fix: refactoring mistakes; and add generator for initrd_host_ed25519_key

2025-10-10 23:00:39 +02:00 · 2023-06-18 12:55:18 +02:00 · 2023-06-18 12:55:18 +02:00 · 1b42e0cd72
commit 1b42e0cd72
parent abdf363fba
8 changed files with 19 additions and 11 deletions
--- a/README.md
+++ b/README.md
@ -60,7 +60,6 @@ This is my personal nix config.
 - create hosts/<name>
 - fill net.nix
 - fill fs.nix (you need to know the device by-id paths in advance for formatting to work!)
- generate an initrd hostkey if necessary `ssh-keygen -t ed25519 -N "" -f /tmp/key; rage ...`
 - run generate-secrets

 #### Initial deploy
--- a/hosts/common/initrd-ssh.nix
+++ b/hosts/common/initrd-ssh.nix
@ -4,8 +4,17 @@
  nodePath,
  ...
 }: {
-  # TODO generate script
-  age.secrets.initrd_host_ed25519_key.file = nodePath + "/secrets/initrd_host_ed25519_key.age";
+  age.secrets.initrd_host_ed25519_key = {
+    rekeyFile = nodePath + "/secrets/initrd_host_ed25519_key.age";
+    # Generate only an ssh-ed25519 private key
+    generator.script = {
+      pkgs,
+      lib,
+      ...
+    }: ''
+      (exec 3>&1; ${pkgs.openssh}/bin/ssh-keygen -q -t ed25519 -N "" -f /proc/self/fd/3 <<<y >/dev/null 2>&1)
+    '';
+  };

  boot.initrd.network.enable = true;
  boot.initrd.network.ssh = {
--- a/hosts/ward/microvms/grafana/secrets/host.pub
+++ b/hosts/ward/microvms/grafana/secrets/host.pub
@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBXXjI6uB26xOF0DPy/QyLladoGIKfAtofyqPgIkCH/g
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBn1J13YFYrxYV39rdqDzTaS8r/U4iNMQmcz9Oi+D6oq
--- a/hosts/ward/microvms/kanidm/secrets/host.pub
+++ b/hosts/ward/microvms/kanidm/secrets/host.pub
@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN2TxWynLb8V9SP45kFqsoCWhe/dG8N1xWNuJG5VQndq
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF6Waic9tzHF2gnD480ArdOyIdzdM4SN6bmh0ceVKqFo
--- a/hosts/ward/microvms/vaultwarden/default.nix
+++ b/hosts/ward/microvms/vaultwarden/default.nix
@ -34,17 +34,17 @@ in {
        import common

        reverse_proxy {
-          to http://${config.services.vaultwarden.settings.ROCKET_ADDRESS}:${toString config.services.vaultwarden.settings.ROCKET_PORT}
+          to http://${config.services.vaultwarden.config.rocketAddress}:${toString config.services.vaultwarden.config.rocketPort}
          header_up X-Real-IP {remote_host}
        }

        reverse_proxy /notifications/hub {
-          to http://${config.services.vaultwarden.settings.WEBSOCKET_ADDRESS}:${toString config.services.vaultwarden.settings.WEBSOCKET_PORT}
+          to http://${config.services.vaultwarden.config.websocketAddress}:${toString config.services.vaultwarden.config.websocketPort}
          header_up X-Real-IP {remote_host}
        }

        reverse_proxy /notifications/hub/negotiate {
-          to http://${config.services.vaultwarden.settings.ROCKET_ADDRESS}:${toString config.services.vaultwarden.settings.ROCKET_PORT}
+          to http://${config.services.vaultwarden.config.rocketAddress}:${toString config.services.vaultwarden.config.rocketPort}
          header_up X-Real-IP {remote_host}
        }
      '';
--- a/hosts/ward/microvms/vaultwarden/secrets/host.pub
+++ b/hosts/ward/microvms/vaultwarden/secrets/host.pub
@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDDvvF3+KwfoZrPAUAt2HS7y5FM9S5Mr1iRkBUqoXno
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMTYmtppqehM9LuH9PwBJvBxvbyvauTlqtMeRHEYYqW9
--- a/modules/extra.nix
+++ b/modules/extra.nix
@ -50,7 +50,7 @@ in {

    # Sensible defaults for caddy
    services.caddy = mkIf config.services.caddy.enable {
-      globalConfig = ''
+      extraConfig = ''
        (common) {
          encode zstd gzip

--- a/modules/promtail.nix
+++ b/modules/promtail.nix
@ -48,7 +48,7 @@ in {

        clients = [
          {
-            basicAuthUser = nodeName;
+            basic_auth.username = nodeName;
            basic_auth.password_file = config.age.secrets.promtail-loki-basic-auth-password.path;
            url = "https://${nodes.${cfg.proxy}.config.proxiedDomains.loki}/loki/api/v1/push";
          }