fix: refactoring mistakes; and add generator for initrd_host_ed25519_key

README.md

@@ -60,7 +60,6 @@ This is my personal nix config.
 - create hosts/<name>
 - fill net.nix
 - fill fs.nix (you need to know the device by-id paths in advance for formatting to work!)
-- generate an initrd hostkey if necessary `ssh-keygen -t ed25519 -N "" -f /tmp/key; rage ...`
 - run generate-secrets
 
 #### Initial deploy

hosts/common/initrd-ssh.nix

@@ -4,8 +4,17 @@
   nodePath,
   ...
 }: {
-  # TODO generate script
+  age.secrets.initrd_host_ed25519_key = {
-  age.secrets.initrd_host_ed25519_key.file = nodePath + "/secrets/initrd_host_ed25519_key.age";
+    rekeyFile = nodePath + "/secrets/initrd_host_ed25519_key.age";
+    # Generate only an ssh-ed25519 private key
+    generator.script = {
+      pkgs,
+      lib,
+      ...
+    }: ''
+      (exec 3>&1; ${pkgs.openssh}/bin/ssh-keygen -q -t ed25519 -N "" -f /proc/self/fd/3 <<<y >/dev/null 2>&1)
+    '';
+  };
 
   boot.initrd.network.enable = true;
   boot.initrd.network.ssh = {

hosts/ward/microvms/grafana/secrets/host.pub

@@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBXXjI6uB26xOF0DPy/QyLladoGIKfAtofyqPgIkCH/g
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBn1J13YFYrxYV39rdqDzTaS8r/U4iNMQmcz9Oi+D6oq

hosts/ward/microvms/kanidm/secrets/host.pub

@@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN2TxWynLb8V9SP45kFqsoCWhe/dG8N1xWNuJG5VQndq
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF6Waic9tzHF2gnD480ArdOyIdzdM4SN6bmh0ceVKqFo

hosts/ward/microvms/vaultwarden/default.nix

@@ -34,17 +34,17 @@ in {
         import common
 
         reverse_proxy {
-          to http://${config.services.vaultwarden.settings.ROCKET_ADDRESS}:${toString config.services.vaultwarden.settings.ROCKET_PORT}
+          to http://${config.services.vaultwarden.config.rocketAddress}:${toString config.services.vaultwarden.config.rocketPort}
           header_up X-Real-IP {remote_host}
         }
 
         reverse_proxy /notifications/hub {
-          to http://${config.services.vaultwarden.settings.WEBSOCKET_ADDRESS}:${toString config.services.vaultwarden.settings.WEBSOCKET_PORT}
+          to http://${config.services.vaultwarden.config.websocketAddress}:${toString config.services.vaultwarden.config.websocketPort}
           header_up X-Real-IP {remote_host}
         }
 
         reverse_proxy /notifications/hub/negotiate {
-          to http://${config.services.vaultwarden.settings.ROCKET_ADDRESS}:${toString config.services.vaultwarden.settings.ROCKET_PORT}
+          to http://${config.services.vaultwarden.config.rocketAddress}:${toString config.services.vaultwarden.config.rocketPort}
           header_up X-Real-IP {remote_host}
         }
       '';

hosts/ward/microvms/vaultwarden/secrets/host.pub

@@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDDvvF3+KwfoZrPAUAt2HS7y5FM9S5Mr1iRkBUqoXno
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMTYmtppqehM9LuH9PwBJvBxvbyvauTlqtMeRHEYYqW9

modules/extra.nix

@@ -50,7 +50,7 @@ in {
 
     # Sensible defaults for caddy
     services.caddy = mkIf config.services.caddy.enable {
-      globalConfig = ''
+      extraConfig = ''
         (common) {
           encode zstd gzip
 

modules/promtail.nix

@@ -48,7 +48,7 @@ in {
 
         clients = [
           {
-            basicAuthUser = nodeName;
+            basic_auth.username = nodeName;
             basic_auth.password_file = config.age.secrets.promtail-loki-basic-auth-password.path;
             url = "https://${nodes.${cfg.proxy}.config.proxiedDomains.loki}/loki/api/v1/push";
           }