1 { pkgs, lib, config, machineName, ... }:
# Bring `pass` (= config.security.pass) into scope; only `pass.store` is
# referenced here, as the directory the installer script decrypts secrets from.
3 inherit (config.security) pass;
# Relative path of the initrd SSH host key: `${initrdKey}.gpg` is decrypted from
# `pass.store` and installed to /root/${initrdKey} on the target, which is the
# path handed to boot.initrd.network.ssh.hostKeys below.
5 initrdKey = "initrd/ssh.key";
9 <nixpkgs/nixos/modules/profiles/hardened.nix>
# Directory (path literal, resolved relative to this file) holding the GPG-encrypted
# secrets for this machine; the ssh-nixos installer script decrypts files from it
# (`${rootKey}.pass.gpg`, `${initrdKey}.gpg`) and streams the plaintext to the
# target over ssh, so the store itself never leaves the installing host.
11 security.pass.store = ../../../sec/pass/machines/losurdo;
12 installer.ssh-nixos = {
13 PATH = with pkgs; [gnupg openssh];
14 script = lib.mkBefore ''
15 # Send the rootKey's passphrase
16 gpg --decrypt '${pass.store}/${rootKey}.pass.gpg' |
17 ssh '${config.installer.ssh-nixos.target}' \
18 install -D -m 400 -o root -g root /dev/stdin /${rootKey}.pass
21 gpg --decrypt '${pass.store}/${rootKey}.pass.gpg' |
22 gpg --batch --pinentry-mode loopback --passphrase-fd 0 --export-secret-subkeys @root@${machineName} |
23 ssh '${config.installer.ssh-nixos.target}' \
24 gpg --batch --pinentry-mode loopback --passphrase-file /root/key.pass --import
26 # Send the SSH key of the initrd
27 gpg --decrypt '${pass.store}/${initrdKey}.gpg' |
28 ssh '${config.installer.ssh-nixos.target}' \
29 install -D -m 400 -o root -g root /dev/stdin /root/${initrdKey}
# Host key for the initrd's SSH server; the installer script above places it at
# /root/${initrdKey} with mode 400 (`install -D -m 400 -o root -g root`).
# NOTE(review): this option is evaluated when the initrd is built, so the key
# material ends up inside the initrd image rather than only under /root — confirm
# that readers of the boot partition are within the threat model for this key.
32 boot.initrd.network.ssh.hostKeys = [ "/root/${initrdKey}" ];