writeDashBin "ssh-boot-to-${name}" ''
            ${pkgs.tor}/bin/torify ${pkgs.openssh}/bin/ssh root@${onionId} -p 23
          '')
        computers;

      password = mapAttrsToList
        (name:
          { onionId, ... }:
          pkgs.writers.writeDashBin "unlock-boot-${name}" ''
            ${pkgs.tor}/bin/torify ${pkgs.openssh}/bin/ssh root@${onionId} -p 23 '
            echo -n "enter password : "
            read password
            echo "$password" > /crypt-ramfs/passphrase
            '
          '')
        computers;

    in
    ssh ++ password;

}