1 { pkgs, lib, config, machineName, ... }:
3 inherit (config.security) gnupg;
5 initrdKey = "initrd/ssh.key";
6 keygrip = "89F52A879E0019A966503AFFDE72EEA84CDFA3A7";
10 <nixpkgs/nixos/modules/profiles/hardened.nix>
12 security.gnupg.store = builtins.getEnv "PASSWORD_STORE_DIR" + "/machines/${machineName}";
13 services.openssh.extraConfig = ''
14 StreamLocalBindUnlink yes
16 installer.ssh-nixos = {
17 PATH = [pkgs.gnupg pkgs.openssh];
18 script = lib.mkMerge [
20 # Send the SSH key of the initrd
21 gpg --decrypt '${gnupg.store}/${initrdKey}.gpg' |
22 ssh '${config.installer.ssh-nixos.target}' \
23 install -D -m 400 -o root -g root /dev/stdin /root/${initrdKey}
27 gpg --decrypt '${gnupg.store}/${rootKey}.pass.gpg' |
28 gpg --batch --pinentry-mode loopback --passphrase-fd 0 --export-secret-subkeys @root@${machineName} |
29 ssh '${config.installer.ssh-nixos.target}' \
30 install -D -d -m 640 /run/user/0/gnupg/d.6qoenf9br6fajbkknuz1i6ts '&&' \
31 gpg --no-autostart --homedir /var/lib/gnupg --no-autostart --batch --pinentry-mode loopback --import || true
33 # Send the rootKey's passphrase
34 gpg --decrypt '${gnupg.store}/${rootKey}.pass.gpg' |
35 ssh '${config.installer.ssh-nixos.target}' \
36 install -D -d -m 640 /run/user/0/gnupg/d.6qoenf9br6fajbkknuz1i6ts '&&' \
37 gpg-preset-passphrase \
38 --homedir /var/lib/gnupg \
39 --preset ${keygrip} || true
43 boot.initrd.network.ssh.hostKeys = [ "/root/${initrdKey}" ];