nix: simplify the sending root's OpenPGP key
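# Installer-time secret provisioning for this machine: pushes the root
# OpenPGP secret subkeys and the initrd SSH host key from the local pass
# store to the installation target over ssh.
{ pkgs, lib, config, machineName, ... }:
let
  inherit (config.security) pass;
  # Names of the secrets inside the pass store. The same relative names are
  # reused for the destination paths under /root on the target.
  rootKey = "root/key";
  initrdKey = "initrd/ssh.key";
  # On-target location of the decrypted passphrase. Derived from rootKey so
  # the file written in step 1 and the file read in step 2 cannot drift apart.
  rootKeyPassFile = "/${rootKey}.pass";
in
{
  imports = [
    <nixpkgs/nixos/modules/profiles/hardened.nix>
  ];
  # NOTE(review): the store path names "losurdo" while this file lives under
  # machines/mermet — confirm the two machines really share one pass store.
  security.pass.store = ../../../sec/pass/machines/losurdo;
  installer.ssh-nixos = {
    PATH = with pkgs; [gnupg openssh];
    # mkBefore: run this fragment ahead of any other contribution to `script`.
    script = lib.mkBefore ''
      # 1. Send the rootKey's passphrase.
      #    It lands on the target in clear at ${rootKeyPassFile} (mode 0400,
      #    owner root:root); nothing in this fragment removes it afterwards.
      gpg --decrypt '${pass.store}/${rootKey}.pass.gpg' |
      ssh '${config.installer.ssh-nixos.target}' \
        install -D -m 400 -o root -g root /dev/stdin ${rootKeyPassFile}

      # 2. Send the rootKey.
      #    The passphrase is fed on stdin (fd 0) to unlock the local export;
      #    the remote import reads the same passphrase from the file written in step 1.
      gpg --decrypt '${pass.store}/${rootKey}.pass.gpg' |
      gpg --batch --pinentry-mode loopback --passphrase-fd 0 --export-secret-subkeys @root@${machineName} |
      ssh '${config.installer.ssh-nixos.target}' \
        gpg --batch --pinentry-mode loopback --passphrase-file ${rootKeyPassFile} --import

      # 3. Send the SSH host key of the initrd, to the path that
      #    boot.initrd.network.ssh.hostKeys below expects.
      gpg --decrypt '${pass.store}/${initrdKey}.gpg' |
      ssh '${config.installer.ssh-nixos.target}' \
        install -D -m 400 -o root -g root /dev/stdin /root/${initrdKey}
    '';
  };
  # Must match the destination used in step 3 of the installer script above.
  boot.initrd.network.ssh.hostKeys = [ "/root/${initrdKey}" ];
}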